|
| 1 | +# Blue Button API SDK (Python) |
| 2 | + |
| 3 | +# Table of contents |
| 4 | + |
| 5 | +1. [Descritpion](#description) |
| 6 | +2. [Installation](#installation) |
| 7 | +3. [Configuration](#configuration) |
| 8 | +4. [Usages: Obtain Access Grant, Probe Scope, and Access Data](#usages) |
| 9 | +5. [A Complete Sample App](#samples) |
| 10 | +6. [API Versions and Environments](#versions_and_environments) |
| 11 | + |
| 12 | +## Description <a name="description"></a> |
| 13 | + |
| 14 | +This is an SDK for interacting with [CMS Blue Button 2.0 API](https://bluebutton.cms.gov/developers/), |
| 15 | +the API allows applications to obtain a beneficiary's (who has login account with medicare.gov) grant |
| 16 | +to access his/her medicare claims data - through OAUTH2 [(RFC 6749)](https://datatracker.ietf.org/doc/html/rfc6749) authorization flow. |
| 17 | + |
| 18 | +By using the SDK, the development of applications accessing Blue Button 2.0 API can be greatly simplified. |
| 19 | + |
| 20 | +Note, following the OAUTH2 best practices, OAUTH2 PKCE etension [(RFC 7636)](https://datatracker.ietf.org/doc/html/rfc7636) is always enabled. |
| 21 | + |
| 22 | +## Installation <a name="installation"></a> |
| 23 | + |
| 24 | +```bash |
| 25 | +$ pip install cms-bluebutton-sdk |
| 26 | +``` |
| 27 | + |
| 28 | +## Configuration <a name="configuration"></a> |
| 29 | + |
| 30 | +the SDK needs to be properly configured to work, the parameters are: |
| 31 | + |
| 32 | +- the app's credentials - client id, client secret |
| 33 | +- the app's callback url |
| 34 | +- the version number of the API |
| 35 | +- the app's environment (web location where the app is registered) |
| 36 | + |
| 37 | +the configuration is in json format and stored in a local file, the default location |
| 38 | +is current working directory with file name: .bluebutton-config.json |
| 39 | + |
| 40 | +A sample configuration json: |
| 41 | + |
| 42 | +``` |
| 43 | +{ |
| 44 | + "clientId": "foo", |
| 45 | + "clientSecret": "bar", |
| 46 | + "callbackUrl": "https://www.fake.com/", |
| 47 | +} |
| 48 | +
|
| 49 | +``` |
| 50 | + |
| 51 | +| parameter | value | Comments | |
| 52 | +| ------------ | ----------------------- | ------------------------------- | |
| 53 | +| clientId | "foo" | oauth2 client id of the app | |
| 54 | +| clientSecret | "bar" | oauth2 client secret of the app | |
| 55 | +| callbackUrl | "https://www.fake.com/" | oauth2 callback url of the app | |
| 56 | + |
| 57 | +For application registration and client id and client secret, please refer to: |
| 58 | +[Blue Button 2.0 API Docs - Try the API](https://bluebutton.cms.gov/developers/#try-the-api) |
| 59 | + |
| 60 | +## Sample Usages: Obtain Access Grant, Probe Scope, and Access Data <a name="usages"></a> |
| 61 | + |
| 62 | +Below are psuedo code snippets showing SDK used with node express server. |
| 63 | + |
| 64 | +``` |
| 65 | +
|
| 66 | +import express, { Request, Response } from 'express'; |
| 67 | +
|
| 68 | +const app = express(); |
| 69 | +
|
| 70 | +const bb = new BlueButton(); |
| 71 | +const authData = bb.generateAuthData(); |
| 72 | +
|
| 73 | +// AuthorizationToken holds access grant info: |
| 74 | +// access token, expire in, expire at, token type, scope, refreh token, etc. |
| 75 | +// it is associated with current logged in user in real app, |
| 76 | +// check SDK js docs for more details. |
| 77 | +
|
| 78 | +let authToken: AuthorizationToken; |
| 79 | +
|
| 80 | +// start authorize flow: response with URL to redirect to Medicare.gov beneficiary login |
| 81 | +app.get('/', (req, res) => { |
| 82 | + const redirectUrl = bb.generateAuthorizeUrl(authData); |
| 83 | + res.redirect(redirectUrl); |
| 84 | +}) |
| 85 | +
|
