HS.FHIRServer.Util.OAuth2Token
class HS.FHIRServer.Util.OAuth2Token extends HS.FHIRServer.API.OAuth2Token
Class for OAuth 2.0 access token handling. An instance of this class is expected to be instantiated and set as a property on an Interactions instance. There it will be used for all interactions handled during the life of the Interactions instance.
Method Inventory
- %OnNew()
- BaseURLGet()
- FSLogScopeMsg()
- GetContextValues()
- GetUserInfo()
- HasCompartment()
- HasScope()
- OAuthClientGet()
- ScopesListGet()
- SetInstance()
- TokenObjectGet()
- TokenStringGet()
- UsernameGet()
- VerifyEverythingRequest()
- VerifyHistoryInstanceResponse()
- VerifyResourceContent()
- VerifyResourceIdRequest()
- VerifySearchRequest()
- VerifySearchResultsGet()
- VerifySystemLevelRequest()
- VerifyTypesList()
Parameters
parameter AlreadyValidated = 0;
If 0, SetInstance() will perform token validation. Otherwise, if 1, the tokens
handled by the Interactions instance that uses this class are expected to have
already been validated by alternate means.
parameter IntrospectionInterval = 5;
Minimum number of seconds between introspection calls for the current access token.
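The IntrospectionInterval parameter bounds how often the server re-checks a token with the authorization server, which also bounds how long a revoked token keeps being accepted. The following is an added model of that throttle, written for this page and not the class's own ObjectScript; it assumes an introspect(token) callable returning an RFC 7662 response (a dict with an "active" boolean) and an injectable clock so the lag can be shown without waiting.

```python
# Added illustrative model of the IntrospectionInterval throttle; not the
# ObjectScript of HS.FHIRServer.Util.OAuth2Token. Assumes introspect(token)
# returns an RFC 7662 response dict and the clock is injectable for testing.
import hashlib
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    active: bool
    checked_at: float


class IntrospectionThrottle:
    def __init__(self, introspect, interval_seconds=5, clock=time.monotonic):
        self.introspect = introspect
        self.interval = interval_seconds
        self.clock = clock
        self._cache = {}   # keyed by a hash of the token, so raw tokens are not retained
        self.calls = 0     # introspection round trips actually made

    def is_active(self, token: str) -> bool:
        """Return the cached decision unless the interval has elapsed, in which
        case call the introspection endpoint again (inactive results are cached too)."""
        key = hashlib.sha256(token.encode()).hexdigest()
        now = self.clock()
        entry = self._cache.get(key)
        if entry is None or now - entry.checked_at >= self.interval:
            response = self.introspect(token)
            entry = _Entry(bool(response.get("active")), now)
            self._cache[key] = entry
            self.calls += 1
        return entry.active


def revocation_lag_demo(interval_seconds=5):
    """Constructed scenario: a token revoked at t=1 keeps being accepted from the
    cache until the interval expires at t=5. Returns (decisions, round trips)."""
    revoked = set()
    now = [0.0]

    def introspect(token):
        return {"active": token not in revoked}

    throttle = IntrospectionThrottle(introspect, interval_seconds, clock=lambda: now[0])
    decisions = [throttle.is_active("tok")]        # t=0: introspected, active
    revoked.add("tok")
    now[0] = 1.0
    decisions.append(throttle.is_active("tok"))    # t=1: served from cache
    now[0] = 4.9
    decisions.append(throttle.is_active("tok"))    # still inside the interval
    now[0] = 5.0
    decisions.append(throttle.is_active("tok"))    # re-introspected: revoked
    return decisions, throttle.calls


if __name__ == "__main__":
    print(revocation_lag_demo())   # ([True, True, True, False], 2)
```

The interval is a trade-off: a larger value saves round trips to the authorization server, a smaller one shortens the window in which a revoked token is still honoured. Setting it to 0 introspects on every request.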
Methods
method %OnNew(pSchema As HS.FHIRServer.Schema) as %Status
Inherited description: This callback method is invoked by the %New() method to
provide notification that a new instance of an object is being created.
If this method returns an error then the object will not be created.
It is passed the arguments provided in the %New call. When customizing this method, override the arguments with whatever variables and types you expect to receive from %New(). For example, if you're going to call %New, passing 2 arguments, %OnNew's signature could be:
Method %OnNew(dob as %Date = "", name as %Name = "") as %Status
If instead of returning a %Status code this returns an oref and this oref is a subclass of the current class then this oref will be the one returned to the caller of %New method.
method BaseURLGet() as %String
classmethod FSLogScopeMsg(pInteraction As %String = "", pClinicalScopeType As %String, pRequiredPrivilege As %String, pResourceType As %String = "") as %String
method GetContextValues(ByRef pContextValues)
@API
Return the current context values, if any, as a multidimensional array.
method GetUserInfo(pBAUsername, pBARoles, Output pUserInfo)
@API
Derive user information from the current OAuth 2.0 token, and return that data if desired.
Input:
- pBAUsername: Existing basic authentication username (e.g., $username value).
- pBARoles: Existing basic authentication user roles (e.g., $roles value).
Output:
- pUserInfo(): Array of user information. Standard return is pUserInfo("Username") and pUserInfo("Roles"). This method may be overridden to derive and return other user info via subscripts in the pUserInfo() array.
method HasCompartment(pCompartmentType As %String, pCompartmentResourceId As %String, pResourceJson As %DynamicObject) as %Boolean
Return a Boolean indicating that the specified resource content resides in the
specified compartment (compartment type plus resource id).
method HasScope(pClinicalScopeName, pResourceType, pRequiredPrivilege) as %Boolean
Return a Boolean indicating whether the current specified clinical scope
allows the specified interaction per resource type plus read/write.
method OAuthClientGet() as %String
method ScopesListGet() as %String
method SetInstance(pTokenString As %String = "", pOAuthClient As %String = "", pBaseURL As %String = "", pUsername As %String = "")
@API
Set or reset the properties of the current token handler instance, based on the input parameters.
@Input pTokenString The access token string.
@Input pOAuthClient The OAuth 2.0 Client Name, as defined in the Management Portal at System Administration > Security > OAuth 2.0 > Client.
@Input pBaseURL The base URL, including scheme, host, port and path of the end point for the current FHIR interaction.
@Input pUsername (DEPRECATED) The Basic Auth username for the current FHIR interaction.
method TokenObjectGet() as %String
method TokenStringGet() as %String
method UsernameGet() as %String
method VerifyEverythingRequest(pResourceType As %String, pResourceId As %String, pResourceJson As %DynamicObject)
method VerifyHistoryInstanceResponse(pResourceType As %String, pResourceJson As %DynamicObject, pRequiredPrivilege As %String)
Verify that the access token allows the history-instance request based on the contents of
the interaction response and required privilege. If not allowed, this method will Throw.
Otherwise, it will simply Return.
method VerifyResourceContent(pResourceJson As %DynamicObject, pRequiredPrivilege As %String, pAllowSharedResource As %Boolean = 0)
Verify that the access token allows the current interaction on the specified resource, based on
the content and required privilege. If not allowed, this method will Throw. Otherwise, it will
simply Return.
This method is typically used for read response, create request, update request and patch request.
method VerifyResourceIdRequest(pResourceType As %String, pResourceId As %String, pRequiredPrivilege As %String)
Verify that the access token allows the current interaction request based on the resource type,
resource id and required privilege. If not allowed, this method will Throw. Otherwise, it will
simply Return. Note that despite returning from this call, the corresponding response to the
interaction could still fail verification.
This method is typically used for read, vread or history-instance requests.
method VerifySearchRequest(pResourceType As %String, pCompartmentResourceType As %String, pCompartmentResourceId As %String, pParameters As HS.FHIRServer.API.Data.QueryParameters, pRequiredPrivilege As %String)
Verify that the access token allows the search request based on some or all of resource type,
resource id, compartment type, search parameters and required privilege. If not allowed, this
method will Throw. Otherwise, it will simply Return.
method VerifySearchResultsGet() as %Boolean
method VerifySystemLevelRequest()
Verify that the access token allows the system-level request. This is for system-history and
system-search. Default functionality is to ignore patient context, and require user/*.read
and/or user/*.*
If not allowed, this method will Throw. Otherwise, it will simply Return.
method VerifyTypesList()
Verify that the access token scopes authorize the specified privilege
on ALL the resource types in the specified list. If not allowed, this method will Throw. Otherwise, it will simply Return.
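The Verify* methods above combine two questions: does a scope grant the privilege on the resource type (HasScope), and, for patient/ scopes, does the resource lie in the token's patient compartment (HasCompartment). The following is an added model of those checks for HasScope, HasCompartment, VerifyResourceContent, VerifySystemLevelRequest and VerifyTypesList, written for this page and not the class's own ObjectScript. It assumes SMART on FHIR v1 scope syntax (patient|user)/(ResourceType|*).(read|write|*), a Patient compartment reduced to a few reference elements, and literal references ending in Patient/<id>; the scope strings and resources are constructed sample data.

```python
# Added illustrative model of HasScope()/HasCompartment() and the Verify* methods
# of HS.FHIRServer.Util.OAuth2Token; not the class's ObjectScript. Assumptions:
# SMART v1 scope syntax, a Patient-compartment subset, literal references.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scope:
    context: str    # "patient" or "user"
    resource: str   # a FHIR resource type, or "*" for any
    privilege: str  # "read", "write", or "*" for both


def parse_scope(text: str) -> Optional[Scope]:
    """Parse one clinical scope; anything malformed or non-clinical
    ("openid", "launch/patient") yields None and therefore grants nothing."""
    try:
        context, rest = text.split("/", 1)
        resource, privilege = rest.rsplit(".", 1)
    except ValueError:
        return None
    if context not in ("patient", "user") or privilege not in ("read", "write", "*") or not resource:
        return None
    return Scope(context, resource, privilege)


def has_scope(scopes: str, context: str, resource_type: str, required_privilege: str) -> bool:
    """Model of HasScope(): some scope of this context covers the type and privilege."""
    for scope in (parse_scope(s) for s in scopes.split()):
        if scope is None or scope.context != context:
            continue
        if scope.resource in ("*", resource_type) and scope.privilege in ("*", required_privilege):
            return True
    return False


# Subset of the FHIR Patient compartment: elements that link a resource to a patient.
PATIENT_COMPARTMENT_LINKS = {
    "Observation": ("subject", "performer"),
    "Condition": ("subject", "asserter"),
    "Encounter": ("subject",),
}


def _refers_to(ref, resource_type: str, resource_id: str) -> bool:
    """Match relative ("Patient/1") or absolute ("https://.../Patient/1") literals."""
    literal = ref.get("reference", "") if isinstance(ref, dict) else ""
    return literal.rstrip("/").split("/")[-2:] == [resource_type, resource_id]


def has_compartment(compartment_type: str, compartment_id: str, resource: dict) -> bool:
    """Model of HasCompartment(): is the resource inside Patient/<compartment_id>?"""
    if compartment_type != "Patient":
        raise NotImplementedError("only the Patient compartment is modelled here")
    rtype = resource.get("resourceType")
    if rtype == "Patient":
        return resource.get("id") == compartment_id
    for element in PATIENT_COMPARTMENT_LINKS.get(rtype, ()):
        value = resource.get(element)
        for ref in (value if isinstance(value, list) else [value]):
            if _refers_to(ref, "Patient", compartment_id):
                return True
    return False


class AccessDenied(Exception):
    """Raised where the ObjectScript methods Throw."""


def verify_resource_content(scopes, patient_context, resource, required_privilege):
    """Model of VerifyResourceContent(): a user/ scope covers the type outright; a
    patient/ scope also needs the resource inside the token's patient compartment."""
    rtype = resource["resourceType"]
    if has_scope(scopes, "user", rtype, required_privilege):
        return
    if (patient_context and has_scope(scopes, "patient", rtype, required_privilege)
            and has_compartment("Patient", patient_context, resource)):
        return
    raise AccessDenied(f"{required_privilege} on {rtype}/{resource.get('id')} not authorized")


def verify_system_level_request(scopes):
    """Model of VerifySystemLevelRequest(): needs user/*.read or user/*.*; patient context ignored."""
    if not has_scope(scopes, "user", "*", "read"):
        raise AccessDenied("system-level request needs user/*.read or user/*.*")


def verify_types_list(scopes, resource_types, required_privilege):
    """Model of VerifyTypesList(): every listed type must be covered (either context)."""
    missing = [t for t in resource_types
               if not any(has_scope(scopes, c, t, required_privilege) for c in ("patient", "user"))]
    if missing:
        raise AccessDenied(f"no {required_privilege} scope for {missing}")


def allowed(check, *args) -> bool:
    """Turn Throw-or-Return into a boolean for callers and tests."""
    try:
        check(*args)
        return True
    except AccessDenied:
        return False


# Constructed sample token scopes and resources (not real data).
SCOPES = "openid patient/Observation.read user/Patient.read"
PATIENT_CONTEXT = "123"
OBS_OWN = {"resourceType": "Observation", "id": "o1", "subject": {"reference": "Patient/123"}}
OBS_OTHER = {"resourceType": "Observation", "id": "o2",
             "subject": {"reference": "https://fhir.example.org/r4/Patient/999"}}

if __name__ == "__main__":
    print(allowed(verify_resource_content, SCOPES, PATIENT_CONTEXT, OBS_OWN, "read"))    # True
    print(allowed(verify_resource_content, SCOPES, PATIENT_CONTEXT, OBS_OTHER, "read"))  # False
    print(allowed(verify_system_level_request, SCOPES))                                 # False
```

The point worth taking from the model is the order of checks: a request-time check (VerifyResourceIdRequest) can only look at type and id, so the compartment test has to be repeated against the response content, which is why the page notes that a response can still fail verification after the request passed.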
Inherited Members
Inherited Properties
Inherited Methods
- %AddToSaveSet()
- %ClassIsLatestVersion()
- %ClassName()
- %ConstructClone()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Extends()
- %GetParameter()
- %IsA()
- %IsModified()
- %New()
- %NormalizeObject()
- %ObjectModified()
- %OriginalNamespace()
- %PackageName()
- %RemoveFromSaveSet()
- %SerializeObject()
- %SetModified()
- %ValidateObject()
- VerifyDeleteRequest()