adding smart on fhir configuration endpoint #1270
Conversation
alex-dzeda
left a comment
alex-dzeda
left a comment
There was a problem hiding this comment.
There is a significant variance between what's returned from this endpoint compared to what's in the links specified in the SMART on FHIR spec + example. For example: the path should be smart-configuration (https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known), and there are a significant number of fields present that are not in the smart-configuration conformance spec.
|
@alex-dzeda I removed all the fields that weren't listed in the sample response and changed the url path to be smart-configuration. { |
apps/wellknown/urls.py
Outdated
|
|
||
| urlpatterns = [ | ||
| path("openid-configuration", openid_configuration, name="openid-configuration"), | ||
| path("smart-configuration", smart_configuration, name="smart-configuration"), |
There was a problem hiding this comment.
the .well-known/smart-configuration should be relative to the base path of the server, eg v2/fhir/.well-known/smart-configuration for v2, v1/fhir/.well-known/smart-configuration for v1, per environment.
There was a problem hiding this comment.
I see what you mean. I'll have to do a bit more digging around to get it to have that pattern. Would we want to change openid-configuration to follow that pattern as well? It seems like it's the only one to have this current pattern. Swagger link for convenience: https://sandbox.bluebutton.cms.gov/docs/openapi#/v2/openIdConfig
There was a problem hiding this comment.
A good team discussion topic. imo the value of a well-known url is that you can automatically discover it. As it stands today, I'd see the same problem for the OIDC config, since openid-configuration-v2 isn't really well-known.
There was a problem hiding this comment.
Okay, I'll socialize this with the other engineers and see about making this happen
| logger = logging.getLogger(bb2logging.HHS_SERVER_LOGNAME_FMT.format(__name__)) | ||
| SCOPES_SUPPORTED = ["profile", "patient/Patient.read", "patient/ExplanationOfBenefit.read", "patient/Coverage.read"] | ||
| CODE_CHALLENGE_METHODS_SUPPORTED = ["S256"] | ||
| CAPABILITIES = [ |
There was a problem hiding this comment.
Can we add "authorize-post"? looks like that one would also fit within the existing, supported capabilities of BB2
There was a problem hiding this comment.
I'll add that now.
jimmyfagan
left a comment
jimmyfagan
left a comment
There was a problem hiding this comment.
Looks pretty good, just a few more comments from me. Latest output from the endpoint is here:
{
"issuer": "http://localhost:8000",
"authorization_endpoint": "http://localhost:8000/v2/o/authorize/",
"revocation_endpoint": "http://localhost:8000/v1/o/revoke/",
"token_endpoint": "http://localhost:8000/v2/o/token/",
"grant_types_supported": [
"authorization-code",
"refresh_token"
],
"response_types_supported": [
"code",
"token"
],
"scopes_supported": [
"profile",
"patient/Patient.read",
"patient/ExplanationOfBenefit.read",
"patient/Coverage.read"
],
"code_challenge_methods_supported": [
"S256"
],
"capabilities": [
"client-confidential-symmetric",
"sso-openid-connect",
"launch-standalone",
"permission-offline",
"permission-patient",
"permission-v1",
"authorize-post"
]
}
| issuer = base_issuer(request) | ||
| v2 = request.path.endswith('openid-configuration-v2') or request.path.endswith('openidConfigV2') | ||
| data = build_endpoint_info(data, issuer=issuer, v2=v2) | ||
| data = build_endpoint_info(data, issuer=issuer) |
There was a problem hiding this comment.
With OIDC v2 feeding through the normal endpoint now, can you also update the swagger page to remove the -v2 from /.well-known/openid-configuration-v2? It's in openapi.yaml.
There was a problem hiding this comment.
Is there already a follow up ticket to add the smart config to the swagger doc? If so, we can save this adjustment for that if that's preferred, if not, we should either make a ticket, or include the smart config updates to swagger docs as part of this PR.
apps/wellknown/views/openid.py
Outdated
| del(data["ui_locales_supported"]) | ||
| del(data["service_documentation"]) | ||
| del(data["op_tos_uri"]) | ||
| del(data["fhir_metadata_uri"]) |
There was a problem hiding this comment.
I think we'll want to add this in:
| del(data["fhir_metadata_uri"]) | |
| del(data["fhir_metadata_uri"]) | |
| data["grant_types_supported"].remove("refresh_token") |
Spec says for grant_types_supported:
The options are “authorization_code” (when SMART App Launch is supported) and “client_credentials” (when SMART Backend Services is supported).
apps/wellknown/views/openid.py
Outdated
| data["authorization_endpoint"] = issuer + \ | ||
| reverse('oauth2_provider:authorize' if not v2 else 'oauth2_provider_v2:authorize-v2') | ||
| reverse('oauth2_provider_v2:authorize-v2') | ||
| data["revocation_endpoint"] = issuer + reverse('oauth2_provider:revoke') |
There was a problem hiding this comment.