| 86 | +// oauth2 call back: obtain access token, optionally check scope, and fetch data |
| 87 | +app.get('api/bluebutton/callback', async (req: Request, res: Response) => { |
| 88 | +
|
| 89 | + let results = {}; |
| 90 | + try { |
| 91 | + authToken = await bb.getAuthorizationToken(authData, req.query.code, req.query.state, req.query.error); |
| 92 | + // now access token obtained, note, during authorization, the beneficiary can grant |
| 93 | + // access to his/her demographic data and claims data or only claims data, check the scope |
| 94 | + // of the current access token as shown below: |
| 95 | + const scopes: string[] = authToken.scope; |
| 96 | + // iterate scope entries here or check if a permission is in the scope |
| 97 | + if (authToken.scope.index("patient/Patient.read") > -1) { |
| 98 | + // patient info access granted |
| 99 | + } |
| 100 | +
|
| 101 | + /** |
| 102 | + * 1. access token scope where demagraphic info included: |
| 103 | + * |
| 104 | + * scope: [ |
| 105 | + * "patient/Coverage.read", |
| 106 | + * "patient/ExplanationOfBenefit.read", |
| 107 | + * "patient/Patient.read", |
| 108 | + * "profile", |
| 109 | + * ] |
| 110 | + * |
| 111 | + * 2. access token scope where demagraphic info not included: |
| 112 | + * |
| 113 | + * scope: [ |
| 114 | + * "patient/Coverage.read", |
| 115 | + * "patient/ExplanationOfBenefit.read", |
| 116 | + * ] |
| 117 | + */ |
| 118 | +
|
| 119 | + // data flow: after access granted |
| 120 | + // the app logic can fetch the beneficiary's data in app specific ways: |
| 121 | + // e.g. download EOB periodically etc. |
| 122 | + // access token can expire, SDK automatically refresh access token when that happens. |
| 123 | + eobResults = await bb.getExplanationOfBenefitData(authToken); |
| 124 | + patientResults = await bb.getPatientData(authToken); |
| 125 | + coverageResults = await bb.getCoverageData(authToken); |
| 126 | + profileResults = await bb.getProfileData(authToken); |
| 127 | +
|
| 128 | + results = { |
| 129 | + eob: eobResults.response.data, |
| 130 | + patient: patientResults.response.data, |
| 131 | + coverage: coverageResults.response.data, |
| 132 | + profile: profileResults.response.data |
| 133 | + } |
| 134 | +
|
| 135 | + authToken = profileResults.token; |
| 136 | +
|
| 137 | + } catch (e) { |
| 138 | + console.log(e); |
| 139 | + } |
| 140 | +
|
| 141 | + res.json(results) |
| 142 | +
|
| 143 | +}); |
| 144 | +
|
| 145 | +``` |
| 146 | + |
| 147 | +## A Complete Sample App <a name="samples"></a> |
| 148 | + |
| 149 | +A Python React sample app can be found at: |
| 150 | +[CMS Blue Button Python Sample App](https://github.com/CMSgov/bluebutton-sample-client-python-react) |
| 151 | + |
| 152 | +## API Versions and Environments <a name="versions_and_environments"></a> |
| 153 | + |
| 154 | +From two environments: PRODUCTION and SANDBOX, Blue Button API is available in v1 and v2, data served from v1 is in FHIR STU2 format, and data from v2 is in FHIR R4 format, an application's target environment and API version can be set in the SDK configuration as shown by example below: |
| 155 | + |
| 156 | +``` |
| 157 | +{ |
| 158 | + "clientId": "foo", |
| 159 | + "clientSecret": "bar", |
| 160 | + "callbackUrl": "https://www.fake.com/", |
| 161 | + "version": "2", |
| 162 | + "environment": "PRODUCTION" |
| 163 | +} |
| 164 | +
|
| 165 | +``` |
| 166 | + |
| 167 | +The default API version is v2, and default environment is SANDBOX. |
| 168 | + |
| 169 | +Web location of the environments: |
| 170 | + |
| 171 | +[PRODUCTION Environment: https://api.bluebutton.cms.gov](https://api.bluebutton.cms.gov) |
| 172 | + |
| 173 | +[SANDBOX Environment: https://sandbox.bluebutton.cms.gov](https://sandbox.bluebutton.cms.gov) |
0 commit comments