Considerations for Testing with Inferno ONC
Mandatory software components & configurations
Mandatory software components
Aidbox minimum installation consists of two mandatory components:
1. PostgreSQL relational database management system as the data persistence layer
2. Aidbox itself, configured to work with PostgreSQL
PostgreSQL
The Aidboxdb Docker container can be obtained here. It has all necessary extensions on board.
Aidbox
The powerful FHIR server. It also supports the SMART on FHIR authorization flow.
Aidbox is distributed as a Docker container:
Mandatory software configurations
Aidbox
Main configuration aspects:
- S3 account & bucket should be prepared as Aidbox uploads exported data to the bucket
- Aidbox should be configured as a zen-project
TLS for HTTP
ONC Inferno requires a specific TLS version for HTTP requests: only TLS 1.2 and later are allowed.
Technical requirements and attributes necessary for registration
confidential and public applications
There are two types of applications using the SMART on FHIR API:
- confidential apps are able to protect the secrets issued to them
- public apps are not able to do so
confidential application
PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
secret: some-very-secret
grant_types:
  - authorization_code
  - basic # used to exchange authorization_code for access_token
auth:
  authorization_code:
    pkce: false # no PKCE allowed
    audience:
      - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: true # secret is allowed
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch
public application
Public apps, which have no backend service and cannot keep a secret securely, shouldn't have a secret or the basic grant type, and auth.authorization_code.secret_required should be disabled. Example:
PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
grant_types:
  - authorization_code
auth:
  authorization_code:
    pkce: true # PKCE is activated
    audience:
      - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: false # secret is disabled
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch
bulk client for back-end application
Client example for a bulk (back-end service) application.
PUT /Client/inferno-g10-bulk-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-bulk-client
resourceType: Client
type: bulk
grant_types:
  - client_credentials
auth:
  client_credentials:
    client_assertion_types:
      - urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    access_token_expiration: 300 # 5 minutes
scope:
  - system/*.read
jwks_uri: https://inferno.healthit.gov/suites/custom/g10_certification/.well-known/jwks.json
Expanding scope
Scopes are used to let SMART on FHIR know which resources an application needs access to. A scope can be defined in two ways:
1. An exact resource name like patient/Device.read. In this case read access to the Device resource is requested.
2. A wildcard definition like patient/*.read, which requests read access to all of the patient's resources.
How Aidbox expands wildcard * scope
patient/*.read expands to:
patient/Patient.read, patient/AllergyIntolerance.read, patient/CarePlan.read, patient/CareTeam.read, patient/Condition.read, patient/Device.read, patient/DiagnosticReport.read, patient/DocumentReference.read, patient/Goal.read, patient/Encounter.read, patient/Immunization.read, patient/MedicationRequest.read, patient/Observation.read, patient/Procedure.read, patient/Provenance.read, patient/Practitioner.read, patient/Organization.read, patient/Location.read
user/*.read expands to:
user/Patient.read, user/AllergyIntolerance.read, user/CarePlan.read, user/CareTeam.read, user/Condition.read, user/Device.read, user/DiagnosticReport.read, user/DocumentReference.read, user/Goal.read, user/Encounter.read, user/Immunization.read, user/MedicationRequest.read, user/Observation.read, user/Procedure.read, user/Provenance.read, user/Practitioner.read, user/Organization.read, user/Location.read
system/*.read expands to:
system/Patient.read, system/AllergyIntolerance.read, system/CarePlan.read, system/CareTeam.read, system/Condition.read, system/Device.read, system/DiagnosticReport.read, system/DocumentReference.read, system/Goal.read, system/Encounter.read, system/Immunization.read, system/MedicationRequest.read, system/Observation.read, system/Procedure.read, system/Provenance.read, system/Practitioner.read, system/Organization.read, system/Location.read
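The following is an added example, not Aidbox code: it checks a Client definition against the rules stated above for public, confidential and bulk clients (no secret or basic grant for public apps, PKCE on, jwt-bearer assertions and a jwks_uri for bulk clients) and expands wildcard scopes to the resource list this page gives. Clients are plain Python dicts mirroring the YAML examples; the function names and the "kind" argument are this example's own.

```python
# Added example, not Aidbox's own code: validates a Client definition against the
# rules this page states and expands wildcard scopes as the page describes.

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Resource types the page lists for patient/*, user/* and system/* expansion.
WILDCARD_RESOURCES = [
    "Patient", "AllergyIntolerance", "CarePlan", "CareTeam", "Condition", "Device",
    "DiagnosticReport", "DocumentReference", "Goal", "Encounter", "Immunization",
    "MedicationRequest", "Observation", "Procedure", "Provenance", "Practitioner",
    "Organization", "Location",
]

def expand_scope(scope: str) -> list:
    """patient/*.read -> [patient/Patient.read, ...]; an exact scope passes through."""
    context, _, rest = scope.partition("/")
    resource, _, access = rest.partition(".")
    if resource != "*":
        return [scope]
    return [f"{context}/{r}.{access}" for r in WILDCARD_RESOURCES]

def check_client(client: dict, kind: str) -> list:
    """Return the rules the definition breaks; an empty list means it is consistent."""
    problems = []
    grants = client.get("grant_types", [])
    auth = client.get("auth", {})
    code = auth.get("authorization_code", {})
    if kind == "public":
        # No backend to guard a secret, so nothing may rely on one and PKCE must be on.
        if "secret" in client:
            problems.append("public client must not carry a secret")
        if "basic" in grants:
            problems.append("public client must not use the basic grant")
        if code.get("secret_required", False):
            problems.append("secret_required must be false")
        if not code.get("pkce", False):
            problems.append("pkce must be true")
    elif kind == "confidential":
        if "secret" not in client or not code.get("secret_required", False):
            problems.append("confidential client needs a secret and secret_required: true")
    elif kind == "bulk":
        creds = auth.get("client_credentials", {})
        if grants != ["client_credentials"]:
            problems.append("bulk client must use only client_credentials")
        if JWT_BEARER not in creds.get("client_assertion_types", []):
            problems.append("bulk client must accept jwt-bearer client assertions")
        if "jwks_uri" not in client:
            problems.append("bulk client needs jwks_uri to verify assertions")
    return problems
```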