If we go ahead and make this change now, I think we're done with that bug we refined yesterday:
| data["revocation_endpoint"] = issuer + reverse('oauth2_provider:revoke') | |
| data["revocation_endpoint"] = issuer + reverse('oauth2_provider_v2:revoke-token-v2') |
Might require a test update too.
JFU-NAVA-PBC
left a comment
JFU-NAVA-PBC
left a comment
There was a problem hiding this comment.
Noticed some inconsistencies on v1 vs v2 endpoints responses:
auth, token end points URLs are all BB2 v2...
also scopes include "permission_v1", if that v1 is referring to BB2 API ver, then it needs to be consistent with the version of the smart config URL...
V1: GET http://localhost:8000/v1/fhir/.wellknown/smart-configuration response:
{ "issuer": "http://localhost:8000", "authorization_endpoint": "http://localhost:8000/v2/o/authorize/", "revocation_endpoint": "http://localhost:8000/v2/o/revoke_token/", "token_endpoint": "http://localhost:8000/v2/o/token/", "grant_types_supported": [ "authorization-code" ], "response_types_supported": [ "code", "token" ], "scopes_supported": [ "profile", "patient/Patient.read", "patient/ExplanationOfBenefit.read", "patient/Coverage.read" ], "code_challenge_methods_supported": [ "S256" ], "capabilities": [ "client-confidential-symmetric", "sso-openid-connect", "launch-standalone", "permission-offline", "permission-patient", "permission-v1", "authorize-post" ] }
V2: GET http://localhost:8000/v2/fhir/.wellknown/smart-configuration response:
{ "issuer": "http://localhost:8000", "authorization_endpoint": "http://localhost:8000/v2/o/authorize/", "revocation_endpoint": "http://localhost:8000/v2/o/revoke_token/", "token_endpoint": "http://localhost:8000/v2/o/token/", "grant_types_supported": [ "authorization-code" ], "response_types_supported": [ "code", "token" ], "scopes_supported": [ "profile", "patient/Patient.read", "patient/ExplanationOfBenefit.read", "patient/Coverage.read" ], "code_challenge_methods_supported": [ "S256" ], "capabilities": [ "client-confidential-symmetric", "sso-openid-connect", "launch-standalone", "permission-offline", "permission-patient", "permission-v1", "authorize-post" ] }
Just chiming in to make sure we're on the same page, that v1 doesn't refer to our API it refers to the SMART scope syntax, the options are:
So we have it right, no issues there. |
JIRA Ticket:
BB2-3360
What Does This PR Do?
Adds SMART on FHIR endpoint listing out configuration details
What Should Reviewers Watch For?
Expected endpoint returns correct info as per https://confluence.cms.gov/pages/viewpage.action?spaceKey=BFD&title=BFD-3378%3A+FHIR+IG+conformance
If you're reviewing this PR, please check for these things in particular:
Any ways the code style itself could be improved upon. It was mostly copy pasted from the openid config endpoint and it would be good to know if it is conforming to the quality of code we'd like.
Validation
This was verified by spinning up the docker containers locally, getting a token, and performing a GET request in postman to localhost:8000/.well-known/smart-on-fhir-configuration.
A response from a local test is here:
{
"issuer": "http://localhost:8000",
"authorization_endpoint": "http://localhost:8000/v1/o/authorize/",
"revocation_endpoint": "http://localhost:8000/v1/o/revoke/",
"token_endpoint": "http://localhost:8000/v1/o/token/",
"userinfo_endpoint": "http://localhost:8000/v1/connect/userinfo",
"ui_locales_supported": [
"en-US"
],
"service_documentation": "https://bluebutton.cms.gov/developers",
"op_tos_uri": "https://bluebutton.cms.gov/terms",
"grant_types_supported": [
"authorization-code",
"refresh_token"
],
"response_types_supported": [
"code",
"token"
],
"fhir_metadata_uri": "http://localhost:8000/v1/fhir/metadata",
"scopes_supported": [
"profile",
"patient/Patient.read",
"patient/ExplanationOfBenefit.read",
"patient/Coverage.read"
],
"code_challenge_methods_supported": [
"S256"
],
"capabilities": [
"client-confidential-symmetric",
"sso-openid-connect",
"launch-standalone",
"permission-offline",
"permission-patient",
"permission-v1"
]
}
What Security Implications Does This PR Have?
Please indicate if this PR does any of the following:
security engineer's approval.
Any Migrations?
etc)