HS.BulkFHIR.Auth.OAuth.Adapter
class HS.BulkFHIR.Auth.OAuth.Adapter extends HS.BulkFHIR.API.AuthAdapter
This OAuth adapter points to and uses an existing OAuth server for the validation of access tokens that come into the BFC endpoint. The OAuth server:
- May be an ISC or non-ISC OAuth server.
- May be located anywhere that is reachable over HTTP (in practice over TLS: the introspection request carries this adapter's client credentials and the bearer token, and RFC 7662 requires TLS for the introspection endpoint).
- Must be able to handle the requirements of the SMART Backend Services authorization profile (http://www.hl7.org/fhir/smart-app-launch/backend-services.html).
Method Inventory
- Authenticate()
- AuthorizeFHIRRequest()
- CheckForClientsToBeCreated()
- GetAccessTokenInfo()
- GetAccessTokenJson()
- GetIntrospection()
- GetIssuerEndpointFromAuthConfigClientName()
- Initialize()
- WellKnownConfiguration()
Parameters
parameter IsOAuth = 1;
Inherited description: Whether the adapter uses OAuth access tokens. Used in conjunction with the storage adapter to set the requireAccessToken setting in a status request.
parameter archeType = auth-oauth;
Inherited description: Describes the overarching type of the adapter and its subclasses, so that they can be recognized as one group with fundamentally similar behavior or purpose.
Used when generating the metadata (GUISettings) for all adapters and config classes, so that the UI can identify the archeType of the adapter it is dealing with without knowing its full inheritance chain (e.g. all pureFHIR fetch adapters and their subclasses share one archeType, all BulkFHIR fetch adapters and their subclasses share another) and can enforce archeType-specific behavior across otherwise indistinguishable adapters and their configs.
parameter configClass = HS.BulkFHIR.Auth.OAuth.Config;
Methods
classmethod Authenticate(pBFCconfig As HS.BulkFHIR.API.Data.Config, pUrl As %String, ByRef pContinue As %Boolean, pAllowedAud As %String = "")
Authenticates %request and, unless the operation is permitted, sets %response to an error.
The flag pContinue tells the caller whether API handling should continue.
The optional @Input pAllowedAud applies only when %request carries an access token. The token's audience is normally checked against the request URL; when pAllowedAud is defined, a token whose audience matches pAllowedAud also passes the auth check. This is used where one endpoint must accept an access token issued for another endpoint (e.g. the BulkFHIR file endpoint has to accept a token whose audience is the kick-off endpoint).
classmethod AuthorizeFHIRRequest(request As HS.FHIRServer.API.Data.Request, pBFCconfig As HS.BulkFHIR.API.Data.Config)
Uses the access token information to authorize the current interaction.
The metadata request does NOT come through this method; authorization is not needed for metadata.
classmethod CheckForClientsToBeCreated(pClients As %Library.ListOfObjects) as %DynamicArray
Given a list of HS.BulkFHIR.Auth.OAuth.ClientConfig objects, returns a %DynamicArray of all the undefined clients that need to be created.
classmethod GetAccessTokenInfo(pBFCconfig As HS.BulkFHIR.API.Data.Config, pTokenString As %String) as %DynamicObject
Override of API method.
Return a %DynamicObject of selected access token fields.
@Returns a %DynamicObject representing information about the access token.
classmethod GetAccessTokenJson(pBFCconfig As HS.BulkFHIR.API.Data.Config, pTokenString As %String) as %DynamicObject
@API.Overridable
Return a %DynamicObject representing the full access token information.
@Input pBFCconfig Full BFC configuration object in effect for the current BFC session.
@Input pTokenString Encoded string representation of an access token provided on the current request to the BFC.
@Returns a %DynamicObject representing the full access token information.
classmethod GetIntrospection(pOAuthClient As %String, pTokenString As %String, Output pJWTObj) as %Status
@API.Overridable
This method presents the token string to the introspection endpoint for the server that granted this token.
The server returns a JSON object with information about the token. RFC 7662 "OAuth 2.0 Token Introspection" Section 2.2 (https://datatracker.ietf.org/doc/html/rfc7662#section-2.2) describes the expected contents of the returned JSON object. RFC 7662 lists "scope" as OPTIONAL. However, for FHIRServer processing, it is REQUIRED.
This method checks the JSON object to verify that the token is active (well-formed and not expired), and returns it as the ByRef variable pJWTObj.
By the time this method returns, pJWTObj MUST hold the token scopes in the 'scope' property, as a space-delimited string. If the tokens being handled by this class are expected to hold scopes in an alternate property and/or in an alternate format, you may need to override this method to ensure that the scopes are moved and/or reformatted into the 'scope' property. The default implementation of this method handles only one common alternate scenario, where the token object scopes are found in property 'scp', either as a JSON array or a space-delimited string. Other alternate scenarios must be handled via override of this method.
If the server that granted the token does not host an introspection endpoint, then you must override this method to derive/obtain a JSON object that holds information about the access token, with the required properties described above.
@Input pOAuthClient OAuth 2.0 client name as defined in ISC OAuth 2.0 Client definitions.
@Input pTokenString OAuth 2.0 access token string.
@Output pJWTObj JSON object that holds information about the token.
@Return %Status return value.
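The following is an added example, not code from HS.BulkFHIR.Auth.OAuth.Adapter or from InterSystems: a hypothetical subclass (My.BulkFHIR.OAuth.Adapter) that overrides GetIntrospection for one of the "other alternate scenarios" described above. It assumes an authorization server whose introspection response carries scopes in a JSON array property named "scopes" (that property name is an assumption; the default implementation only recognizes "scope" and "scp"). The introspection call itself goes through %SYS.OAuth2.AccessToken.GetIntrospection, the ISC client API that takes the same OAuth 2.0 client name this method receives as pOAuthClient.

```objectscript
/// Added example (hypothetical subclass, not part of the BulkFHIR code base).
/// Assumes the authorization server returns scopes in a JSON array property
/// named "scopes" (assumed name); normalizes them into the space-delimited
/// "scope" string that FHIRServer processing requires, and rejects tokens
/// that are inactive, expired or carry no scopes at all.
Class My.BulkFHIR.OAuth.Adapter Extends HS.BulkFHIR.Auth.OAuth.Adapter
{

ClassMethod GetIntrospection(pOAuthClient As %String, pTokenString As %String, Output pJWTObj) As %Status
{
    Set pJWTObj = ""
    Set tSC = $$$OK
    Try {
        // Present the token to the introspection endpoint of the server that
        // issued it, via the ISC OAuth 2.0 client definition named pOAuthClient.
        Set tSC = ##class(%SYS.OAuth2.AccessToken).GetIntrospection(pOAuthClient, pTokenString, .tIntro)
        If $$$ISERR(tSC) Quit
        If '$IsObject(tIntro) {
            Set tSC = $$$ERROR($$$GeneralError, "Introspection endpoint returned no JSON object")
            Quit
        }
        // RFC 7662 section 2.2: "active" is the only REQUIRED member. Anything
        // other than true means the token is unknown, revoked or expired.
        If 'tIntro.%Get("active") {
            Set tSC = $$$ERROR($$$GeneralError, "Access token is not active")
            Quit
        }
        // Defense in depth: the server should already report an expired token
        // as inactive, but re-check "exp" (seconds since the Unix epoch)
        // against the current UTC time instead of trusting it blindly.
        If (tIntro.%GetTypeOf("exp") = "number") && (tIntro.%Get("exp") <= $ZDATETIME($ZTIMESTAMP, -2)) {
            Set tSC = $$$ERROR($$$GeneralError, "Access token has expired")
            Quit
        }
        // Normalize scopes into "scope" as a space-delimited string.
        // Precedence: an existing "scope" string, then the assumed "scopes"
        // property, accepted either as a JSON array or as a string.
        Set tScope = ""
        If tIntro.%GetTypeOf("scope") = "string" {
            Set tScope = tIntro.%Get("scope")
        } ElseIf tIntro.%GetTypeOf("scopes") = "array" {
            Set tIter = tIntro.%Get("scopes").%GetIterator()
            While tIter.%GetNext(.tIdx, .tValue) {
                If tValue = "" Continue
                Set tScope = tScope _ $Select(tScope = "": "", 1: " ") _ tValue
            }
        } ElseIf tIntro.%GetTypeOf("scopes") = "string" {
            Set tScope = tIntro.%Get("scopes")
        }
        // OPTIONAL in RFC 7662, REQUIRED for FHIRServer: fail here with a clear
        // status rather than letting AuthorizeFHIRRequest reject every interaction later.
        If $ZStrip(tScope, "<>W") = "" {
            Set tSC = $$$ERROR($$$GeneralError, "Access token carries no scopes")
            Quit
        }
        Do tIntro.%Set("scope", tScope)
        Set pJWTObj = tIntro
    } Catch ex {
        Set tSC = ex.AsStatus()
    }
    Quit tSC
}

}
```

The override returns an error %Status for an inactive, expired or scope-less token and only populates pJWTObj on success, so callers that test the status before reading pJWTObj never see a half-normalized object. If the tokens are JWTs without any introspection endpoint, the same method body would instead have to validate the JWT signature and claims locally; that path is not shown here.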
classmethod GetIssuerEndpointFromAuthConfigClientName(pAuthConfig As HS.BulkFHIR.Auth.OAuth.Config) as %String
classmethod Initialize(pBFCconfig As HS.BulkFHIR.API.Data.Config)
Inherited description: @API.Overridable
Called when the BFC is first configured and again if that configuration is changed, this method may be used to do any implementation-specific setup.
classmethod WellKnownConfiguration(pBFCconfig As HS.BulkFHIR.API.Data.Config) as %DynamicObject
Override of API method.
@Returns a %DynamicObject representing the .well-known/smart-configuration for the BFC OAuth server.
Inherited Members
Inherited Methods
- %AddToSaveSet()
- %ClassIsLatestVersion()
- %ClassName()
- %ConstructClone()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Extends()
- %GetParameter()
- %IsA()
- %IsModified()
- %New()
- %NormalizeObject()
- %ObjectModified()
- %OriginalNamespace()
- %PackageName()
- %RemoveFromSaveSet()
- %SerializeObject()
- %SetModified()
- %ValidateObject()
- AcceptsContentType()
- AccessCheck()
- ConvertParameter()
- Decrypt()
- DispatchRequest()
- DrawCSS3STYLE()
- DrawHEAD()
- DrawSTHEAD()
- DrawSTTitle()
- DrawSTYLE()
- DrawTitle()
- DrawTitleSection()
- Encrypt()
- Error()
- EscapeHTML()
- EscapeURL()
- GetAuthChallenge()
- Http403()
- Http404()
- Http405()
- Http500()
- HyperEventCall()
- HyperEventHead()
- Include()
- InsertHiddenField()
- InsertHiddenFields()
- IsPrivate()
- Link()
- Login()
- OnErrorSetup()
- OnHTTPHeader()
- OnHandleCorsRequest()
- OnHandleOptionsRequest()
- OnLoginPage()
- OnPage()
- OnPageError()
- OnPostHTTP()
- OnPostHyperEvent()
- OnPreDispatch()
- OnPreHTTP()
- OnPreHyperEvent()
- OnSecurityTokenPage()
- Page()
- QuoteJS()
- ReportHttpStatusCode()
- RewriteURL()
- SetResponseHeaderIfEmpty()
- ShowError()
- StartTimer()
- StatusToJSON()
- StatusToProxyObject()
- StopTimer()
- SupportedVerbs()
- ThrowError()
- UnescapeHTML()
- UnescapeURL()