Stream: ibm
Topic: GET Patients
Sagar Sarvankar (Mar 21 2022 at 13:51):
Hello @Lee Surprenant ,
This is with reference to doing a GET on https://3.92.228.209:9443/fhir-server/api/v4/Patient using smartonfhir.
I tried sending the scope user/. to GET all patients, but it says "Authorization token is missing 'patient_id' claim".
My token is as below:
{
"nbf": 1647868834,
"exp": 1647872434,
"iss": "https://oauthserver.justtest.in",
"aud": [
"https://fhirserver.justtest.in:9443/fhir-server/api/v4",
"Inferno"
],
"client_id": "InternalToken",
"jti": "E6F5283E7911A8775E78004B7B28274D",
"iat": 1647868834,
"upn": "fhiruser",
"need_patient_banner": "false",
"smart_style_url": "https://oauthserver.justtest.in/SmartOnFHIR/v1.json",
"scope": "user/.",
"group": [
"FHIRUsers",
"FHIRAdmins"
]
}
Is it required to always send 'patient_id' as part of the token?
My use case is, a provider logs into an app, after it is authorized by the OAuth application, it needs to get the patients in the FHIR server.
Could you please share your thoughts on this?
Regards.
Sagar
Lee Surprenant (Mar 21 2022 at 13:55):
yes, the current design is that there is a patient_id claim in the token that lists all the patients to which the current user has access. it's definitely NOT the only way to do this so feedback is welcome
Lee Surprenant (Mar 21 2022 at 13:56):
aside: "user/." looks funny, i assume you just lost the * while copy/pasting?
Lee Surprenant (Mar 21 2022 at 13:57):
question: would you expect user/*.* to grant access to all patients by default? are you doing anything to limit what the user has access to?
Sagar Sarvankar (Mar 21 2022 at 14:01):
yes, i think within an organization, all providers have access to all patients.
so when a provider logs in, how can he retrieve all the patients in that organization, although he may not have created some of these?
yes, "user/." was actually "user/star.star". Sorry for the typo. That "star" is getting lost in the chat.
Sagar Sarvankar (Mar 22 2022 at 06:03):
Question: "would you expect user/star.star to grant access to all patients by default? are you doing anything to limit what the user has access to?"
Answer: Yes, I would like 'user/star.star' to have access to all patients by default. And further access on all the resources of that selected patient (which will be in the token).
Lee Surprenant (Mar 22 2022 at 12:26):
> yes, i think within an organization, all providers have access to all patients.
> so when a provider logs in, how can he retrieve all the patients in that organization, although he may not have created some of these?
> Answer: Yes, I would like 'user/star.star' to have access to all patients by default. And further access on all the resources of that selected patient (which will be in the token).
The second sentence doesn't make sense to me
Lee Surprenant (Mar 22 2022 at 13:37):
I just opened https://github.com/IBM/FHIR/issues/3495 ...please let me know if that behavior change would match your expectations as a user
Sagar Sarvankar (Mar 23 2022 at 09:19):
Yes, that is fine.
Thank you, @Lee Surprenant
Vadim Peretokin (Mar 28 2022 at 15:43):
@Alexander Zautke want to double-check if Firely Server is similar on this?
Alexander Zautke (Apr 04 2022 at 19:10):
Sorry, @Vadim Peretokin. I wasn't subscribed to this stream and didn't get a notification yet. No, Firely Server will by default grant you access to all resources if you have a user-level scope. For modelling user-level access, I would be looking at GraphDefinitions to represent what is in scope and what isn't.
Lee Surprenant (Apr 05 2022 at 17:08):
Thanks for chiming in, Vadim and Alexander... that sounds consistent with the change I mention above, and we plan to include that change in our next release.
Last updated: Apr 12 2022 at 19:14 UTC