Broken LinksNotebooks
# Table of contents
Aidbox FHIR platform documentation
Getting Started
Tutorials
CRUD, Search Tutorials
Bulk API Tutorials
Security & Access Control Tutorials
RBAC
Terminology Tutorials
Validation Tutorials
Upload FHIR Implementation Guide
Aidbox UI
Integration Toolkit Tutorials
Other tutorials
## Overview
Aidbox user portal
Aidbox UI
## Configuration
## API
REST API
CRUD
Search
Custom Search Parameter
SearchParameter types
Search parameters list
Other
Other
Bulk API
Other APIs
Plan API
Provider Directory API
Archive/Restore API
## Modules
Profiling and validation
FHIR Schema Validator
Security & Access Control
Authentication
Access to AidboxUI
External identity providers
Authentication Flows
Access Control
Attribute-based Access Control (ABAC)
Label-based Access Control
SMART on FHIR
SMART Client Authorization
SMART Client Authentication
SMART (deprecated)
SMART on FHIR
Multitenancy
Patient data access API
Audit
Technical reference
Observability
Getting started
Logs
How-to guides
Tutorials
Technical reference
Metrics
How-to guides
Technical reference
Traces
Subscriptions
Aidbox topic-based subscriptions
Aidbox Forms
Aidbox UI Builder
Form creation
How-to guides
Printing forms
Embedding
Aidbox Code Editor (deprecated)
Define extensions
Custom Resources
Migrate to FHIR Schema
Aidbox terminology module
Concept
ValueSet
CodeSystem
Import external terminologies
SQL on FHIR
Integration toolkit
C-CDA / FHIR Converter
List of supported templates
HL7 v2 Integration
Analytics
Email Providers integration
SMARTbox | FHIR API for EHRs
Get started
The B11 Decision Support Interventions
How-to guides
Background information
Other modules
MDM
## Storage
AidboxDB
Other
S3-compatible storages
## Deployment and maintenance
Deploy Aidbox
Run Aidbox on Kubernetes
Backup and Restore
Indexes
## App development
Aidbox SDK
## Reference
Settings reference
Environment variables
Email Providers reference
Aidbox Forms reference
## Deprecated
Deprecated
Zen-related
RPC reference
aidbox
mdm
Aidbox configuration project
Aidbox Configuration project reference
US Core IG
Workflow Engine
Task
Workflow
FHIR conformance Deprecated guides
How to enable US Core IG
Terminology Deprecated Tutorials
zen-lang validator
FHIR topic-based subscriptions
API Reference
πŸ—οΈ FHIR Terminology Repository
Create an FTR instance
Entity / Attribute
Other
App Development Deprecated Tutorials
Receive logs from your app
Other Deprecated Tutorials

Set up SMART on FHIR in Aidbox

SMART on FHIR specifies authentication/authorization scheme for FHIR Applications. This scheme extends OAuth 2.0 and OpenID. To enable SMART on FHIR you need to create an Aidbox configuration project and configure SMART API routes using the API constructor (beta).

You can use the configuration provided in the Aidbox project samples repo.

Set Up Aidbox Project

Clone the Aidbox project samples repo:

shell-session
$ git clone https://github.com/Aidbox/aidbox-project-samples.git

In the aidbox-project-samples/smart-on-fhir/core.edn file you can see example of the API constructor configuration.

Currently only two middlewares for SMART on FHIR authorization are implemented:

  • :smart.fhir/singlepatientauthmiddleware β€” Patient launch
  • :smart.fhir/authorizationmiddleware β€” Provider launch

Create Resources

To use SMART on FHIR you need to create a few resources like Client and AccessPolicies

Client

Let's create an Aidbox Client:

yaml
POST /Client
Content-Type: text/yaml
Accept: text/yaml

resourceType: Client
id: smart-client
secret: some-secret
auth:
  authorization_code:
    redirect_uri: https://your/redirect/uri
    refresh_token: true
    secret_required: true
    access_token_expiration: 36000
smart:
  launch_uri: https://your/launch/uri
grant_types:
  - authorization_code

The launch_uri parameter here specifies the launch URI for the EHR-based SMART App launch.

Access Policies

You likely want to add some Access Control to allow users see their data. Here we provide some examples for reference:

yaml
PUT /
Content-Type: text/yaml
Accept: text/yaml

# Allow patients to search resources linked with them
- resourceType: AccessPolicy
  engine: matcho
  matcho:
    uri: '#/smart/.*'
    params:
      patient: .role.links.patient.id
  roleName: patient
  id: patient-smart

# Allow patients to read their info
- resourceType: AccessPolicy
  engine: matcho
  matcho:
    uri: '#/smart/Patient/.*'
    params:
      id: .role.links.patient.id
  roleName: patient
  id: smart-patient-read

# Allow patients to read their info
- resourceType: AccessPolicy
  engine: matcho
  matcho:
    uri: '#/smart/Patient'
    params:
      _id: .role.links.patient.id
  roleName: patient
  id: smart-patient-search-self

Generate Launch URI for EHR Launch Sequence

To generate SMART App launch URI use RPC API method aidbox.smart/get-launch-uri. The method accepts the following arguments:

  • user: id of the User resource
  • iss: Aidbox base URL
  • client: id of the Client resource
  • ctx: additional launch contextΠΎ
  • patient: id of Patient resource
  • encounter: id of Encounter resource
  • fhirContext: array of objects referring to any resource type other than Patient or Encounter (see more details)

Standalone Launch

Standalone launch sequence.png>)

Authorization code flow with SMART on FHIR Standalone Launch:

  • App requests SMART configuration from baseurl/.wellknown/smartconfiguration
  • App requests FHIR conformance statement from baseurl/metadata
  • App redirects to the EHR Authorization endpoint providing extra parameters:
  • scope: OAuth scopes including scopes defined by SMART on FHIR
  • aud: FHIR Server base url
  • Authorization server checks asks user to grant access to resources requested by the App and redirects to the App with code
  • App exchanges code for token using the token endpoint
  • App uses the token for resource access

EHR Launch

EHR Launch Sequence (1) (1).png>)

Authorization code flow with SMART on FHIR EHR Launch:

  • EHR redirects to the App Launch URI (which is generated using Aidbox RPC)
  • App requests SMART configuration from baseurl/.wellknown/smartconfiguration
  • App requests FHIR conformance statement from baseurl/metadata
  • App redirects to the EHR Authorization endpoint providing extra parameters:
  • scope: OAuth scopes including scopes defined by SMART on FHIR
  • aud: FHIR Server base url
  • Authorization server checks asks user to grant access to resources requested by the App and redirects to the App with code
  • App exchanges code for token using the token endpoint
  • App uses the token for resource access

The result of the exchanging of the code for token is a JSON object containing at least:

  • access_token. The access token issued by the authorization server
  • token_type. Fixed value: Bearer
  • scope. Scope of access authorized

More details can be found here

Inferno tests

The SMART on FHIR sample in the Aidbox Project Samples is ready to pass the Inferno ONC Program and most of the Inferno Community SMART on FHIR tests. Follow the README in the Aidbox Project Samples repository to set up Aidbox for running these tests.