Broken LinksNotebooks
# Table of contents
Aidbox FHIR platform documentation
Getting Started
Tutorials
CRUD, Search Tutorials
Bulk API Tutorials
Security & Access Control Tutorials
RBAC
Terminology Tutorials
Validation Tutorials
Upload FHIR Implementation Guide
Aidbox UI
Integration Toolkit Tutorials
Other tutorials
## Overview
Aidbox user portal
Aidbox UI
## Configuration
## API
REST API
CRUD
Search
Custom Search Parameter
SearchParameter types
Search parameters list
Other
Other
Bulk API
Other APIs
Plan API
Provider Directory API
Archive/Restore API
## Modules
Profiling and validation
FHIR Schema Validator
Security & Access Control
Authentication
Access to AidboxUI
External identity providers
Authentication Flows
Access Control
Attribute-based Access Control (ABAC)
Label-based Access Control
SMART on FHIR
SMART Client Authorization
SMART Client Authentication
SMART (deprecated)
SMART on FHIR
Multitenancy
Patient data access API
Audit
Technical reference
Observability
Getting started
Logs
How-to guides
Tutorials
Technical reference
Metrics
How-to guides
Technical reference
Traces
Subscriptions
Aidbox topic-based subscriptions
Aidbox Forms
Aidbox UI Builder
Form creation
How-to guides
Printing forms
Embedding
Aidbox Code Editor (deprecated)
Define extensions
Custom Resources
Migrate to FHIR Schema
Aidbox terminology module
Concept
ValueSet
CodeSystem
Import external terminologies
SQL on FHIR
Integration toolkit
C-CDA / FHIR Converter
List of supported templates
HL7 v2 Integration
Analytics
Email Providers integration
SMARTbox | FHIR API for EHRs
Get started
The B11 Decision Support Interventions
How-to guides
Background information
Other modules
MDM
## Storage
AidboxDB
Other
S3-compatible storages
## Deployment and maintenance
Deploy Aidbox
Run Aidbox on Kubernetes
Backup and Restore
Indexes
## App development
Aidbox SDK
## Reference
Settings reference
Environment variables
Email Providers reference
Aidbox Forms reference
## Deprecated
Deprecated
Zen-related
RPC reference
aidbox
mdm
Aidbox configuration project
Aidbox Configuration project reference
US Core IG
Workflow Engine
Task
Workflow
FHIR conformance Deprecated guides
How to enable US Core IG
Terminology Deprecated Tutorials
zen-lang validator
FHIR topic-based subscriptions
API Reference
🏗️ FHIR Terminology Repository
Create an FTR instance
Entity / Attribute
Other
App Development Deprecated Tutorials
Receive logs from your app
Other Deprecated Tutorials

Set-up token introspection

Token introspection is the setup when Aidbox trusts JWT issued by external server.

In this guide external auth server URL is https://auth.example.com

JWT Token

Create TokenIntrospector

http
PUT /TokenIntrospector/external-auth-server
content-type: text/yaml

resourceType: TokenIntrospector
id: external-auth-server
type: jwt
jwt:
  iss: https://auth.example.com
  secret: very-secret

The other example would be:

html
PUT /TokenIntrospector/external-auth-server
content-type: text/yaml

resourceType: TokenIntrospector
id: external-auth-server
type: "jwt"
jwt:
  iss: <AUTH_SERVER_URL>
jwks_uri: <AUTH_SERVER_URL>/.well-known/jwks.json"

Currently we use common secret to validate our introspector works. In production installations it's better to switch to jwks_uri instead

Define AccessPolicy

http
PUT /AccessPolicy/external-auth-server
content-type: text/yaml

resourceType: AccessPolicy
id: external-auth-server
engine: json-schema
schema:
  required:
    - jwt
  properties:
    jwt:
      required:
        - iss
      properties:
        iss:
          constant: https://auth.example.com

Create User

http
PUT /User/some-user-id
content-type: text/yaml

resourceType: User
id: some-user-id
data:
  id: basic
  sub: basic
  email: basic@example.com

Validating introspector works

Build JWT

Use this tool to build your JWT. Mind the claims:

  • issuer should be https://auth.example.com
  • expiration should be in the future
  • subject should be basic (user id)
  • key should be verysecret string

Press Create Signed JWT button to get signed JWT. The generated JWT looks like this 

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2NTc4ODA4NjMsImV4cCI6MTY4OTQxNjg2MywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.TvlrkjPfNAATDW6tHOcgRh3ZNl2tYpUPkFBS_UjU6TY

Use the JWT to get the access

Make an HTTP request providing authorization header with the JWT as a Bearer token.

http
GET /fhir/Patient
Authorization: Bearer eyJ0...U6TY

Opaque Token

Create Token Introspector&x20;

with introspection_endpoint:

http
PUT /TokenIntrospector/external-auth-server
content-type: text/yaml

resourceType: TokenIntrospector
id: external-auth-server
type: opaque
introspection_endpoint:
  url: <token-introspection-endpoint>
  authorization: <authorization-header>

Create AccessPolicy

http
PUT /AccessPolicy/external-auth-server
content-type: text/yaml

engine: matcho
matcho:
  // Everything Aidbox retrieved from  introspection_endpoint
  // will be available under `token` in AccessPolicy
  token:
    active: true
resourceType: AccessPolicy

All available TokenIntrospector attributes:

TokenIntrospector resource