FHIR Chat · fhir-smart · ibm

Stream: ibm

Topic: fhir-smart


Sibren Talens (Nov 24 2021 at 16:12):

Hello,

We're trying to get the IBM FHIR server running with SMART launch context. We have an application that issues JWTs, and we can successfully authenticate users using the mpJwt feature. We're now looking to limit the scope of these users using the fhir-smart userlib module. However, we think the PersistenceInterceptor is not being loaded, because we can't find the log messages relating to the FHIRPersistenceInterceptorMgr or AuthzPolicyEnforcementPersistenceInterceptor.

The contents of our userlib directory, using github.com/Alvearie/health-patterns/data-access as a base, but increasing the version to 4.10.1:

fhir-smart-4.10.1.jar
fhir-ig-us-core-4.10.1.jar

Last log lines after startup:

ibm-fhir_1   | [11/24/21, 15:56:25:081 UTC] 00000037 FeatureManage A   CWWKF0012I: The server installed the following features: [appSecurity-2.0, appSecurity-3.0, batch-1.0, batchManagement-1.0, cdi-2.0, distributedMap-1.0, el-3.0, jaxrs-2.1, jaxrsClient-2.1, jdbc-4.1, jndi-1.0, json-1.0, jsonp-1.1, jwt-1.0, localConnector-1.0, mpConfig-2.0, mpJwt-1.2, servlet-4.0, ssl-1.0, transportSecurity-1.0, websocket-1.1].
ibm-fhir_1   | [11/24/21, 15:56:25:081 UTC] 00000037 FeatureManage I   CWWKF0008I: Feature update completed in 5.830 seconds.
ibm-fhir_1   | [11/24/21, 15:56:25:081 UTC] 00000037 FeatureManage A   CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 6.807 seconds.

After sending a request with one of our issued JWTs, the requesting user is recognized correctly (1@gmail.com):

ibm-fhir_1   | [11/24/21, 15:58:04:786 UTC] 0000005a Authenticatio I   CWWKS4358I: The authentication filter filter configuration was successfully processed.
ibm-fhir_1   | [11/24/21, 15:58:05:095 UTC] 0000005a FHIRRestServl I   Received request: tenantId:[default] dsId:[default] user:[1@gmail.com] method:[GET] uri:[http://ibm-fhir:9080/fhir-server/api/v4/Patient?_id=selfmeasurements-send-patient1]
ibm-fhir_1   | [11/24/21, 15:58:05:263 UTC] 0000005a FHIRRestServl I   Completed request[0.172 secs]: tenantId:[default] dsId:[default] user:[1@gmail.com] method:[GET] uri:[http://ibm-fhir:9080/fhir-server/api/v4/Patient?_id=selfmeasurements-send-patient1] status:[403]

What are we missing? Do we need to take additional steps to use the fhir-smart module?

Thanks in advance!

Lee Surprenant (Nov 24 2021 at 23:43):

Hi Sibren. I haven't gotten around to updating github.com/Alvearie/health-patterns/data-access for the latest release yet, and so I think what's happening here is a version mismatch where the base fhir server is 4.9 but the interceptors are 4.10.1. Ordinarily that might work, but we changed the package name for the FHIRPersistenceInterceptor interface in 4.10...which just means the ibm fhir server version really needs to match across this version boundary. If you haven't yet, please update this line to 4.10.1 and see if that clears up your issue. I'll be off the next couple days with the thanksgiving holiday, but do let us know how it goes. best of luck!

Lee Surprenant (Nov 24 2021 at 23:45):

ps. a good way to check the version of the running server is to hit the [host]/fhir-server/api/v4/metadata and look for a software version field

Sibren Talens (Nov 30 2021 at 08:53):

Hi Lee, thanks for the help! We tried running the data-access project on the 4.9.2 version (with matching userlib dependencies), but we still can't seem to find the log lines we're looking for to confirm that the fhir-smart module has been loaded properly.

We've set TRACE_SPEC="*=all" and we're looking for the log lines from the FHIRPersistenceInterceptorMgr constructor.

Is there another way to confirm that the fhir-smart module has been loaded?

Lee Surprenant (Dec 01 2021 at 16:45):

Hi Sibren, sorry for the delay. Bumping the TRACE_SPEC seems like it should have worked, although I'd expect *=all to be SUPER noisy.

Lee Surprenant (Dec 01 2021 at 16:46):

Is there another way to confirm that the fhir-smart module has been loaded?

If you make a request to a patient compartment resource without the appropriate scopes in your otherwise valid JWT ;-)

Lee Surprenant (Dec 03 2021 at 22:43):

I ran through the README at github.com/Alvearie/health-patterns/data-access today and confirmed that everything was working as expected for me. I then opened this PR to update it for the latest ibm fhir server and smart-keycloak versions: https://github.com/Alvearie/health-patterns/pull/332
Let me know if you're still having trouble...I'd like it to be pretty turn-key and so it would be interesting to see where you went wrong.

Sibren Talens (Dec 10 2021 at 13:53):

Thanks for bumping the versions!

We did manage to get our own patient scoped tokens working. We ran into trouble because we were looking for the persistence interceptor log messages, but we couldn't find them because our tokens were rejected before that by "Subject is NOT authorized to access resource fhir-server-webapp". We fixed that by updating the security role, similar to how it's configured in keycloakJwt.xml.

<webApplication id="fhir-server-webapp">
    <application-bnd id="bind">
        <security-role id="users">
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
            <special-subject type="EVERYONE"/>
        </security-role>
    </application-bnd>
</webApplication>

We're now looking into user/person scoped tokens instead of patient scoped tokens to allow access to multiple patients with one token. If we run into issues there, we'll let you know :)

Lee Surprenant (Dec 10 2021 at 14:03):

Thanks for following up, Sibren. Glad it is finally working for you. That mapping from user principal in the JWT to a security-role in the webapp is definitely a bit tricky in Liberty.
I've mostly just looked at patient access to date, so I'm guessing you'll find gaps on the user/ scope side.
Current state:

  • you can configure keycloak to issue user/ scopes, but there's no currently established mechanism for scoping that down to a particular set of patients (e.g. based on the user's permissions)
  • fhir-smart will validate the [resourceType].[read|write] part of the user/[resourceType].[read|write] scopes, but currently it will give the user access to all such resources (doesn't scope it to the Patient.id values that are in the token like it does for the patient/ scopes).

The only way I've really used the user/ scopes to date is to grant access to resources that aren't really patient-specific (we allow patient/ scopes for those too, but I found that many in the community were using user/ scopes for those and so I added that support).

Lee Surprenant (Dec 10 2021 at 14:10):

With that said, the current behavior does support launch/patient behavior where that user has access to multiple patient records.
The "patient context picker" is used to narrow it down to just one patient (and this context is passed to the client app in the OIDC token response payload, as indicated in SMART App Launch), but the actual JWT we issue will include all Patient.id values that the user has access to (and that is what we're using to enforce access from fhir-smart). This is something I went back and forth on (and it's easy to change), but I mention it here because it might be a useful example / viable approach to issuing/enforcing user/ scopes that are scoped to some subset of patients.

Lee Surprenant (Mar 22 2022 at 13:40):

@Sibren Talens <- curious for your feedback on this proposed behavior change: https://github.com/IBM/FHIR/issues/3495


Last updated: Apr 12 2022 at 19:14 UTC