Query Regarding Consistency of sim Code in SMART Sandbox


Purushothaman B

Jan 29, 2025, 4:52:42 AM
to SMART on FHIR

I am working on integrating my application with the SMART on FHIR Sandbox and noticed that the sim code in the aud parameter appears to remain consistent across sessions when using the same configurations in the SMART App Launcher. For example, when I use the Provider Standalone Launch type with no specific Patient(s) or Provider(s) selected, the same sim code is generated each time.

I have a few questions regarding this behavior:

  1. Is the sim code guaranteed to remain the same for identical configurations, or are there scenarios where it might change?
  2. Would you recommend dynamically extracting the sim code from the aud parameter in my app, or is it safe to use a hardcoded value for testing purposes?

Vladimir Ignatov

Jan 29, 2025, 3:46:39 PM
to Purushothaman B, SMART on FHIR
Hi,

You are correct to point out that the sim parameter remains consistent for any given configuration. The SMART launcher supports a number of configuration parameters controlling how the server will “behave” when launching your app. What happens is that all those special parameters are compressed and then base64-encoded to be used as a URL segment. This way we can provide you a server URL that appears to be static, but it has some “behavior instructions” built into it.

  1. Is the sim code guaranteed to remain the same for identical configurations, or are there scenarios where it might change?
Yes, it will remain the same unless you change settings which would generate a new sim. However, it might change if we update the launcher. This is a proprietary feature which usually changes every time we update the supported configuration options, or if we introduce new ones.

  2. Would you recommend dynamically extracting the sim code from the aud parameter in my app, or is it safe to use a hardcoded value for testing purposes?
You can even remove it if you don’t need it. For example, the URL https://launch.smarthealthit.org/v/r4/sim/WzIsIiIsIiIsIkFVVE8iLDAsMSwwLCIiLCIiLCIiLCIiLCJhdXRoX2ludmFsaWRfY2xpZW50X2lkIiwiIiwiIiwwLDEsIiJd/fhir is a customized version of the default FHIR base URL https://launch.smarthealthit.org/v/r4/fhir. However, I wouldn’t recommend using that for automated testing unless you are running your own version of the launcher locally, as we can change this at any time.

In other words, the hierarchy of URLs that you may consider are:
  1. https://r4.smarthealthit.org/ - Open FHIR server (no authentication required)
  2. https://launch.smarthealthit.org/v/r4/fhir - Requires auth, then proxies to server #1 above
  3. https://launch.smarthealthit.org/v/r4/sim/..../fhir - Generated by the launcher. Injects some options, requires auth, then proxies to server #1 above

Best,
Vlad
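
The encoding described in the reply above, as an added example that is not part of the original thread or the launcher's own code: it splits an aud URL into its base FHIR URL and sim segment, decodes the segment, and compares the two segments quoted in this thread. It assumes the segment is unpadded URL-safe base64 around a JSON array; the function names are hypothetical, and the meaning of each array position is not stated on this page.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# aud values quoted in this thread (AUD_A: the reply above; AUD_B: the follow-up).
AUD_A = "https://launch.smarthealthit.org/v/r4/sim/WzIsIiIsIiIsIkFVVE8iLDAsMSwwLCIiLCIiLCIiLCIiLCJhdXRoX2ludmFsaWRfY2xpZW50X2lkIiwiIiwiIiwwLDEsIiJd/fhir"
AUD_B = "https://launch.smarthealthit.org/v/r4/sim/WzIsIiIsIiIsIkFVVE8iLDAsMCwwLCIiLCIiLCIiLCIiLCIiLCIiLCIiLDAsMSwiIl0/fhir"


def split_aud(aud):
    """Return (base FHIR URL without the sim segment, sim segment or None)."""
    parts = urlsplit(aud)
    segs = parts.path.split("/")
    if "sim" not in segs:
        return aud, None
    i = segs.index("sim")
    if i + 1 >= len(segs) or not segs[i + 1]:
        raise ValueError("'sim' path element has no value after it")
    sim = segs[i + 1]
    del segs[i:i + 2]
    return urlunsplit(parts._replace(path="/".join(segs))), sim


def decode_sim(segment):
    """Decode a sim segment; assumes unpadded URL-safe base64 around JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    options = json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))
    if not isinstance(options, list):
        raise ValueError("expected a JSON array of launcher options")
    return options


def diff_sim(a, b):
    """List (position, value_a, value_b) where two option arrays differ."""
    if len(a) != len(b):
        raise ValueError("arrays differ in length; launcher format may have changed")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    base_a, sim_a = split_aud(AUD_A)
    base_b, sim_b = split_aud(AUD_B)
    print(base_a, base_a == base_b)
    print(decode_sim(sim_a))
    print(diff_sim(decode_sim(sim_a), decode_sim(sim_b)))
```

Both URLs reduce to the same base FHIR URL, so an app that needs a stable aud for comparison can strip the segment rather than hardcode it.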


Purushothaman B

Jan 30, 2025, 12:25:53 AM
to SMART on FHIR

Dear SMART on FHIR Team,

I am currently working on integrating my application with the SMART on FHIR Sandbox and have encountered an issue when trying to generate an authorization code using the /authorize endpoint, i.e., https://launch.smarthealthit.org/v/r4/authorize

When I use the following authorization request:

https://launch.smarthealthit.org/v/r4/authorize?response_type=code&client_id=example&redirect_uri=http://localhost:5000/auth&scope=patient/Encounter.read patient/Observation.read user/. launch/patient launch/encounter openid fhirUser profile offline_access&aud=https://launch.smarthealthit.org/v/r4/fhir&state=123

I receive a "Not Found" error, even though I use the encoded one. It is not being redirected to the authentication page.

Additionally, when I use the /authorize-app endpoint with the sim code, the authorization workflow works correctly:

https://launch.smarthealthit.org/authorize-app?response_type=code&client_id=example&redirect_uri=http://localhost:5000/auth&scope=patient/Encounter.read%20patient/Observation.read%20user/.%20launch/patient%20launch/encounter%20openid%20fhirUser%20profile%20offline_access&aud=https://launch.smarthealthit.org/v/r4/sim/WzIsIiIsIiIsIkFVVE8iLDAsMCwwLCIiLCIiLCIiLCIiLCIiLCIiLCIiLDAsMSwiIl0/fhir&state=12345

However, I am unsure if this behavior is expected, or if I should be able to use the /authorize endpoint as well.
I have verified that the redirect_uri matches the one configured in the SMART Launcher.

Questions:
  1. Is the /authorize endpoint still functional for SMART authentication flows, or should /authorize-app always be used?
  2. If /authorize-app is required, does it always require a sim code, or can it function without one?
  3. Are there any specific requirements for aud when using /authorize versus /authorize-app?

I would appreciate any guidance on resolving this issue, as we are preparing for deployment in the coming days.

Looking forward to your response.

Thank you,
Best regards,
Purushothaman B
