The Smile CDR Inbound and Outbound Security modules support a JavaScript based callback API that can be used to add custom logic to the authentication and authorization process. Callback scripts have the right to examine authentication requests, enhance or restrict the corresponding user session, and even reject the authentication entirely.
Callback scripts in security modules can use the documented JavaScript Execution Environment APIs. However, in cases where a security module does NOT have a FHIR Storage module dependency configured, the following APIs will NOT be available in callback scripts:
This function applies to all security modules with the exception of non-federated SMART Outbound module implementations. In the case of a Federated SMART Outbound module implementation, this method would be implemented as part of an OIDC Server definition used with the Federated SMART Outbound module.
The onAuthenticateSuccess method is invoked after a user has successfully authenticated with an inbound security module. In other words, this is invoked after a user's credentials have been validated and a set of user details (potentially including the user's name, permissions, etc.) has been assembled.
Typically, it is sufficient to simply return the authorization outcome that was already generated by the system as shown above. It is also possible to modify the authorization. The most common use case is to add or remove permissions based on some criteria.
Note the properties that may optionally be populated on the failure object. These properties supply additional details about the failure and can be useful for troubleshooting; however, they are not required to be populated. A failure object with no properties is still treated as a normal authentication failure.
Some solutions may have custom authorization needs that do not map easily to existing authorities or roles. For these cases, the UserSessionDetails object exposes a userData key/value collection, similar to FHIR resources. For example, a SMART inbound hook can inspect custom claims and set user data:
The following example simply assigns superuser permissions to the user. This might be appropriate if all users of an application should have access to all data. You could also decide which permissions to add based on other properties of the authentication.
The following example assumes that an external OIDC server has been configured to issue access tokens that will be consumed by the SMART Inbound Security module. In order to convey the identity of the authorized patient, the OIDC server in this example has been configured to include a claim called patient, which will include the resource ID for the Patient resource corresponding to the authenticated user.
The SMART Inbound Security module expects a list of approved scopes to be included in the Access Token JWT in a claim called "scope", as described in the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification.
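The patient-claim scenario above, as an added example that is not taken from the Smile CDR documentation: a callback that validates the `patient` claim and grants only that patient's compartment, failing closed otherwise. The callback signature, `getClaim`, `addAuthority`, `setUserData`, `newFailure` and the two compartment permission names are assumptions here, modelled by local stubs so the script runs under Node.

```javascript
// Added example. The stubs further down are constructed stand-ins, not Smile CDR classes.
const PATIENT_ID = /^[A-Za-z0-9\-.]{1,64}$/; // shape of the FHIR "id" datatype

function onAuthenticateSuccess(theOutcome, theOutcomeFactory, theContext) {
  // Assumed accessor: returns the raw value of a claim from the access token.
  const claim = theContext.getClaim('patient');
  // Accept "123" or "Patient/123"; any other type or shape fails closed.
  const id = typeof claim === 'string' ? claim.replace(/^Patient\//, '') : '';
  if (!PATIENT_ID.test(id)) {
    const failure = theOutcomeFactory.newFailure();
    failure.message = 'Token has no usable patient claim';
    return failure;
  }
  // Scope the session to this one compartment rather than a broad role.
  theOutcome.addAuthority('FHIR_READ_ALL_IN_COMPARTMENT', 'Patient/' + id);
  theOutcome.addAuthority('FHIR_WRITE_ALL_IN_COMPARTMENT', 'Patient/' + id);
  theOutcome.setUserData('patientId', id); // assumed setter for the userData collection
  return theOutcome;
}

// ---- Constructed harness: exercises the callback outside the server ----
function runCallback(claims) {
  const outcome = {
    authorities: [], userData: {},
    addAuthority(perm, arg) { this.authorities.push(arg ? perm + '/' + arg : perm); },
    setUserData(key, value) { this.userData[key] = value; },
  };
  const factory = { newFailure: () => ({ failed: true }) };
  const context = { getClaim: (name) => claims[name] };
  return onAuthenticateSuccess(outcome, factory, context);
}

const SAMPLE_CLAIMS = [                      // constructed claim sets
  { patient: 'Patient/123', scope: 'patient/*.read' },
  { scope: 'patient/*.read' },               // claim missing
  { patient: 'Patient/123,Patient/456' },    // malformed: more than one reference
  { patient: ['123'] },                      // wrong type
];
for (const claims of SAMPLE_CLAIMS) {
  const result = runCallback(claims);
  console.log(JSON.stringify(claims.patient), '->',
    result.failed ? 'rejected' : result.authorities.join(' '));
}
```

Validating the claim before it becomes a permission argument matters because the argument decides which compartment the session can reach.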
If present in the Post-Authorize Script defined in the SMART Outbound Security module, the onAuthenticateSuccessClientCredentials function will be called after a client has authenticated using the Client Credentials with JWT Credential flow. It can be used to add additional authorities to the client's authenticated session.
If present in the Post-Authorize Script defined in the SMART Outbound Security module, the onSmartLoginPreContextSelection function will be called after the user has authenticated. It should supply the context choices that will be presented to the user. See SMART on FHIR Outbound Security Module: Context Selection for more information on this flow.
If Enforce Approved Scopes to Restrict Permissions is enabled, this function is called immediately after the built-in logic is applied in order to automatically narrow scopes. If this setting is disabled, then the function will be called instead of the built-in logic.
For example: Suppose you wanted to allow the user to invoke a custom operation called Patient/$foo, and you have therefore granted the user the FHIR_EXTENDED_OPERATION_ON_TYPE/Patient/$foo permission. The SMART framework does not provide any built-in scopes which allow a client to request access to this operation. So, a script could be used to automatically grant this permission based on an approved scope, or based on the existence of another authority.
The onTokenGenerating function is called immediately before an access token is generated following a successful authentication. It is primarily used to customize the SMART launch context(s) associated with a particular session (i.e., because the launch context is maintained in a third-party application and needs to be looked up during the auth flow).
The onTokenGenerating callback executes after the user has approved any scopes, but before the user's session is actually created. The callback can examine the approved scope list and modify it. The following example shows several scope manipulation methods.
Once the onTokenGenerating callback executes, it is possible to access the OIDC client ID from the UserSession and the audience from the AuthorizationRequestDetails, as well as other initial OAuth2 request parameters.
This example adds a custom claim to the Access Token and a custom value to the Token Response. See the Extract JWT Claim into Authorities and UserData example above to see an example of populating the client session UserData value that is used by this script.
The onPostAuthorize function is invoked any time that an authorization has succeeded. This function is invoked after the token is generated and should not be used to cancel or modify the authorization.
By default, Smile CDR generates local usernames by appending issuer and subject. This behavior can be customized by supplying a custom username mapping. This mapping receives Access token claims and server info.
Dazai took his copy of the script from one of the studio crew, turning his eyes down on the paper to start reading the content, searching for his lines and by the time he was only at the middle part of the script, he pulled his face away with a puzzled expression.
Introducing the exquisite Pretty Pink Posh Large Smile Script Hot Foil Plate! Crafted from high-quality 100% steel, this die set is ideal for a wide range of creative projects, including scrapbooking and paper crafts. The Smile script measures approximately 2.81 inches.
This premium product is proudly made in the USA. The hot foil plates are meticulously manufactured using top-grade steel and are compatible with most hot foil machines, ensuring seamless integration into your crafting process.
Elevate your designs with the elegant and beautiful script of the Large Smile Hot Foil Plate. With its precision and durability, this hot foil plate will add a touch of sophistication to your creations. Let your creativity shine and make a statement with Pretty Pink Posh!
[Eddy looks up mournfully. He is in the music room as Edd takes out a xylophone.]
Eddy: "I can't give this to my mom! I look like I'm getting my temperature taken!"
Edd: "Surely it isn't that bad, Eddy." [Eddy shows him the photo.] "Isn't your mother farsighted?"
[Ed uses his tongue to grab the picture.]
Ed: "Aw, you look like an onion! Mom loves onions!"
Eddy: "Oh, I'll give you an onion!"
[Eddy grabs the picture and slumps, unwilling to follow up on his threat. Ed opens his mouth for the onion.]
Eddy: [despondent] "Oh, I was so close. I could almost smell my brother's stuffed camel."
[The door opens and the teacher walks in. All the kids ready their instruments, except Eddy, who groans and leans on his stand, despairing.]
Edd: [handing Eddy a triangle] "The teacher's watching us, Eddy."
[The teacher starts a metronome, and the kids begin to play poorly.]
Edd: "You know, Eddy, I am in the photography club. I'll just retake your photo during lunch."
[Eddy sits up and begins to smile. He plays the triangle with more aplomb.]
Eddy: "I like that. It'll be like this bunk photo never existed." [He walks over to Ed.] "Hey Charlie-the-Birdbrain-Parker, eat this." [He stuffs the photo in Ed's mouth.]
Ed: "Thanks Eddy."
[Ed is chewing when the teacher points at him, indicating he should be playing his sax. Hurried, Ed fumbles with it and ends up blowing into the wrong end. The pressure builds, and the crumpled, wet paper shoots out of that end, landing on Kevin's drums. Kevin at first doesn't notice, but in a few seconds he sees that a wet paper is wrapped around one of his drumsticks. He spreads it out on a cymbal, revealing Eddy's face.]
Kevin: [to Nazz and Rolf] "Psst. Get a load of prune face."
[Kevin spins the cymbal so that Nazz and Rolf can take a look at the horrible picture.]
Rolf: "Rolf has seen prunier."
The script can easily be dropped into any project. Make sure you have the Plugin (from LeapDeveloperKit_2.1.0+18736_win\LeapSDK\lib\UnityAssets) as part of your plugins folder, and attach the C# script to any object in your scene to act as "The Leap" parent where all your tracked points will come from.
This is amazing! My team and I are trying to create a VR game with gun tracking and are currently using this wonderful script. The only problem is it creates a lot of lag; the profiler in Unity shows the update function taking up 80% usage. Any ideas on how to fix this?
Ah, that was due to a recent update making the "Rectify" function in the Leap SDK ridiculously slow; I was calling it for each pixel to increase precision. At the cost of a little precision, I can make it so it only calls the function once per blob.
Hi Zalo, I'm fairly new to Leap Motion and Unity programming and use PlayMaker in Unity with Oculus Rift for development purposes. Your tracking system seems ideal for me, as I don't need the Leap fingers, just a Vector3 position in time and space to control an already animated fencer's hand (sword). Marker tracking may be the key to the accuracy problem. This post is quite dated now; does it still work, or is there an updated version? Best, Drysdale