smart.user.read() failure


makiaht...@gmail.com

Jul 11, 2017, 10:08:22 PM
to SMART on FHIR
Hi all, 

I've been puzzling over an extremely irritating error in the SMART JavaScript client, which I unfortunately have had zero success fixing. I've turned to the forums in case this error is a fundamental misunderstanding on my part.

Inside FHIR.oauth2.ready, I'm authenticated with the appropriate scopes "launch patient/*.* openid profile", the latter two of which provide me (or should provide me) with the user data, according to the specification. (The former scope works perfectly, at least, and I can read patient-scoped data through a simple smart.patient.read.) Upon running smart.user.read(), however, I receive nothing in turn, despite the existence of a userId variable (the profile for the user). After a harrowing search, I found the part of the client which controls this and found that the request for the resource (which "should be treated as a FHIR resource" according to the specification) is failing, despite the existence of the id_token variable, which when decoded via jwt does provide me with my user data. Although I could manually decode this token in my client code, that would go against the SMART specification for security.

Is there a step before user access that I am missing, or is there a fundamental misunderstanding going on here (I'm using the SMART sandbox by the way)?  Any help is appreciated.  

Vladimir Ignatov

Jul 12, 2017, 2:13:50 PM
to makiaht...@gmail.com, SMART on FHIR
Hi,

This is actually an issue with the sandbox and not the client library. The id_token that you are given does not contain the correct data and this means that user-scoped apps are not working.
This is pretty important and as far as I know it is currently being fixed. We will let you know as soon as we have a working version.

Thanks,
Vlad


Makiah Bennett

Jul 12, 2017, 3:10:10 PM
to Vladimir Ignatov, SMART on FHIR
Hi Vladimir, 

That is a huge relief, thanks for the clarification!

Best, 
Makiah

Travis Cummings

Jul 13, 2017, 10:33:45 PM
to Makiah Bennett, Vladimir Ignatov, SMART on FHIR
The sandbox issuing id tokens has been fixed. However, you will only get valid values for the id token if you are launching your app using a launch scenario. This is because a launch scenario will have a simulated clinical user (a persona) while launching your app from the registered apps screen will actually launch using your personal login (and that has no associated practitioner record).

Travis


Max Gerlach

Jul 14, 2017, 9:29:46 AM
to SMART on FHIR, makiaht...@gmail.com, vlad.i...@gmail.com
Travis,

Could you explain to me how a launch scenario differs from going into the 'Registered Apps' tab and clicking on the 'Launch' button by my application?

Thanks,
Max

Travis Cummings

Jul 14, 2017, 5:07:20 PM
to Max Gerlach, SMART on FHIR, makiaht...@gmail.com, vlad.i...@gmail.com
Hi Max,

The registered apps section of the sandbox is for managing your app registrations.  It also offers limited launch simulation of your app, meaning, it launches with yourself (your login) as the user and no patient in context.  Because it is using yourself as the user, you have no Practitioner FHIR resource associated with your account.  

The launch scenarios section of the sandbox is for creating reusable, fully simulated app launches.  In a launch scenario, you select a persona (a persona is a login for a Patient or a Practitioner FHIR resource), an optional patient context, and an app.  This scenario can be easily launched repeatedly.  Because a launch scenario uses a persona with a Patient or Practitioner FHIR resource, a meaningful id_token can be provided to the app.

Thanks,
Travis

Dustin Riley

Sep 20, 2017, 9:38:24 AM
to SMART on FHIR
Hi Travis,

Was this a recent fix? Even using a launch scenario, I'm still getting an error with smart.user.read(), whereas on other providers' sandboxes I'm not having the error. The userId in the context is also null in the smart health sandbox, and not so in others.

Thank you,
Dustin

Travis Cummings

Sep 21, 2017, 12:01:05 AM
to Dustin Riley, SMART on FHIR
Hi Dustin, 

Could you please invite me to your sandbox and let me know which launch scenario can replicate the problem? 

We have a fix pending for the Registered Apps section, but the Launch Scenarios section should work correctly.

Travis

Travis Cummings

Sep 21, 2017, 12:02:35 AM
to Dustin Riley, SMART on FHIR
Hey Dustin, 

Sorry, I was thinking of a different sandbox that had invite capabilities. Is there a way you can let me see the issue you are having? I believe it works from the launch scenarios.

Travis

Travis Cummings

Sep 21, 2017, 1:38:10 AM
to Dustin Riley, SMART on FHIR
Here is what I see if I run an app that has scopes "openid profile":

{
"access_token":"...",
"token_type":"Bearer",
"expires_in":86399,
"scope":"smart/orchestrate_launch openid user/*.* profile",
"id_token":"eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0cmF2aXN0Y3VtbWluZ3NAeWFob28uY29tIiwiYXVkIjoic2FuZF9tYW4iLCJvcmdhbml6YXRpb25OYW1lIjoiVUJobnBDY3UwcTA2a0Y4TEo5endmdEd5cnBxRXVjMEYiLCJkaXNwbGF5TmFtZSI6IlRyYXZpcyBDdW1taW5ncyIsInByb2ZpbGUiOiJEWU12bWh5VXpzOUcwNHA1YmMwbiIsImtpZCI6InJzYTEiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZyIsImV4cCI6MTUwNTk3MDgzNCwiaWF0IjoxNTA1OTcwMjM0LCJlbWFpbCI6bnVsbH0.R34wwatbJOsvFdkGUuiL_AmSFLjjdBEqK3rTJH4IsZuS-StJQCylMYHLiKMCIUA9yFPIzbRoEeLvlJnJWMXApwJ6rbeFPdKWljdZ7YdfSrknhkQc5hX535KPwtP3-g41C_m-DLm6kYF3zNoNHJe6rWx6uJgTr01RCH22TOm421vnuH8o2H9iUHlCXQBRZx-0GL_e0HXRCNl5E8ju9Fp6AGEXmvCxAsZraCzsCtVGR33EJMIjd99issm7LKYsVpgfhkK76QzkxTSTeC0AuH6vqr8X-tYx8NBVUpfncaNtIItnVMR_1VPVkvcjWQn4ArZNNPrpdRnv2Q9uEWcaTWNH3w"}

And if you decode that id_token (at https://jwt.io/) you can see:

{
  "sub": "kathy1@smartdstu2",
  "aud": "hspc_appointments",
  "organizationName": null,
  "displayName": "Kathy Fielding, MD",
  "profile": "Practitioner/COREPRACTITIONER4",
  "kid": "rsa1",
  "exp": 1505970921,
  "iat": 1505970321,
  "email": "kathy1@smartdstu2"
}

It appears that the fhir_client.js correctly assigns this value to the user property on read.  

Can you please let me know what version of the fhir_client.js you are using?

Can you explain your launch scenario further, possibly sharing with me your app registration information so I can debug the launch?

Thanks,
Travis
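
Added example (not part of the thread, and not code from fhir_client.js): a Node.js diagnostic that decodes an id_token payload and checks whether its profile claim is a Patient or Practitioner reference, which is the difference between the launch-scenario and Registered Apps tokens described above. The function names, the client_id and the sample tokens are assumptions constructed for illustration, and the signature is not verified here.

```javascript
// Diagnostic only: this decodes and inspects claims WITHOUT verifying the
// JWT signature, so its result must not be used to authenticate anyone.
const FHIR_USER_TYPES = ["Practitioner", "Patient"]; // persona types named in the thread

// Decode one base64url JWT segment into an object (Node.js Buffer).
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns { ok, problems, user } for an id_token string.
// expectedAud is the app's client_id; nowSec is injectable for testing.
function inspectIdToken(idToken, expectedAud, nowSec = Math.floor(Date.now() / 1000)) {
  const problems = [];
  const parts = String(idToken).split(".");
  if (parts.length !== 3) return { ok: false, problems: ["not a three-part JWT"], user: null };
  let claims;
  try { claims = decodeSegment(parts[1]); }
  catch (e) { return { ok: false, problems: ["payload is not base64url JSON"], user: null }; }

  if (typeof claims.exp !== "number" || claims.exp <= nowSec) problems.push("token expired or exp missing");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) problems.push("aud does not match client_id");

  // profile should be a relative or absolute FHIR reference: [base/]Type/id
  let user = null;
  const m = /(?:^|\/)([A-Za-z]+)\/([A-Za-z0-9.\-]{1,64})$/.exec(claims.profile || "");
  if (m && FHIR_USER_TYPES.includes(m[1])) user = { resourceType: m[1], id: m[2] };
  else problems.push("profile is not a FHIR user reference");
  return { ok: problems.length === 0, problems, user };
}

// Constructed sample tokens (placeholder signature, not taken from the thread's token).
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256", kid: "rsa1" }), enc(payload), "c2ln"].join(".");
}
const personaToken = makeToken({ sub: "kathy1@smartdstu2", aud: "hspc_appointments",
  profile: "Practitioner/COREPRACTITIONER4", exp: 1505970921 });
const opaqueToken = makeToken({ sub: "dev-login", aud: "hspc_appointments",
  profile: "OPAQUE-ACCOUNT-ID", exp: 1505970921 });

console.log(inspectIdToken(personaToken, "hspc_appointments", 1505970400));
console.log(inspectIdToken(opaqueToken, "hspc_appointments", 1505970400));
```
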