Considerations for Testing with Inferno ONC

Mandatory software components & configurations

Mandatory software components

Aidbox minimum installation consists of two mandatory components:

  1. PostreSQL relations database management system as data persistence layer
  2. Aidbox itself configured working to the PostgreSQL

PostgreSQL

As an Aidboxdb docker container can be got here. It has all necessary extensions on board.

Aidbox

The powerful FHIR-server. It also supports SMART on FHIR authorization flow.

Aidbox is distributed as a Docker container:

Mandatory software configurations

Aidbox

It could be configured in many ways.

Main configuration aspects:

  • S3 account & bucket should be prepared as Aidbox uploads exported data to the bucket
  • Aidbox should be configured as a zen-project

TLS for HTTP

ONC Inferno requires certain TLS version usage over HTTP requests. The allowed versions are v1.2+.

Technical requirements and attributes necessary for registration

confidential and public applications

There are two types of the applications using SMART on FHIR API:

  • confidential apps are able to protect issued secrets
  • public ones are not able to do it

confidential application

PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
secret: some-very-secret
grant_types:
  - authorization_code
  - basic                          # used to exchange authorization_code for access_token
auth:
  authorization_code:
    pkce: false                    # no PKCE allowed
    audience:
      - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: true          # secret is allowed
    access_token_expiration: 3600  # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch

public application

public, which don't have backend service and are not able to keep secret securely, shouldn't have secret, basic grant type and auth.authorization_code.secret_required should be disabled. Example:

PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
grant_types:
  - authorization_code
auth:
  authorization_code:
    pkce: true                    # PKCE is activated
    audience:
      - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: false        # secret is disabled
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch

bulk client for back-end application

Client example for bulk application.

PUT /Client/inferno-g10-bulk-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-bulk-client
resourceType: Client
type: bulk
grant_types:
  - client_credentials
auth:
  client_credentials:
    client_assertion_types:
      - urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    access_token_expiration: 300 # 5 minutes
scope:
  - system/*.read
jwks_uri: https://inferno.healthit.gov/suites/custom/g10_certification/.well-known/jwks.json

Expanding scope

scope are used to let SMART on FHIR know what resources an application needs to have access to. scope can be defined in two ways:

  1. Exact resource name like patient/Device.read. In this case read access to the Device is requested
  2. Wildcard definition like patient/*.read says all the patients resources read access requested

How Aidbox expands wildcard * scope

patient/*.read expands to:

  • patient/Patient.read
  • patient/AllergyIntolerance.read
  • patient/CarePlan.read
  • patient/CareTeam.read
  • patient/Condition.read
  • patient/Device.read
  • patient/DiagnosticReport.read
  • patient/DocumentReference.read
  • patient/Goal.read
  • patient/Encounter.read
  • patient/Immunization.read
  • patient/MedicationRequest.read
  • patient/Observation.read
  • patient/Procedure.read
  • patient/Provenance.read
  • patient/Practitioner.read
  • patient/Organization.read
  • patient/Location.read

user/*.read expands to:

  • user/Patient.read
  • user/AllergyIntolerance.read
  • user/CarePlan.read
  • user/CareTeam.read
  • user/Condition.read
  • user/Device.read
  • user/DiagnosticReport.read
  • user/DocumentReference.read
  • user/Goal.read
  • user/Encounter.read
  • user/Immunization.read
  • user/MedicationRequest.read
  • user/Observation.read
  • user/Procedure.read
  • user/Provenance.read
  • user/Practitioner.read
  • user/Organization.read
  • user/Location.read

system/*.read expands to:

  • system/Patient.read
  • system/AllergyIntolerance.read
  • system/CarePlan.read
  • system/CareTeam.read
  • system/Condition.read
  • system/Device.read
  • system/DiagnosticReport.read
  • system/DocumentReference.read
  • system/Goal.read
  • system/Encounter.read
  • system/Immunization.read
  • system/MedicationRequest.read
  • system/Observation.read
  • system/Procedure.read
  • system/Provenance.read
  • system/Practitioner.read
  • system/Organization.read
  • system/Location.read