Considerations for Testing with Inferno ONC
Mandatory software components & configurations
Mandatory software components
A minimal Aidbox installation consists of two mandatory components:
- PostgreSQL relational database management system as the data persistence layer
- Aidbox itself, configured to work with that PostgreSQL instance
PostgreSQL
Available as the Aidboxdb Docker container, which can be obtained here. It has all the necessary extensions on board.
Aidbox
A powerful FHIR server. It also supports the SMART on FHIR authorization flow.
Aidbox is distributed as a Docker container:
Mandatory software configurations
Aidbox
It can be configured in many ways.
Main configuration aspects:
- An S3 account and bucket must be prepared, as Aidbox uploads exported data to the bucket
- Aidbox must be configured as a zen-project
TLS for HTTP
ONC Inferno requires a minimum TLS version for HTTP requests: TLS 1.2 or newer is allowed.
Technical requirements and attributes necessary for registration of confidential and public applications
There are two types of applications using the SMART on FHIR API:
- confidential apps are able to protect the secrets issued to them
- public apps are not able to do so
Confidential application
PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
secret: some-very-secret
grant_types:
  - authorization_code
  - basic # used to exchange authorization_code for access_token
auth:
  authorization_code:
    pkce: false # no PKCE allowed
    audience:
      - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: true # secret is allowed
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch
Public application
Public applications, which have no backend service and cannot keep a secret securely, should have no secret and no basic grant type, and auth.authorization_code.secret_required should be disabled. Example:
PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
grant_types:
  - authorization_code
auth:
  authorization_code:
    pkce: true # PKCE is activated
    audience:
      - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: false # secret is disabled
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch
Bulk client for back-end application
Client example for a bulk application.
PUT /Client/inferno-g10-bulk-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-bulk-client
resourceType: Client
type: bulk
grant_types:
  - client_credentials
auth:
  client_credentials:
    client_assertion_types:
      - urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    access_token_expiration: 300 # 5 minutes
scope:
  - system/*.read
jwks_uri: https://inferno.healthit.gov/suites/custom/g10_certification/.well-known/jwks.json
Expanding scope
Scopes are used to let SMART on FHIR know which resources an application needs access to. A scope can be defined in two ways:
- An exact resource name, like patient/Device.read. In this case read access to the Device resource is requested.
- A wildcard definition, like patient/*.read, which requests read access to all of the patient's resources.
How Aidbox expands the wildcard * scope
patient/*.read expands to:
patient/Patient.read
patient/AllergyIntolerance.read
patient/CarePlan.read
patient/CareTeam.read
patient/Condition.read
patient/Device.read
patient/DiagnosticReport.read
patient/DocumentReference.read
patient/Goal.read
patient/Encounter.read
patient/Immunization.read
patient/MedicationRequest.read
patient/Observation.read
patient/Procedure.read
patient/Provenance.read
patient/Practitioner.read
patient/Organization.read
patient/Location.read
user/*.read expands to:
user/Patient.read
user/AllergyIntolerance.read
user/CarePlan.read
user/CareTeam.read
user/Condition.read
user/Device.read
user/DiagnosticReport.read
user/DocumentReference.read
user/Goal.read
user/Encounter.read
user/Immunization.read
user/MedicationRequest.read
user/Observation.read
user/Procedure.read
user/Provenance.read
user/Practitioner.read
user/Organization.read
user/Location.read
system/*.read expands to:
system/Patient.read
system/AllergyIntolerance.read
system/CarePlan.read
system/CareTeam.read
system/Condition.read
system/Device.read
system/DiagnosticReport.read
system/DocumentReference.read
system/Goal.read
system/Encounter.read
system/Immunization.read
system/MedicationRequest.read
system/Observation.read
system/Procedure.read
system/Provenance.read
system/Practitioner.read
system/Organization.read
system/Location.read
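Added here as an example (not Aidbox code): the consistency checks a deployer would run over the Client resources above before registering with Inferno, together with the wildcard expansion described in this section. The helper names and the misconfigured client variant are constructed for the example; the resource list is the one given above.

```python
# Added example, not Aidbox code: consistency checks for the SMART Client
# resources shown above, plus the wildcard scope expansion Aidbox applies.
# Resource types a wildcard scope expands to, exactly as listed on this page.
WILDCARD_RESOURCES = [
    "Patient", "AllergyIntolerance", "CarePlan", "CareTeam", "Condition",
    "Device", "DiagnosticReport", "DocumentReference", "Goal", "Encounter",
    "Immunization", "MedicationRequest", "Observation", "Procedure",
    "Provenance", "Practitioner", "Organization", "Location",
]

def expand_scope(scope: str) -> list[str]:
    """Expand `<context>/*.<perm>` into one scope per resource; others pass through."""
    context, _, rest = scope.partition("/")
    resource, _, perm = rest.partition(".")
    if resource != "*":
        return [scope]
    return [f"{context}/{name}.{perm}" for name in WILDCARD_RESOURCES]

def check_client(client: dict) -> list[str]:
    """Return findings where a Client's shape does not match its app type."""
    findings = []
    grants = client.get("grant_types", [])
    ac = client.get("auth", {}).get("authorization_code", {})
    if "secret" in client:  # confidential app: the secret must be enforced
        if not ac.get("secret_required"):
            findings.append("secret present but secret_required is false")
        if "basic" not in grants:
            findings.append("confidential client lacks the basic grant")
    else:  # public app: nothing that assumes a secret, PKCE in its place
        if "basic" in grants:
            findings.append("public client must not use the basic grant")
        if ac.get("secret_required"):
            findings.append("public client cannot satisfy secret_required")
        if not ac.get("pkce"):
            findings.append("public client should enable PKCE")
    return findings

# Constructed inputs: the public client from this page, and a misconfigured
# variant that keeps the confidential settings but omits the secret.
PUBLIC_CLIENT = {
    "id": "inferno-g10-client", "resourceType": "Client",
    "grant_types": ["authorization_code"],
    "auth": {"authorization_code": {"pkce": True, "secret_required": False}},
}
BROKEN_CLIENT = {
    "id": "inferno-g10-client", "resourceType": "Client",
    "grant_types": ["authorization_code", "basic"],
    "auth": {"authorization_code": {"pkce": False, "secret_required": True}},
}
```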