FHIR Server Implementation


Anders Hansen

Nov 17, 2016, 9:57:45 AM11/17/16
to SMART on FHIR
Picked up the new version of the installer that runs off the HSPC stack instead of the SMART on FHIR stack.  In doing so, I noticed that the HSPC API reference implementation is only checking that the bearer token is valid, but not that it's for the correct context.  I had found that the SMART on FHIR API Server would make an introspect call to the auth server with the bearer token and be given the patient id which it used to limit access to resources (using compartments).  So if I launched my smart app under a given patient context, I could not use the bearer token from that launch to access other patients.  However, with the HSPC reference implementation, I can take the bearer token from one patient's launch and use it to access another patient.

The setup I am running locally is: installer vagrant (the clinic ehr/oauth/fhir server), smart app (web based), smart on fhir API reference implementation (my fhir server).  I'm launching my smart app from the clinic ehr and then accessing the clinic fhir server and my fhir server to present an aggregated view of the data.  On the previous installer this setup would work, because when I passed the bearer token to my fhir server it could make the introspect call to the clinic's oauth server to get the patient id that the bearer token could access.  However, using the new installer the introspect call does not return the patient id and the calls fail to the SMART on FHIR api server.  I understand that they are only reference implementations and there is a whole bunch of other stuff to figure out, just trying to prove out the mechanics of authentication and authorization.

I've been playing in the Epic and Cerner sandboxes.  I've noticed that the Epic sandbox isn't using JWT tokens and was unable to find an introspect call to give me any additional context data.  The Cerner sandbox was using JWT and was embedding patient and scope information within it.  Therefore, on Cerner we wouldn't even need to make the introspect call to get the scope/patient information.  These of course are both different than the minimal bearer token with the introspect call that I saw in the original SMART on FHIR approach.

Sorry for the long lead in, hopefully this isn't all complete gibberish and some of you are still with me.  I think in the above I have two sets of challenges:

1) Authorization Context - Ignoring the fact that we have multiple FHIR servers in play for a minute.  If I am writing a FHIR server, how do I determine the correct context to perform authorization?  Should we use the introspect call like the SMART on FHIR reference implementation was doing?  Seeing the HSPC implementation was not doing this made me wonder if that's the "old way".  Maybe we should be embedding the data in the JWT payload like Cerner is doing?

2) Multiple FHIR Servers - The challenge of using the bearer token from the clinic environment and passing it into my own external FHIR server and obtaining enough information from it to do the correct authentication/authorization.  I was able to prove this in my sandbox environment using the old installer given the assumption that we had access to the clinic oauth server to call introspect.  However, having access to hit the clinic's oauth server may not be realistic in a real world environment.  I believe using the openid context/id_token we can authenticate without that back channel if we have the correct keys, but then how about getting the context information (patient id) to do authorization?  With Cerner's approach to embedding the data in their JWT token it may be enough?  However, then there is Epic which isn't using JWT tokens (at least in their sandbox environment).  Anyone have thoughts on accomplishing this?


Josh Mandel

Nov 17, 2016, 10:22:35 AM11/17/16
to SMART on FHIR
Thanks for your detailed message, Anders!

Let me break out a few topics in my response.

* You've quite correctly identified a limitation in the HSPC server: it doesn't yet support enforcing access limitations by patient id. We'll work with the development team to correct this — but for now, a "workaround" (and in any case, a best practice) is for clients to include a "?patient=..." search parameter any time they intend to see results limited to a single patient record.

* Regarding your comment #1: If you're writing a SMART on FHIR EHR, it's up to you to decide what token format to use. It can be a JWT, or an opaque identifier of any kind. The only constraint is that it needs to be high-entropy enough to be non-guessable. The format of an access token is an internal decision made by the EHR system (which includes the FHIR resource server + Authorization server). As such, the only important thing is for the resource server to know how to look up a token (whether by introspection API, database lookup, or signature validation).

* Regarding your comment #2, it sounds like you may be trying to do something quite unexpected/unsupported if you are trying to have your FHIR Resource server interpret an access token generated by some other EHR's Authorization Server. Our security model assumes that the two components of an EHR (FHIR resource server + Authorization server) are aware of each other and agree on how to interpret access tokens. Nobody else (not the app, and not some other EHR's FHIR Resource server) should be trying to interpret an access token.

I hope this helps! Please let me know if you have follow-up questions.

Best,

  Josh
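The check the two posts above are discussing, as an added example rather than code from the HSPC or SMART on FHIR reference servers: a resource server resolves the opaque bearer token to its context (here a constructed in-memory store standing in for an introspection call or database lookup), parses the SMART `patient/Type.read` style scopes, and refuses any patient-scoped request that is not pinned to the launch patient. The token store, token values and the `authorize` helper are assumptions for illustration.

```python
import re

# Constructed token store standing in for an introspection endpoint or a
# database lookup. Values mimic the context an introspection response (or the
# claims inside a JWT access token) would carry for a SMART launch.
TOKEN_STORE = {
    "tok-launch-123": {
        "active": True,
        "patient": "123",
        "scope": "launch/patient patient/Observation.read patient/Patient.read",
    },
    "tok-expired": {"active": False, "patient": "123", "scope": "patient/*.read"},
}

# SMART v1 clinical scope shape: patient/Observation.read, user/*.write, ...
SCOPE_RE = re.compile(r"^(patient|user)/(\*|[A-Za-z]+)\.(read|write|\*)$")


def parse_scopes(scope_string):
    """Return (level, resource_type, access) tuples for each clinical scope."""
    return [m.groups() for m in map(SCOPE_RE.match, scope_string.split()) if m]


def lookup_token(token):
    """Resolve an opaque bearer token to its context; None if unknown/inactive."""
    ctx = TOKEN_STORE.get(token)
    return ctx if ctx and ctx.get("active") else None


def authorize(token, resource_type, access, subject_patient=None, query_patient=None):
    """Return (allowed, reason). subject_patient: owner of a fetched resource;
    query_patient: the ?patient= search parameter on a search request."""
    ctx = lookup_token(token)
    if ctx is None:
        return False, "token unknown or inactive"
    matches = [(lvl, rt, acc) for lvl, rt, acc in parse_scopes(ctx["scope"])
               if rt in ("*", resource_type) and acc in ("*", access)]
    if not matches:
        return False, "no scope grants %s on %s" % (access, resource_type)
    if any(lvl == "user" for lvl, _, _ in matches):
        return True, "user-level scope, not limited to the launch patient"
    launch_patient = ctx.get("patient")
    if not launch_patient:
        return False, "patient-level scope but token carries no patient context"
    # Patient-level scope: the request must be pinned to the launch patient.
    target = subject_patient if subject_patient is not None else query_patient
    if target is None:
        return False, "patient-scoped request must name a patient (?patient=...)"
    if target != launch_patient:
        return False, "patient %s is outside the launch compartment" % target
    return True, "within launch patient compartment"
```

The `query_patient` branch is the `?patient=...` convention from the reply: a search that omits it is refused outright rather than silently widened to every patient, and a search naming a different patient is refused even though the token itself is valid.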


SS

Dec 4, 2017, 1:55:32 AM12/4/17
to SMART on FHIR
Hi...

My requirement is we need an open source FHIR server with OAuth2 authentication...

As we have a .NET application, we are integrating the Fhir.STU3 NuGet package in our application for resource creation on the FHIR server.

We tried the Vonk server, but currently Vonk doesn't have the SMART feature.

So how can I achieve the same with the HSPC sandbox?

Is there any way to create a SMART FHIR server with the HSPC sandbox, on which we can also create resources? And if it's possible to create the FHIR server, how can I achieve the SMART feature?

Help is greatly appreciated...