20.14 Callback Models

This page describes various models that are available within different Smile CDR JavaScript callback functions. See individual module documentation for a description of how these objects are used.

20.14.1 AssociatedResource

This structure represents a link between a user in the auth database and a resource in the FHIR database. This can be used, for example, to specify that a particular user is a specific Patient in the CDR. That linkage can then be applied in order to make security/permission decisions.

Properties

Name Type Description
type Enumeration

The relationship between the user and the resource

resourceId String

The resource ID itself, e.g. 'Patient/123'

20.14.2 AuthenticationContext

Provides details about the context in which an authentication occurred. See onAuthenticateSuccess for information.

Properties

Name Type Description
nodeId String

The node ID associated with the request

moduleId String

The module ID associated with the request

startTime Date (Instant)

The time at which the initial HTTP request was received

remoteAddress String

The IP address of the remote party that invoked the service

remoteScheme String

The protocol used by the remote party to invoke the service (will generally be http or https)

20.14.3 AuthenticationFailure

This object represents a failed authentication attempt. An authentication callback script obtains it from ScriptAuthenticationOutcomeFactory.newFailure(), populates it, and returns it to reject the attempt.

Properties

Name Type Description
message String

An optional message to describe the failure

unknownUsername Boolean

Set this property to true if the failure is due to an invalid/unknown username

incorrectPassword Boolean

Set this property to true if the failure is due to an invalid/incorrect password

20.14.4 GrantedAuthority

A granted authority is a single user authority (permission) that has been granted to a user. This authority has a permission name, and optionally an argument.

Properties

Name Type Description
permission Enumeration

The name of the permission. See permissions for information on available permissions.

argument String

The argument for this authority. Note that some permissions do not take an argument while others require an argument. Consult the permission documentation for more information.

20.14.5 Hl7V2GeneratedMessageContext

Contains details about a converted/generated HL7 v2.x message

20.14.6 Hl7V2ReceivedMessageConversionResult

Contains the result of an HL7 v2.x message runtime mapping or the conversion outcome of an HL7 v2.x message (into a FHIR payload)

Properties

Name Type Description
doNotProcess Boolean

Set this to true to indicate that the received message should not be processed any further

transactionBundles Array<FHIR Resource>

An array of Bundle resources containing transactions to be submitted to the FHIR server

Functions

Name Description
function
void addMessage(thePath, theMessageLevel, theIssue)

This method adds a message to the conversion result. Acceptable message levels are INFO, WARNING, and ERROR

20.14.7 Hl7V2ReceivedMessage

Contains a received HL7 v2.x Message

Properties

Name Type Description
received Date (Instant)

The time at which this message was received

rawMessage HL7 v2.x Message

The actual HL7 message that was received

controlId String

The message control ID (MSH-10)

sendingPort Int

The port on the remote system from which the message was sent

sendingPort String

The IP address of the remote system from which the message was sent (as listed here the property name collides with the entry above, which looks like a transcription error; confirm the actual property name against the HL7 v2.x module documentation before referencing it from a script)

transactionPid Long

The PID assigned to this transaction by the transaction log

20.14.8 LaunchContext

Represents a SMART launch context that has been assigned to a specific user session

Properties

Name Type Description
contextType String

The launch context type, e.g. "patient" (note the lack of capitalization in SMART launch scope types)

resourceId String

The launch context resource ID, e.g. "123" (note that the resource type is not included in the ID)

20.14.9 LaunchResourceId

This structure identifies a single FHIR resource, by type and ID, that will be returned to the client as SMART launch context for a user session. See the launchResourceIds property of UserSessionDetails.

Properties

Name Type Description
resourceType String

The resource type, e.g. 'Patient'

resourceId String

The resource ID, e.g. '123'

20.14.10 OAuth2ClientDetails

Represents an OAuth2 client

Properties

Name Type Description
moduleId String

The Module ID that this client is registered against

nodeId String

The Node ID that this client is registered against

pid Long

The internal ID for this client.

accessTokenValiditySeconds Int

The number of seconds that an access token should be valid once it has been created.

allowedGrantTypes Array<Enumeration>

The grant types that this client is permitted to perform. See Authorization Flows for a description of the possible flows.

autoApproveScopes Array<String>

Scopes listed here will be automatically approved if requested by the client during the initial authorization request, without requiring the user to explicitly accept them.

autoGrantScopes Array<String>

Scopes listed here will be automatically granted during every successful authorization by this client. These scopes do not have to be explicitly requested by the client during the initial authorization request.

clientId String

The Client ID. It is sent as the client_id parameter in OAuth2 requests, and when a client authenticates with a signed JWT assertion it also appears as that assertion's iss (and sub) claim.

clientName String

A human friendly description/name for the client.

clientSecrets Array<OAuth2ClientSecret>

Optionally contains client secrets to be used by the client in some grant types.

fixedScope Boolean

Is this client fixed scope? When authorizing a fixed scope client, the list of scopes requested in the initial authorization request will be ignored, and the complete list of scopes in the Scope property will be assumed. If these scopes are not listed as Auto-Approve, the user will still be required to approve them.

refreshTokenValiditySeconds Int

The number of seconds that a refresh token will be valid for.

secretRequired Boolean

Is the client secret required in order to authenticate this client?

secretClientCanChange Boolean

Can the client change their own secret?

enabled Boolean

Is the client enabled?

canIntrospectOwnTokens Boolean

Can this client perform token introspection on tokens that it issued?

canIntrospectAnyTokens Boolean

Can this client perform token introspection on any tokens issued by the security module it is registered against?

alwaysRequireApproval Boolean

Should the user approval page be displayed even if the client has not requested any scopes that require user approval?

canReissueTokens Boolean

Can the OAuth2 server reissue tokens that have been previously issued for this client, if the token request is the same (e.g. for the same user, requesting the same scopes, etc.) and the token is not close to expiry?

permissions Array<GrantedAuthority>

Any permission that should be granted directly to the client when it authenticates using the Client Credentials Grant.

rememberApprovedScopes Boolean

When a user performs an OAuth2 authentication/authorization flow for this client, should their approved scopes be remembered the next time they authenticate?
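
The properties above are the ones a reviewer checks when a client definition is onboarded. The following is an added example, not Smile CDR's own code: a review pass over OAuth2ClientDetails objects that flags the settings most likely to widen a client's blast radius (implicit grant, authority without a required secret, cross-client introspection, long token lifetimes, broad auto-granted write scopes). It reads only properties documented for OAuth2ClientDetails and OAuth2ClientSecret. The grant-type strings are the standard OAuth2 names and are an assumption about the module's enumeration values, the thresholds are example policy rather than product defaults, and the two sample client objects are constructed for the example.

```javascript
// Added example (not Smile CDR code): audit an OAuth2ClientDetails object for risky settings.
const MAX_ACCESS_TOKEN_SECONDS = 60 * 60;            // example policy: 1 hour
const MAX_REFRESH_TOKEN_SECONDS = 90 * 24 * 60 * 60; // example policy: 90 days
const BROAD_WRITE_SCOPE = /^(system|user|patient)\/\*\.(write|\*)$/; // SMART scope syntax

// True when an OAuth2ClientSecret is usable now: past activation (if any) and not expired.
function secretIsLive(secret, now) {
  const activation = secret.activation ? new Date(secret.activation) : null;
  const expiration = secret.expiration ? new Date(secret.expiration) : null;
  return (!activation || activation <= now) && (!expiration || expiration > now);
}

// Returns human-readable findings; an empty array means nothing was flagged.
function auditOAuth2Client(client, now = new Date()) {
  const findings = [];
  // Grant-type values are assumed to be the standard OAuth2 names, in any letter case.
  const grants = (client.allowedGrantTypes || []).map(g => String(g).toLowerCase());
  const has = g => grants.includes(g);

  if (has('implicit')) {
    findings.push('implicit grant allowed: access tokens travel in the redirect URL; use authorization_code');
  }
  if (has('password')) {
    findings.push('resource owner password grant allowed: the client handles raw user credentials');
  }
  // A client that obtains authority on its own behalf (client_credentials, or permissions
  // granted directly to it) must be protected by a secret, or the client_id alone suffices.
  const confersAuthority = has('client_credentials') || (client.permissions || []).length > 0;
  if (confersAuthority && !client.secretRequired) {
    findings.push('secretRequired is false for a client that obtains authority on its own behalf');
  }
  if (client.secretRequired && !(client.clientSecrets || []).some(s => secretIsLive(s, now))) {
    findings.push('secretRequired is true but the client has no active, unexpired secret');
  }
  if (client.canIntrospectAnyTokens) {
    findings.push('canIntrospectAnyTokens: the client can inspect tokens issued to every other client');
  }
  if (client.accessTokenValiditySeconds > MAX_ACCESS_TOKEN_SECONDS) {
    findings.push('accessTokenValiditySeconds exceeds ' + MAX_ACCESS_TOKEN_SECONDS + ' seconds');
  }
  if (client.refreshTokenValiditySeconds > MAX_REFRESH_TOKEN_SECONDS) {
    findings.push('refreshTokenValiditySeconds exceeds ' + MAX_REFRESH_TOKEN_SECONDS + ' seconds');
  }
  const broad = (client.autoGrantScopes || []).filter(s => BROAD_WRITE_SCOPE.test(s));
  if (broad.length > 0) {
    findings.push('autoGrantScopes silently grants broad write access: ' + broad.join(', '));
  }
  return findings;
}

// Constructed sample definitions (not real clients): one risky, one hardened.
const riskyClient = {
  clientId: 'legacy-portal', clientName: 'Legacy portal', enabled: true,
  allowedGrantTypes: ['IMPLICIT', 'CLIENT_CREDENTIALS'],
  secretRequired: false, clientSecrets: [],
  accessTokenValiditySeconds: 86400, refreshTokenValiditySeconds: 3600,
  autoGrantScopes: ['openid', 'system/*.*'], autoApproveScopes: [],
  canIntrospectOwnTokens: true, canIntrospectAnyTokens: true, permissions: [],
};
const hardenedClient = {
  clientId: 'patient-app', clientName: 'Patient app', enabled: true,
  allowedGrantTypes: ['AUTHORIZATION_CODE', 'REFRESH_TOKEN'],
  secretRequired: true,
  clientSecrets: [{ pid: 1, secret: '<hashed>', description: 'rotated 2024',
                    activation: '2024-01-01T00:00:00Z', expiration: '2099-01-01T00:00:00Z' }],
  accessTokenValiditySeconds: 900, refreshTokenValiditySeconds: 30 * 24 * 60 * 60,
  autoGrantScopes: ['openid'], autoApproveScopes: ['openid', 'fhirUser'],
  canIntrospectOwnTokens: true, canIntrospectAnyTokens: false, permissions: [],
};
```

Run `auditOAuth2Client(riskyClient)` to see the five findings; the hardened definition produces none. Note that a public client using authorization_code without a secret is deliberately not flagged: that is the normal shape for browser and mobile apps, and the risk there is governed by redirect URI and PKCE handling rather than by the properties on this object.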

20.14.11 OAuth2ClientSecret

A client secret for an OAuth2 client

Properties

Name Type Description
pid Long
secret String
description String
expiration Date (Instant)
activation Date (Instant)

20.14.12 OAuth2Clients

A collection of OAuth2 clients

Properties

Name Type Description
clients Array<OAuth2ClientDetails>
pageIndex Int
totalPages Int

20.14.13 OAuth2Server

An OAuth2/OpenID Connect server definition

Properties

Name Type Description
pid Long
name String
issuer String
tokenIntrospectionClientId String
tokenIntrospectionClientSecret String
nodeId String
moduleId String
validationJwkText String
validationJwkFile String

20.14.14 OAuth2Servers

A collection of OAuth2/OpenID Connect server definitions

Properties

Name Type Description
servers Array<OAuth2Server>
pageIndex Int
totalPages Int

20.14.15 RequestDetailsJson

This object contains details about a FHIR request at runtime

Properties

Name Type Description
tenantId String
compartmentName String
completeUrl String
fhirServerBase String
id String
operation String
requestPath String
requestType Enumeration
resourceName String
respondGzip Boolean
restOperationType Enumeration
secondaryOperation String
subRequest Boolean

Functions

Name Description
function
Array<String> getParameters(The URL parameter name)

Returns an array of URL values for the given parameter

20.14.16 ScriptAuthenticationOutcomeFactory

This object is passed to authentication scripts so that they can create the success or failure object to be returned by the script function.

Functions

Name Description
function
UserSessionDetails newSuccess()

This method creates a successful response that can be populated by the script, and then returned by the function.

function
AuthenticationFailure newFailure()

This method creates a failure response that can be populated by the script, and then returned by the function.

20.14.17 ScriptConsentContextServices

This object is passed to consent services scripts to provide context services

Functions

Name Description
function
void proceed()

Advise the consent service that this operation should proceed (i.e. the operation will not be rejected, and the consent service will continue to evaluate)

function
void authorized()

Advise the consent service that this operation should be authorized (i.e. no further checking should occur)

function
void reject()

Advise the consent service that this operation should be rejected
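
The three verdicts above differ in what happens next: proceed() leaves per-resource consent evaluation in place, authorized() ends evaluation with an allow, and reject() ends it with a deny. The following is an added example, not Smile CDR's own code, that uses all three together with the RequestDetailsJson, UserSessionDetails and AssociatedResource models on this page to confine a patient-linked user to their own record. The entry-point name consentStartOperation and its argument order are assumptions to check against the consent module documentation, the 'PATIENT' association type is a placeholder value, and the request and session objects at the bottom are constructed stand-ins so the rule runs offline.

```javascript
// Added example (not Smile CDR code): a consent "start operation" rule for patient-linked users.

// Patients the user is linked to via AssociatedResource entries, e.g. 'Patient/123'.
function linkedPatientIds(theUserSession) {
  return (theUserSession.associatedResources || [])
    .map(a => a.resourceId)
    .filter(id => typeof id === 'string' && id.startsWith('Patient/'));
}

// Normalises '123' or 'Patient/123' to 'Patient/123'; anything else will simply not match.
function asPatientRef(value) {
  const v = String(value).trim();
  return v.startsWith('Patient/') ? v : 'Patient/' + v;
}

// Assumed entry point: invoked by the consent module at the start of each operation.
function consentStartOperation(theRequestDetails, theUserSession, theContextServices) {
  const own = linkedPatientIds(theUserSession);

  // Users with no patient linkage (e.g. practitioners) are outside this rule:
  // let the rest of the consent evaluation and the normal permission checks decide.
  if (own.length === 0) {
    theContextServices.proceed();
    return;
  }

  // Direct access to a Patient instance: short-circuit only for the user's own record.
  if (theRequestDetails.resourceName === 'Patient' && theRequestDetails.id) {
    if (own.includes(asPatientRef(theRequestDetails.id))) {
      theContextServices.authorized();
    } else {
      theContextServices.reject();
    }
    return;
  }

  // Searches scoped by ?patient= or ?subject= (values may be comma-separated lists).
  // Every referenced patient must be the user's own, otherwise reject outright.
  const refs = ['patient', 'subject']
    .flatMap(name => theRequestDetails.getParameters(name) || [])
    .flatMap(v => String(v).split(','))
    .filter(v => v.length > 0);
  if (refs.length > 0) {
    if (refs.every(r => own.includes(asPatientRef(r)))) {
      theContextServices.proceed(); // still subject to per-resource consent checks
    } else {
      theContextServices.reject();
    }
    return;
  }

  // Unscoped requests are never approved wholesale; leave them to per-resource evaluation.
  theContextServices.proceed();
}

// Constructed stand-ins for the host objects, implementing only the documented members used above.
function makeRequest(fields, params) {
  return Object.assign({ getParameters: name => params[name] || [] }, fields);
}
function decide(request, session) {
  const services = { decision: null };
  services.proceed = () => { services.decision = 'proceed'; };
  services.authorized = () => { services.decision = 'authorized'; };
  services.reject = () => { services.decision = 'reject'; };
  consentStartOperation(request, session, services);
  return services.decision;
}
// Constructed session for a user linked to Patient/123 ('PATIENT' is a placeholder type value).
const patientSession = { associatedResources: [{ type: 'PATIENT', resourceId: 'Patient/123' }] };
```

For example, decide(makeRequest({ resourceName: 'Observation' }, { subject: ['123,999'] }), patientSession) returns 'reject' because one of the referenced patients is not the user's own. A reference to something that is not a patient (for instance subject=Group/1) is also rejected, which is the fail-closed choice for a patient-facing rule.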

20.14.18 SecurityInLdapAuthenticationContext

Provides details and functions around the context of an authentication using the LDAP Inbound Security module. Objects of this type inherit all properties of their ancestor type AuthenticationContext.

Properties

Name Type Description
nodeId String

The node ID associated with the request

moduleId String

The module ID associated with the request

startTime Date (Instant)

The time at which the initial HTTP request was received

remoteAddress String

The IP address of the remote party that invoked the service

remoteScheme String

The protocol used by the remote party to invoke the service (will generally be http or https)

Functions

Name Description
function
Array<String> getStringAttributes(theAttributeName)

Fetch string attribute values for the given attribute name in LDAP for the authenticated user

function
Boolean isMemberOfGroup(theGroupDn)

Return true if the authenticated user is in the given group

20.14.19 SecurityInSmartAuthenticationContext

Provides the context for the onAuthenticateSuccess callback method on the SMART Inbound Security module. Objects of this type inherit all properties of their ancestor type AuthenticationContext.

Properties

Name Type Description
nodeId String

The node ID associated with the request

moduleId String

The module ID associated with the request

startTime Date (Instant)

The time at which the initial HTTP request was received

remoteAddress String

The IP address of the remote party that invoked the service

remoteScheme String

The protocol used by the remote party to invoke the service (will generally be http or https)

Functions

Name Description
function
String getStringClaim(theName)

This function returns the value of the named claim from the access token JWT presented to the server

function
Array<String> getApprovedScopes()

This function returns an array of the approved scopes

function
Boolean hasApprovedScope(theScope)

This function returns true if the session has been approved for the given OAuth2 scope
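
The claim and scope accessors above are what an onAuthenticateSuccess callback has to work with when it turns an externally issued token into a Smile CDR session. The following is an added example, not Smile CDR's own code, that derives the session's authorities, associated resource and default launch context from the token and refuses to grant anything when the identity claim is unusable. Assumptions to check against the SMART Inbound Security module documentation: the callback signature onAuthenticateSuccess(theUserSession, theContext), that the upstream issuer places the SMART 'fhirUser' claim in the access token, the two permission names held in constants below, and the AssociatedResource type values. The session and context objects at the bottom are constructed stand-ins so the callback runs offline.

```javascript
// Added example (not Smile CDR code): onAuthenticateSuccess for the SMART Inbound Security module.
const FHIR_USER_CLAIM = 'fhirUser'; // assumption about the upstream issuer's token contents
const COMPARTMENT_READ_PERMISSION = 'FHIR_READ_ALL_IN_COMPARTMENT'; // assumed name; see permissions docs
const ALL_READ_PERMISSION = 'FHIR_ALL_READ';                         // assumed name; see permissions docs

// Accepts '.../Patient/123' or 'Practitioner/42'. Other resource types, path tricks and
// empty IDs yield null so the caller can fail closed.
function parseFhirUser(value) {
  if (typeof value !== 'string') return null;
  const m = /(?:^|\/)(Patient|Practitioner)\/([A-Za-z0-9.\-]{1,64})$/.exec(value);
  return m ? { resourceType: m[1], resourceId: m[2] } : null;
}

function onAuthenticateSuccess(theUserSession, theContext) {
  const who = parseFhirUser(theContext.getStringClaim(FHIR_USER_CLAIM));
  if (!who) {
    return; // no usable identity in the token: grant nothing rather than guess
  }
  const reference = who.resourceType + '/' + who.resourceId;
  theUserSession.addAuthority('ROLE_FHIR_CLIENT');
  // Link the session to the FHIR resource representing the user ('PATIENT'/'PRACTITIONER' are placeholder type values).
  theUserSession.associatedResources.push({ type: who.resourceType.toUpperCase(), resourceId: reference });
  // LaunchContext.resourceId carries the bare ID and the context type is lower case.
  theUserSession.getOrCreateDefaultLaunchContext(who.resourceType.toLowerCase()).resourceId = who.resourceId;

  const scopes = theContext.getApprovedScopes();
  if (who.resourceType === 'Patient') {
    // A patient identity is always confined to its own compartment, whatever scopes were approved.
    if (scopes.some(s => s.startsWith('patient/'))) {
      theUserSession.addAuthority(COMPARTMENT_READ_PERMISSION, reference);
    }
  } else if (theContext.hasApprovedScope('user/*.read')) {
    theUserSession.addAuthority(ALL_READ_PERMISSION);
  }
}

// Constructed stand-ins implementing only the documented members used above.
function makeSession() {
  const s = { authorities: [], associatedResources: [], defaultLaunchContexts: [] };
  s.addAuthority = (permission, argument) => {
    s.authorities.push({ permission, argument: argument === undefined ? null : argument });
  };
  s.hasAuthority = permission => s.authorities.some(a => a.permission === permission);
  s.getOrCreateDefaultLaunchContext = contextType => {
    let ctx = s.defaultLaunchContexts.find(c => c.contextType === contextType);
    if (!ctx) {
      ctx = { contextType, resourceId: null };
      s.defaultLaunchContexts.push(ctx);
    }
    return ctx;
  };
  return s;
}
function makeContext(claims, scopes) {
  return {
    getStringClaim: name => (Object.prototype.hasOwnProperty.call(claims, name) ? claims[name] : null),
    getApprovedScopes: () => scopes.slice(),
    hasApprovedScope: scope => scopes.includes(scope),
  };
}
```

The design point is that the token's scopes are mapped onto authorities only after the identity has been parsed and validated: a token whose fhirUser claim is missing or malformed ends the callback with an empty authority set, and a patient identity never receives anything broader than its own compartment even if the approved scopes would allow it.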

20.14.20 SmartCodapAuthorizationRequest

This object is passed to the SMART Cross-Organization Data Access Profile authorization callback script

Properties

Name Type Description
requestingPractitioner FHIR Resource

The identity of the requesting user

requestedRecord FHIR Resource

The record being requested, e.g. the Patient whose data the requesting practitioner wants to access

reasonForRequest String

The client-supplied reason for the request

clientId String

The client ID

scope Array<String>

All OAuth2 scopes that were requested by the client

rawAuthorizationToken String

Contains the raw authorization token (should be a signed JWT)

rawAuthenticationToken String

Contains the raw authentication token (should be a signed JWT)

20.14.21 SmartOnPostAuthorizeDetails

This class represents a completed SMART Authorization. It contains details about the authorization, what was granted, who it was granted to, etc.

Properties

Name Type Description
grantType String

The OAuth2 grant type requested by the client, e.g. authorization_code or implicit

accessToken String

The generated access token that will be returned to the client

grantedScopes Array<String>

All OAuth2 scopes that were granted to the client

expiration Date (Instant)

The expiration time of the authorization

requestingPractitioner FHIR Resource

The identity of the requesting user

requestedRecord FHIR Resource

The record being requested, e.g. the Patient whose data the requesting practitioner wants to access

refreshToken String

The generated refresh token that will be returned to the client

20.14.22 UserSessionDetails

A user session details object contains details about a logged in user and a specific session they have established with the authorization server.

Properties

Name Type Description
launchResourceIds Array<LaunchResourceId>

Specifies the IDs that will be returned to the user as launch context if the SMART authorization flow requests a launch context

approvedScopes Array<String>

If the session is an OAuth2 session (i.e. it is accessed via a bearer token that was granted by a SMART Auth server) this field will be populated with the set of scopes that were approved for the client

accountDisabled Boolean

Is this account currently disabled?

notes String

Any notes regarding this user

email String

The user email address

accountLocked Boolean

Is this account currently locked?

authorities Array<GrantedAuthority>

Any authorities (permissions) granted to this user

associatedResources Array<AssociatedResource>

A collection of "associated resource" IDs. Associated resources are FHIR resources with some connection to the given user, such as a Patient or Practitioner resource representing the actual user.

familyName String

The user's family (last) name

givenName String

The user's given (first) name

lastActive Date (Instant)

The date at which the user account was last used. Note that this property is read-only, and is only updated once per day, so it is accurate only to the date.

moduleId String

The module ID associated with this user account. This is the module ID associated with the Inbound Security module that is responsible for authenticating this user.

nodeId String

The node ID associated with this user. This is the master node ID associated with the Inbound Security module that is responsible for authenticating this user.

password String

The user password (note that this property will not be populated when sessions are made available to user code)

pid Long

The PID (internal ID) for this user

username String

The username for this user

usernameNamespace String

The username namespace associated with this user

systemUser Boolean

If this is set, the user cannot be renamed or deleted (this property may only be set by the system)

external Boolean

If this value is set, the user is backed by an external user directory (this property may only be set by the system)

defaultLaunchContexts Array<LaunchContext>

The SMART launch contexts associated with this account

serviceAccount Boolean
twoFactorAuthStatus Enumeration

Functions

Name Description
function
void addApprovedScope(theScope)

Add an approved scope to the session

function
void addAuthority(thePermission)

Add an authority/permission to the given user

function
void addAuthority(thePermission, theArgument)

Add an authority/permission with an argument to the given user

function
Boolean hasAuthority(The name of the permission, e.g. 'ROLE_FHIR_CLIENT')

Does the user have the given permission?

function
LaunchContext getOrCreateDefaultLaunchContext(The context type, e.g. "patient" or "practitioner", The index, starting at 0)

Returns the default launch context at the given (zero-based) index for the given type, creating one if none exists at that index

function
LaunchContext getOrCreateDefaultLaunchContext(The context type, e.g. "patient" or "practitioner")

Returns the first default launch context for the given type, creating one if none exists

20.14.23 UsernamePasswordAuthenticationRequest

This object contains the username and password supplied by a client for authentication purposes

Properties

Name Type Description
username String

The username

password String

The password

remoteAddress String

The IP address of the client