
HS.FHIRServer.Util.OAuth2Token

class HS.FHIRServer.Util.OAuth2Token extends HS.FHIRServer.API.OAuth2Token

Class for OAuth 2.0 access token handling. An instance of this class is expected to be instantiated and set as a property on an Interactions instance. There it will be used for all interactions handled during the life of the Interactions instance.

Method Inventory

Parameters

parameter AlreadyValidated = 0;
When 0 (the default), SetInstance() validates the access token itself. When 1, SetInstance() performs no validation: every token handled by the Interactions instance that uses this class is assumed to have already been validated by other means (for example, by an upstream gateway). Set this to 1 only when that assumption holds for every request path that reaches the handler, since nothing else in this class checks the token.
parameter IntrospectionInterval = 5;
Minimum number of seconds between introspection calls for the current access token.

Methods

method %OnNew(pSchema As HS.FHIRServer.Schema) as %Status
Inherited description: This callback method is invoked by the %New() method to provide notification that a new instance of an object is being created.

If this method returns an error then the object will not be created.

It is passed the arguments provided in the %New() call. When customizing this method, override the arguments with whatever variables and types you expect to receive from %New(). For example, if you're going to call %New() passing 2 arguments, %OnNew()'s signature could be:

Method %OnNew(dob as %Date = "", name as %Name = "") as %Status

If, instead of returning a %Status code, this method returns an oref, and that oref is a subclass of the current class, then that oref will be the one returned to the caller of %New().

method BaseURLGet() as %String
classmethod FSLogScopeMsg(pInteraction As %String = "", pClinicalScopeType As %String, pRequiredPrivilege As %String, pResourceType As %String = "") as %String
method GetUserInfo(pBAUsername As %String, pBARoles As %String, Output pUserInfo)
@API
Derive user information from the current OAuth 2.0 token, and return that data if desired.
Input:
- pBAUsername: Existing basic authentication username (e.g., the $username value).
- pBARoles: Existing basic authentication user roles (e.g., the $roles value).
Output:
- pUserInfo(): Array of user information. The standard return is pUserInfo("Username") and pUserInfo("Roles"). This method may be overridden to derive and return other user info via additional subscripts of the pUserInfo() array.
method HasCompartment(pCompartmentType As %String, pCompartmentResourceId As %String, pResourceJson As %DynamicObject) as %Boolean
Return a Boolean indicating that the specified resource content resides in the specified compartment (compartment type plus resource id).
method HasScope(pClinicalScopeName, pResourceType, pRequiredPrivilege) as %Boolean
Return a Boolean indicating whether the specified clinical scope allows the specified interaction (read or write privilege) on the specified resource type.
method OAuthClientGet() as %String
method ScopesListGet() as %String
method SetInstance(pTokenString As %String = "", pOAuthClient As %String = "", pBaseURL As %String = "", pUsername As %String = "")
@API
Set or reset the properties of the current token handler instance, based on the input parameters.
@Input pTokenString The access token string.
@Input pOAuthClient The OAuth 2.0 Client Name, as defined in the Management Portal at System Administration > Security > OAuth 2.0 > Client.
@Input pBaseURL The base URL, including scheme, host, port and path of the end point for the current FHIR interaction.
@Input pUsername (DEPRECATED) The Basic Auth username for the current FHIR interaction.
method TokenObjectGet() as %String
method TokenStringGet() as %String
method UsernameGet() as %String
method VerifyEverythingRequest(pResourceType As %String, pResourceId As %String, pResourceJson As %DynamicObject)
method VerifyHistoryInstanceResponse(pResourceType As %String, pResourceJson As %DynamicObject, pRequiredPrivilege As %String)
Verify that the access token allows the history-instance request based on the contents of the interaction response and required privilege. If not allowed, this method will Throw. Otherwise, it will simply Return.
method VerifyResourceContent(pResourceJson As %DynamicObject, pRequiredPrivilege As %String, pAllowSharedResource As %Boolean = 0)
Verify that the access token allows the current interaction on the specified resource, based on the content and required privilege. If not allowed, this method will Throw. Otherwise, it will simply Return.

This method is typically used for the read response and for create, update and patch requests.
method VerifyResourceIdRequest(pResourceType As %String, pResourceId As %String, pRequiredPrivilege As %String)
Verify that the access token allows the current interaction request based on the resource type, resource id and required privilege. If not allowed, this method will Throw. Otherwise, it will simply Return. Note that despite returning from this call, the corresponding response to the interaction could still fail verification.

This method is typically used for read, vread and history-instance requests.
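The following is an added example, not code shipped with the class or by InterSystems. It shows the two customization points this page documents: overriding GetUserInfo() to add a subscript to pUserInfo(), and the two-phase pattern the Verify* descriptions imply, where a request is verified by type and id first and the fetched content is verified again before it is returned. The subclass name, the "Scopes" subscript, the GuardedRead() helper and the privilege value "read" are assumptions for illustration; the calls to ScopesListGet(), VerifyResourceIdRequest() and VerifyResourceContent() use the signatures listed on this page.

```objectscript
/// Added example (not InterSystems code). Extends the shipped token handler
/// with an extra user-info subscript and a helper that applies the
/// request-then-response verification pattern described for Verify*.
Class Sample.FHIR.OAuth2Token Extends HS.FHIRServer.Util.OAuth2Token
{

/// Keep validation inside SetInstance(). Set to 1 only if every token that
/// reaches this handler has already been validated upstream.
Parameter AlreadyValidated = 0;

/// Minimum seconds between introspection calls for the same token.
Parameter IntrospectionInterval = 5;

/// Let the base class populate pUserInfo("Username") and pUserInfo("Roles"),
/// then add the token's scope list. "Scopes" is an assumed subscript name,
/// not one defined by the base class.
Method GetUserInfo(pBAUsername As %String, pBARoles As %String, Output pUserInfo)
{
	Do ##super(pBAUsername, pBARoles, .pUserInfo)
	Set pUserInfo("Scopes") = ..ScopesListGet()
}

/// Assumed helper: guard a read interaction in two phases.
/// Phase 1 checks resource type + id against the token; passing it does not
/// guarantee the response is allowed, so phase 2 re-checks the actual
/// resource content (for example, compartment membership).
/// Returns 1 if both checks pass, 0 if either Verify* call throws.
ClassMethod GuardedRead(pToken As HS.FHIRServer.Util.OAuth2Token, pResourceType As %String, pResourceId As %String, pResourceJson As %DynamicObject) As %Boolean
{
	Try {
		// Phase 1: request-level check. "read" is the assumed privilege value.
		Do pToken.VerifyResourceIdRequest(pResourceType, pResourceId, "read")
		// Phase 2: content-level check on the resource that will be returned.
		Do pToken.VerifyResourceContent(pResourceJson, "read")
	} Catch ex {
		// Verify* methods Throw when the token does not authorize the interaction;
		// treat any such exception as a denial.
		Return 0
	}
	Return 1
}

}
```

Calling GuardedRead() before returning a resource keeps the denial decision in one place: a caller that only runs VerifyResourceIdRequest() and skips VerifyResourceContent() can still leak a resource the token's scopes do not cover, which is exactly the case the VerifyResourceIdRequest() description warns about.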
method VerifySearchRequest(pResourceType As %String, pCompartmentResourceType As %String, pCompartmentResourceId As %String, pParameters As HS.FHIRServer.API.Data.QueryParameters, pRequiredPrivilege As %String)
Verify that the access token allows the search request based on some or all of resource type, resource id, compartment type, search parameters and required privilege. If not allowed, this method will Throw. Otherwise, it will simply Return.
method VerifySearchResultsGet() as %Boolean
method VerifySystemLevelRequest()
Verify that the access token allows the system-level request. This is used for system-history and system-search. The default behaviour is to ignore patient context and to require the user/*.read and/or user/*.* scopes.
If not allowed, this method will Throw. Otherwise, it will simply Return.
method VerifyTypesList(pResourceTypesList As %List, pRequiredPrivilege As %String)
Verify that the access token scopes authorize the specified privilege on ALL the resource types in the specified list.

