adding smart on fhir configuration endpoint #1270
Conversation
There was a problem hiding this comment.
There is a significant variance between what's returned from this endpoint compared to what's in the links specified in the SMART on FHIR spec + example. For example: the path should be smart-configuration (https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known), and there are a significant number of fields present that are not in the smart-configuration conformance spec.
|
@alex-dzeda I removed all the fields that weren't listed in the sample response and changed the url path to be smart-configuration. { |
| @@ -10,6 +11,7 @@ | |||
|
|
|||
| urlpatterns = [ | |||
| path("openid-configuration", openid_configuration, name="openid-configuration"), | |||
| path("smart-configuration", smart_configuration, name="smart-configuration"), | |||
There was a problem hiding this comment.
the .well-known/smart-configuration should be relative to the base path of the server, eg v2/fhir/.well-known/smart-configuration for v2, v1/fhir/.well-known/smart-configuration for v1, per environment.
There was a problem hiding this comment.
I see what you mean. I'll have to do a bit more digging around to get it to have that pattern. Would we want to change openid-configuration to follow that pattern as well? It seems like it's the only one to have this current pattern. Swagger link for convenience: https://sandbox.bluebutton.cms.gov/docs/openapi#/v2/openIdConfig
There was a problem hiding this comment.
A good team discussion topic. imo the value of a well-known url is that you can automatically discover it. As it stands today, I'd see the same problem for the OIDC config, since openid-configuration-v2 isn't really well-known.
There was a problem hiding this comment.
Okay, I'll socialize this with the other engineers and see about making this happen
| @@ -9,6 +9,16 @@ | |||
| import apps.logging.request_logger as bb2logging | |||
|
|
|||
| logger = logging.getLogger(bb2logging.HHS_SERVER_LOGNAME_FMT.format(__name__)) | |||
| SCOPES_SUPPORTED = ["profile", "patient/Patient.read", "patient/ExplanationOfBenefit.read", "patient/Coverage.read"] | |||
| CODE_CHALLENGE_METHODS_SUPPORTED = ["S256"] | |||
| CAPABILITIES = [ | |||
There was a problem hiding this comment.
Can we add "authorize-post"? looks like that one would also fit within the existing, supported capabilities of BB2
There was a problem hiding this comment.
I'll add that now.
JIRA Ticket:
BB2-3360
What Does This PR Do?
Adds SMART on FHIR endpoint listing out configuration details
What Should Reviewers Watch For?
Expected endpoint returns correct info as per https://confluence.cms.gov/pages/viewpage.action?spaceKey=BFD&title=BFD-3378%3A+FHIR+IG+conformance
If you're reviewing this PR, please check for these things in particular:
Any ways the code style itself could be improved upon. It was mostly copy pasted from the openid config endpoint and it would be good to know if it is conforming to the quality of code we'd like.
Validation
This was verified by spinning up the docker containers locally, getting a token, and performing a GET request in postman to localhost:8000/.well-known/smart-on-fhir-configuration.
A response from a local test is here:
{
"issuer": "http://localhost:8000",
"authorization_endpoint": "http://localhost:8000/v1/o/authorize/",
"revocation_endpoint": "http://localhost:8000/v1/o/revoke/",
"token_endpoint": "http://localhost:8000/v1/o/token/",
"userinfo_endpoint": "http://localhost:8000/v1/connect/userinfo",
"ui_locales_supported": [
"en-US"
],
"service_documentation": "https://bluebutton.cms.gov/developers",
"op_tos_uri": "https://bluebutton.cms.gov/terms",
"grant_types_supported": [
"authorization-code",
"refresh_token"
],
"response_types_supported": [
"code",
"token"
],
"fhir_metadata_uri": "http://localhost:8000/v1/fhir/metadata",
"scopes_supported": [
"profile",
"patient/Patient.read",
"patient/ExplanationOfBenefit.read",
"patient/Coverage.read"
],
"code_challenge_methods_supported": [
"S256"
],
"capabilities": [
"client-confidential-symmetric",
"sso-openid-connect",
"launch-standalone",
"permission-offline",
"permission-patient",
"permission-v1"
]
}
What Security Implications Does This PR Have?
Please indicate if this PR does any of the following:
security engineer's approval.
Any Migrations?
etc)