40.20.1 Callback Models

 

This page describes various models that are available within different Smile CDR JavaScript callback functions. See individual module documentation for a description of how these objects are used.

40.20.2 AssociatedResource

 

This structure represents a link between a user in the auth database and a resource in the FHIR database. This can be used, for example, to specify that a particular user is a specific Patient in the CDR. That linkage can then be applied in order to make security/permission decisions.

40.20.2.1 Properties

Name Type Description
type Enumeration The relationship between the user and the resource

Options:

  • SELF
resourceId String The resource ID itself, e.g. 'Patient/123'

40.20.3 AuthenticationContext

 

Provides details about the context in which an authentication occurred. See onAuthenticateSuccess for information.

40.20.3.1 Properties

Name Type Description
nodeId String The node ID associated with the request
moduleId String The module ID associated with the request
startTime Date (Instant) The time at which the initial HTTP request was received
remoteAddress String The IP address of the remote party to invoke the service
remoteScheme String The protocol used by the remote party to invoke the service (will generally be http or https)
headers Map<String,String> The headers associated with the request

40.20.4 AuthenticationFailure

 

This object represents a failed authentication attempt, and is returned by an authorization callback script.

40.20.4.1 Properties

Name Type Description
message String
unknownUsername Boolean
incorrectPassword Boolean

40.20.5 AuthenticationRequest

 

This object contains the credentials supplied by a client for authentication purposes

40.20.5.1 Properties

Name Type Description
username String The username
password String The password
remoteAddress String The IP address of the client
headers Map<String,String> The HTTP headers associated with the request

40.20.6 ClientCredentialsAuthenticationRequest

 

Contains attributes related to an OIDC client credentials grant request.

40.20.6.1 Properties

Name Type Description
jwtClaims Map<String,Object>

40.20.7 CsvProcessorContext

 

Contains context information passed into the ETL Import module mapping script

40.20.7.1 Properties

Name Type Description
userJobType String This field can contain an arbitrary token supplied by the client that initiated the job
filename String This field can contain the filename of the specific file being imported

40.20.7.2 Functions

Name Description
getProcessingThreadNumber()
Returns the processing thread number. This will be an integer between 0 and the maximum number of processing threads

Return Type: Int
lock(theKey)
Attempt to obtain and lock an arbitrary named semaphore. This can be used to guarantee that two row processors do not attempt to operate on the same underlying resource at the same time by ensuring that one completes before another attempts to commit its own transaction.

Return Type: void
Parameter theKey: theKey

40.20.8 FhirContextEntry

 

This structure represents a single entry in fhirContext, which can be either a reference only (ex: "PractitionerRole/123") or a reference/role pair (ex: "List/123", "role": "https://example.org/med-list-at-home"). A reference is commonly to a FHIR resource and a role is an optional property with a URI identifying the role. The entire fhirContext is encoded in the access token and used by the relevant SMART application.

40.20.8.1 Properties

Name Type Description
reference String The reference to a resource, e.g. 'PractitionerRole/123'
role String The role, e.g. 'https://example.org/med-list-at-home'

40.20.9 FhirEndpointTerminologyResponseMappingSpec

 

Defines a response terminology mapping specification for a FHIR Endpoint module

40.20.9.1 Properties

Name Type Description
systems Array<FhirEndpointTerminologyResponseMappingSpecSystem>

40.20.9.2 Example

{
  "systems" : [ {
    "sourceSystemUri" : "http://example.com/lab_codes",
    "targetSystemUri" : "http://loinc.org"
  }, {
    "sourceSystemUri" : "http://example.com/anatomy",
    "targetSystemUri" : "http://snomed.info"
  } ]
}

40.20.10 FhirEndpointTerminologyResponseMappingSpecSystem

 

A code system entry for a FhirEndpointTerminologyResponseMappingSpec object

40.20.10.1 Properties

Name Type Description
sourceSystemUri String
targetSystemUri String

40.20.11 GatewayConfiguration

 

This is the outer document element containing configuration for the Smile CDR FHIR Gateway module.

40.20.11.1 Properties

Name Type Description
targets Array<GatewayTarget>
searchRoutes Array<GatewaySearchRoute>
readRoutes Array<GatewayReadRoute>
operationRoutes Array<GatewayOperationRoute>
updateRoutes Array<GatewayUpdateRoute>
createRoutes Array<GatewayCreateRoute>
deleteRoutes Array<GatewayDeleteRoute>
transactionRoutes Array<GatewayTransactionRoute>

40.20.11.2 Example

{
  "targets" : [ {
    "id" : "target1",
    "baseUrl" : "http://fhir1.example.com/api",
    "resourceIdPrefix" : "TGT1-"
  }, {
    "id" : "target2",
    "baseUrl" : "http://fhir2.example.com/api",
    "resourceIdPrefix" : "TGT2-"
  } ],
  "searchRoutes" : [ {
    "id" : "route1",
    "resourceTypes" : [ "Observation", "Patient", "Encounter" ],
    "targets" : [ {
      "targetId" : "target1"
    }, {
      "targetId" : "target2"
    } ],
    "parallel" : true,
    "disablePaging" : false
  } ]
}

40.20.12 GatewayCreateRoute

 

Defines a Smile CDR FHIR Gateway route that services FHIR create operations.

40.20.12.1 Properties

Name Type Description
id String A unique ID for this route
resourceTypes Set<String> The resource type (e.g. 'Patient') that this route applies to
targets Array<GatewayRouteTarget> A list of gateway target server IDs that this route should direct operations to
parallel Boolean If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded)

40.20.13 GatewayDeleteRoute

 

Defines a Smile CDR FHIR Gateway route that services FHIR delete operations.

40.20.13.1 Properties

Name Type Description
id String A unique ID for this route
resourceTypes Set<String> The resource type (e.g. 'Patient') that this route applies to
targets Array<GatewayRouteTarget> A list of gateway target server IDs that this route should direct operations to
parallel Boolean If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded)

40.20.14 GatewayOperation

 

Defines a FHIR operation that can be called through the Smile CDR Gateway

40.20.14.1 Properties

Name Type Description
name String The name of the FHIR operation
system Boolean This operation can be called at the system level
type Boolean This operation can be called on a FHIR resource type
instance Boolean This operation can be called on a FHIR resource instance

40.20.15 GatewayOperationRoute

 

Defines a Smile CDR FHIR Gateway route that services FHIR operations

40.20.15.1 Properties

Name Type Description
operations Array<GatewayOperation> The operations that this route applies to
id String A unique ID for this route
resourceTypes Set<String> The resource type (e.g. 'Patient') that this route applies to
targets Array<GatewayRouteTarget> A list of gateway target server IDs that this route should direct operations to
parallel Boolean If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded)

40.20.16 GatewayReadRoute

 

Defines a Smile CDR FHIR Gateway route that services FHIR read and vread operations

40.20.16.1 Properties

Name Type Description
id String A unique ID for this route
resourceTypes Set<String> The resource type (e.g. 'Patient') that this route applies to
targets Array<GatewayRouteTarget> A list of gateway target server IDs that this route should direct operations to
parallel Boolean If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded)

40.20.17 GatewayRouteTarget

 

Defines a target association for a Smile CDR FHIR Gateway route

40.20.17.1 Properties

Name Type Description
targetId String The ID of the target server

40.20.18 GatewaySearchRoute

 

Defines a Smile CDR FHIR Gateway route that services FHIR search operations

40.20.18.1 Properties

Name Type Description
disablePaging Boolean Responses for this route should not include paging links
id String A unique ID for this route
resourceTypes Set<String> The resource type (e.g. 'Patient') that this route applies to
targets Array<GatewayRouteTarget> A list of gateway target server IDs that this route should direct operations to
parallel Boolean If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded)

40.20.19 GatewayTarget

 

Contains the definition for an individual Smile CDR FHIR Gateway target server

40.20.19.1 Properties

Name Type Description
id String An internal ID for the target server
baseUrl String The base URL for the target server
fixedEndpointUrl String If specified, will create a mapping between the baseUrl of the target, and this endpoint. When a bundle link is received that refers to this fixed endpoint, we will associate it to this target.
httpBasicCredentials String If specified, these credentials (in the form username:password) will be passed in all client requests to the target server
connectTimeoutMillis Int Specifies a connection timeout (in millis) to use for communication with the target server. Default is 60000
socketTimeoutMillis Int Specifies a socket timeout (in millis) to use for communication with the target server. Default is 60000
clientInterceptorClasses String If specified, signals to FHIR Gateway to load a comma-delimited list of CLIENT_RESPONSE interceptor classes that will allow the user to overwrite the HTTP response
resourceIdPrefix String If specified, provides a prefix that will be added to all resource IDs and local references for the target server before returning to the client
useHttpPostForAllSearches Boolean If set to true, FHIR search and paging operations against the target server will be performed using an HTTP POST instead of a GET. Default is false
serverCapabilityStatementValidationEnabled Boolean If set to false, FHIR Gateway will not validate the target server's CapabilityStatement with a request to /metadata. Default is true
alternateValidationPath String An alternate validation path which can be used to validate the target server using a HTTP GET request.
headersToForward Array<String> Any headers specified by name will be copied from the incoming client request and added to requests to the target server
allowedToFail Boolean If set to true, FHIR search operations against the target server that fail will not return an error to the client, unless all targets for a given request have failed. This flag does not apply to read routes. Default is false
forcedEncoding Enumeration If set, any requests containing a payload will have their payload re-encoded to the defined content-type before being forwarded to the target server

Options:

  • JSON
  • NDJSON
  • RDF
  • XML
retryStrategy GatewayTargetRetryStrategy If set, failed requests to this target will be retried using the specified retry configurations.

40.20.19.2 Example

{
  "id" : "target1",
  "baseUrl" : "http://localhost:8000",
  "headersToForward" : [ "Sample-Header-1", "Sample-Header-2" ],
  "allowedToFail" : true,
  "retryStrategy" : {
    "maxRetries" : 2,
    "backoffStrategy" : "exponential",
    "backoffInterval" : 100,
    "errorRetryClasses" : [ "ca.uhn.fhir.rest.server.exceptions.MethodNotAllowedException" ]
  }
}
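
The GatewayTarget and GatewayConfiguration properties above can be reviewed statically before a configuration is deployed. The following is an added example, not Smile CDR code: the property names are the ones documented on this page, while `lintTarget()`, `lintGatewayConfig()`, the finding ids and the sample configuration are hypothetical and constructed for illustration.

```javascript
// Added example: static review of a Smile CDR GatewayConfiguration document.
// Property names are the ones documented on this page; lintGatewayConfig(),
// lintTarget() and the finding ids are hypothetical names for this sketch.

const ROUTE_KEYS = ['searchRoutes', 'readRoutes', 'operationRoutes', 'updateRoutes',
  'createRoutes', 'deleteRoutes', 'transactionRoutes'];
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

function lintTarget(target) {
  const findings = [];
  const add = (id, detail) => findings.push({ scope: `target:${target.id}`, id, detail });

  let url = null;
  try {
    url = new URL(target.baseUrl);
  } catch (e) {
    add('BASEURL_INVALID', 'baseUrl is missing or cannot be parsed');
  }

  // Plain http to a non-loopback host exposes everything the gateway sends.
  const plaintext = url !== null && url.protocol === 'http:' && !LOOPBACK_HOSTS.has(url.hostname);
  if (plaintext) {
    add('BASEURL_PLAINTEXT', `requests to ${url.host} are not protected by TLS`);
    if (target.httpBasicCredentials) {
      // Report the username only; never echo the password half of username:password.
      const user = String(target.httpBasicCredentials).split(':')[0];
      add('BASIC_CREDS_OVER_HTTP', `credentials for "${user}" are sent on every request`);
    }
    const exposed = (target.headersToForward || [])
      .filter((name) => SENSITIVE_HEADERS.has(String(name).toLowerCase()));
    if (exposed.length > 0) {
      add('SENSITIVE_HEADER_OVER_HTTP', `forwarded in clear text: ${exposed.join(', ')}`);
    }
  }
  if (target.serverCapabilityStatementValidationEnabled === false) {
    add('CAPABILITY_VALIDATION_DISABLED', 'target is not validated with a request to /metadata');
  }
  if (target.allowedToFail === true) {
    add('PARTIAL_RESULTS_POSSIBLE', 'search failures on this target are not reported unless every target fails');
  }
  return findings;
}

function lintGatewayConfig(config) {
  const findings = [];
  const knownIds = new Set();
  for (const target of config.targets || []) {
    if (knownIds.has(target.id)) {
      findings.push({ scope: `target:${target.id}`, id: 'DUPLICATE_TARGET_ID', detail: 'id is defined more than once' });
    }
    knownIds.add(target.id);
    findings.push(...lintTarget(target));
  }
  // Every GatewayRouteTarget.targetId must resolve to a defined GatewayTarget.id.
  for (const key of ROUTE_KEYS) {
    for (const route of config[key] || []) {
      for (const ref of route.targets || []) {
        if (!knownIds.has(ref.targetId)) {
          findings.push({ scope: `${key}:${route.id}`, id: 'UNKNOWN_TARGET', detail: `no target with id "${ref.targetId}"` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample configuration (not taken from the page or a real deployment).
const sampleConfig = {
  targets: [
    { id: 'target1', baseUrl: 'http://fhir1.example.com/api',
      httpBasicCredentials: 'gateway:constructed-pass',
      headersToForward: ['Authorization', 'Sample-Header-1'] },
    { id: 'target2', baseUrl: 'https://fhir2.example.com/api',
      allowedToFail: true, serverCapabilityStatementValidationEnabled: false },
    { id: 'local', baseUrl: 'http://localhost:8000' }
  ],
  searchRoutes: [
    { id: 'route1', resourceTypes: ['Observation', 'Patient'],
      targets: [{ targetId: 'target1' }, { targetId: 'target3' }], parallel: true }
  ]
};

for (const f of lintGatewayConfig(sampleConfig)) {
  console.log(`${f.scope}\t${f.id}\t${f.detail}`);
}
```

Loopback targets such as the `http://localhost:8000` value in the example above are deliberately not reported as plaintext, since that traffic does not leave the host.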

40.20.20 GatewayTargetRetryStrategy

 

Contains configurations for the retry strategy for this target.

40.20.20.1 Properties

Name Type Description
maxRetries Int The number of times to retry on a failed request.
backoffStrategy Enumeration The backoff strategy to use for failed attempts.

Options:

  • EXPONENTIAL
  • LINEAR
backoffInterval Long The backoff interval in milliseconds (defaulted to 1000ms). If an exponential backoff strategy is specified, this is the initial interval.
errorRetryClasses Array<String> The underlying fully qualified (e.g. ca.uhn.fhir.rest.server.exceptions.MethodNotAllowedException) error class names to retry on.

40.20.21 GatewayTransactionRoute

 

Defines a Smile CDR FHIR Gateway route that services FHIR transaction operations.

40.20.21.1 Properties

Name Type Description
id String A unique ID for this route
resourceTypes Set<String> The resource type (e.g. 'Patient') that this route applies to
targets Array<GatewayRouteTarget> A list of gateway target server IDs that this route should direct operations to
parallel Boolean If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded)

40.20.22 GatewayUpdateRoute

 

Defines a Smile CDR FHIR Gateway route that services FHIR update operations.

40.20.22.1 Properties

Name Type Description
id String A unique ID for this route
resourceTypes Set<String> The resource type (e.g. 'Patient') that this route applies to
targets Array<GatewayRouteTarget> A list of gateway target server IDs that this route should direct operations to
parallel Boolean If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded)

40.20.23 GrantedAuthority

 

A granted authority is a single user authority (permission) that has been granted to a user. This authority has a permission name, and optionally an argument.

40.20.23.1 Properties

Name Type Description
permission Enumeration The name of the permission. See permissions for information on available permissions.

Options:

  • ACCESS_ADMIN_JSON
  • ACCESS_ADMIN_WEB
  • ACCESS_EASYSHARE
  • ACCESS_FHIRWEB
  • ACCESS_FHIR_ENDPOINT
  • AG_ADMIN_CONSOLE_READ
  • AG_ADMIN_CONSOLE_WRITE
  • AG_DEV_PORTAL_READ
  • AG_DEV_PORTAL_WRITE
  • ARCHIVE_MODULE
  • BATCH_JOB_ANALYTICS
  • BLOCK_FHIR_READ_UNLESS_CODE_IN_VS
  • BLOCK_FHIR_READ_UNLESS_CODE_NOT_IN_VS
  • CDA_IMPORT
  • CHANGE_OWN_DEFAULT_LAUNCH_CONTEXTS
  • CHANGE_OWN_PASSWORD
  • CHANGE_OWN_TFA_KEY
  • CONTROL_MODULE
  • CONTROL_MODULE_FOR_MODULE
  • CREATE_CDA_TEMPLATE
  • CREATE_MODULE
  • CREATE_USER
  • DELETE_CDA_TEMPLATE
  • DOCREF
  • DQM_QPP_BUILD
  • EASYSHARE_CREATE_SMART_HEALTH_LINK
  • EMPI_ADMIN
  • EMPI_UPDATE_MATCH_RULES
  • EMPI_VIEW_MATCH_RULES
  • ETL_IMPORT_PROCESS_FILE
  • FHIR_ACCESS_PARTITION_ALL
  • FHIR_ACCESS_PARTITION_NAME
  • FHIR_ALL_DELETE
  • FHIR_ALL_READ
  • FHIR_ALL_WRITE
  • FHIR_AUTO_MDM
  • FHIR_BATCH
  • FHIR_CAPABILITIES
  • FHIR_DELETE_ALL_IN_COMPARTMENT
  • FHIR_DELETE_ALL_OF_TYPE
  • FHIR_DELETE_CASCADE_ALLOWED
  • FHIR_DELETE_EXPUNGE
  • FHIR_DELETE_TYPE_IN_COMPARTMENT
  • FHIR_DTR_USER
  • FHIR_EMPI_ADMIN
  • FHIR_EXPUNGE_DELETED
  • FHIR_EXPUNGE_EVERYTHING
  • FHIR_EXPUNGE_PREVIOUS_VERSIONS
  • FHIR_EXTENDED_OPERATION_ON_ANY_INSTANCE
  • FHIR_EXTENDED_OPERATION_ON_ANY_INSTANCE_OF_TYPE
  • FHIR_EXTENDED_OPERATION_ON_SERVER
  • FHIR_EXTENDED_OPERATION_ON_TYPE
  • FHIR_EXTENDED_OPERATION_SUPERUSER
  • FHIR_GET_RESOURCE_COUNTS
  • FHIR_GRAPHQL
  • FHIR_LIVEBUNDLE
  • FHIR_MANAGE_PARTITIONS
  • FHIR_MANUAL_VALIDATION
  • FHIR_MDM_ADMIN
  • FHIR_META_OPERATIONS_SUPERUSER
  • FHIR_MODIFY_SEARCH_PARAMETERS
  • FHIR_OP_APPLY
  • FHIR_OP_BINARY_ACCESS_READ
  • FHIR_OP_BINARY_ACCESS_WRITE
  • FHIR_OP_CARE_GAPS
  • FHIR_OP_COLLECTDATA
  • FHIR_OP_CQL
  • FHIR_OP_DATAREQUIREMENTS
  • FHIR_OP_EMPI_CLEAR
  • FHIR_OP_EMPI_DUPLICATE_PERSONS
  • FHIR_OP_EMPI_MERGE_PERSONS
  • FHIR_OP_EMPI_QUERY_LINKS
  • FHIR_OP_EMPI_SUBMIT
  • FHIR_OP_EMPI_UPDATE_LINK
  • FHIR_OP_ENCOUNTER_EVERYTHING
  • FHIR_OP_EVALUATE
  • FHIR_OP_EVALUATE_MEASURE
  • FHIR_OP_EVALUATE_MEASURES
  • FHIR_OP_EXTRACT
  • FHIR_OP_INITIATE_BULK_DATA_EXPORT
  • FHIR_OP_INITIATE_BULK_DATA_EXPORT_ALL_PATIENTS
  • FHIR_OP_INITIATE_BULK_DATA_EXPORT_GROUP
  • FHIR_OP_INITIATE_BULK_DATA_EXPORT_PATIENT
  • FHIR_OP_INITIATE_BULK_DATA_EXPORT_PATIENTS
  • FHIR_OP_INITIATE_BULK_DATA_EXPORT_SYSTEM
  • FHIR_OP_INITIATE_BULK_DATA_IMPORT
  • FHIR_OP_MDM_CLEAR
  • FHIR_OP_MDM_CREATE_LINK
  • FHIR_OP_MDM_DUPLICATE_GOLDEN_RESOURCES
  • FHIR_OP_MDM_LINK_HISTORY
  • FHIR_OP_MDM_MERGE_GOLDEN_RESOURCES
  • FHIR_OP_MDM_NOT_DUPLICATE
  • FHIR_OP_MDM_QUERY_LINKS
  • FHIR_OP_MDM_SUBMIT
  • FHIR_OP_MDM_UPDATE_LINK
  • FHIR_OP_MEMBER_MATCH
  • FHIR_OP_PACKAGE
  • FHIR_OP_PATIENT_EVERYTHING
  • FHIR_OP_PATIENT_EVERYTHING_ACCESS_ALL
  • FHIR_OP_PATIENT_MATCH
  • FHIR_OP_PATIENT_SUMMARY
  • FHIR_OP_POPULATE
  • FHIR_OP_PREPOPULATE
  • FHIR_OP_STRUCTUREDEFINITION_SNAPSHOT
  • FHIR_OP_SUBMIT_DATA
  • FHIR_PATCH
  • FHIR_PROCESS_MESSAGE
  • FHIR_READ_ALL_IN_COMPARTMENT
  • FHIR_READ_ALL_OF_TYPE
  • FHIR_READ_INSTANCE
  • FHIR_READ_SEARCH_PARAMETERS
  • FHIR_READ_TYPE_IN_COMPARTMENT
  • FHIR_TRANSACTION
  • FHIR_TRIGGER_SUBSCRIPTION
  • FHIR_UPDATE_REWRITE_HISTORY
  • FHIR_UPLOAD_EXTERNAL_TERMINOLOGY
  • FHIR_WRITE_ALL_IN_COMPARTMENT
  • FHIR_WRITE_ALL_OF_TYPE
  • FHIR_WRITE_INSTANCE
  • FHIR_WRITE_TYPE_IN_COMPARTMENT
  • HFQL_EXECUTE
  • INVOKE_CDS_HOOKS
  • MANAGE_BATCH_JOBS
  • MDM_ADMIN
  • MDM_UPDATE_MATCH_RULES
  • MDM_VIEW_MATCH_RULES
  • MODULE_ADMIN
  • MODULE_ADMIN_FOR_MODULE
  • OIDC_CLIENT_PRESET_PERMISSION
  • OPENID_CONNECT_ADD_CLIENT
  • OPENID_CONNECT_ADD_SERVER
  • OPENID_CONNECT_EDIT_CLIENT
  • OPENID_CONNECT_EDIT_SERVER
  • OPENID_CONNECT_MANAGE_GLOBAL_SESSIONS
  • OPENID_CONNECT_MANAGE_KEYSTORES
  • OPENID_CONNECT_VIEW_CLIENT_LIST
  • OPENID_CONNECT_VIEW_SERVER_LIST
  • PACKAGE_REGISTRY_READ
  • PACKAGE_REGISTRY_WRITE
  • REINSTATE_MODULE
  • ROLE_ANONYMOUS
  • ROLE_FHIR_CLIENT
  • ROLE_FHIR_CLIENT_SUPERUSER
  • ROLE_FHIR_CLIENT_SUPERUSER_RO
  • ROLE_FHIR_TERMINOLOGY_READ_CLIENT
  • ROLE_MDMUI_ADMIN_FHIR
  • ROLE_MDMUI_DATASTEWARD_FHIR
  • ROLE_SUPERUSER
  • ROLE_SYSTEM
  • ROLE_SYSTEM_INITIALIZATION
  • SAVE_USER
  • START_STOP_MODULE
  • START_STOP_MODULE_FOR_MODULE
  • SUBMIT_ATTACHMENT
  • UPDATE_MODULE_CONFIG
  • UPDATE_MODULE_CONFIG_FOR_MODULE
  • UPDATE_USER
  • USE_CDA_TEMPLATE
  • VIEW_AUDIT_LOG
  • VIEW_BATCH_JOBS
  • VIEW_CDA_TEMPLATE
  • VIEW_METRICS
  • VIEW_MODULE_CONFIG
  • VIEW_MODULE_CONFIG_FOR_MODULE
  • VIEW_MODULE_STATUS
  • VIEW_TRANSACTION_LOG
  • VIEW_TRANSACTION_LOG_EVENT
  • VIEW_USERS
argument String The argument for this authority. Note that some permissions do not take an argument while others require an argument. Consult the permission documentation for more information.

40.20.24 Hl7V2GeneratedMessageContext

 

Contains details about a converted/generated HL7 v2.x message

40.20.25 Hl7V2ReceivedMessage

 

Contains a received HL7 v2.x Message

40.20.25.1 Properties

Name Type Description
received Date (Instant) The time at which this message was received
rawMessage HL7 v2.x Message The actual HL7 message that was received
controlId String The message control ID (MSH-10)
sendingPort Int The port on the remote system from which the message was sent
sendingPort String The host IP of the remote system from which the message was sent
transactionPid Long The PID assigned to this transaction by the transaction log

40.20.26 Hl7V2ReceivedMessageConversionResult

 

Contains the result of an HL7 v2.x message runtime mapping or the conversion outcome of an HL7 v2.x message (into a FHIR payload)

40.20.26.1 Properties

Name Type Description
doNotProcess Boolean A flag to indicate whether or not a given message should be processed
doNotAutoConvert Boolean A flag to indicate whether or not a given message should be passed through the Smile CDR built-in message translations. Set this to true in order to skip built-in message translation entirely.
transactionBundles Array<FHIR Resource> An array of Bundle resources containing transactions to be submitted to the FHIR server

40.20.26.2 Functions

Name Description
addTransaction(theTransaction)
Add a FHIR transaction to process

Return Type: void
Parameter theTransaction: theTransaction
addMessage(thePath, theMessageLevel, theIssue)
This method adds a message to the conversion result. Acceptable message levels are INFO, WARNING, and ERROR

Return Type: void
Parameter thePath: thePath
Parameter theMessageLevel: theMessageLevel
Parameter theIssue: theIssue

40.20.27 LaunchContext

 

Represents a SMART launch context that has been assigned to a specific user session. This structure uses launch context type (e.g. patient).

40.20.27.1 Properties

Name Type Description
contextType String The launch context type, e.g. "patient" (note the lack of capitalization in SMART launch scope types)
resourceId String The launch context resource ID, e.g. "123" (note that the resource type is not included in the ID)

40.20.28 LaunchContextParameter

 

Represents launch context parameters to be added to a specific user session

40.20.28.1 Properties

Name Type Description
parameterName String The parameter name (need_patient_banner, smart_style_url)
parameterValue String The parameter value

40.20.29 LaunchResourceId

 

Represents a SMART launch context that has been assigned to a specific user session. This structure uses resource type (e.g. Patient).

40.20.29.1 Properties

Name Type Description
resourceType String The resource type, e.g. 'Patient'
resourceId String The resource ID, e.g. '123'

40.20.30 MegaScaleCredentialRequest

 

Request object for a MegaScale database credential request

40.20.30.1 Properties

Name Type Description
partitionId Int The numeric ID for the given partition
partitionName String The name for the given partition

40.20.31 MegaScaleCredentialResponse

 

Response object for a MegaScale database credential request

40.20.31.1 Properties

Name Type Description
databaseUrl String The JDBC database connection URL
databaseUsername String The JDBC database connection username
databasePassword String The JDBC database connection password
databaseInitializationStatements Array<String> Any statements returned here will be issued to the database as raw SQL if the database is found to be empty, immediately after the Smile CDR database schema is initialized.

40.20.32 OAuth2AuthorizationRequestDetails

 

Contains details about an OAuth2/OIDC request in progress

40.20.32.1 Properties

Name Type Description
clientId String Contains the authorizing client ID
memberId String The member id obtained from the $member-match operation.
consentResource String The consent resource obtained from the $member-match operation.

40.20.32.2 Functions

Name Description
getRequestParameters()
Retrieve all initial OAuth2 authorization request parameters

Return Type: Map<String,String>
addRequestParameter(theName, theValue)
Add a request parameter to the generated access token

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
addAccessTokenClaim(theName, theValue)
Add an additional claim to the generated access token.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
addTokenResponseValue(theName, theValue)
Add an additional key/value pair to the response object for the token request. Unlike addAccessTokenClaim(...), this method does not add the claim to any generated tokens, but instead adds an additional key/value pair to the JSON object used as the Token Response for an Access Token Request. This applies both to interactive/launch flows such as Authorization Code and to non-interactive/system flows such as Client Credentials with JWT Credential.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
getLaunch()
Retrieve the value of the launch URL parameter from the initial OAuth2 authorization request

Return Type: String
setLaunch(theLaunch)
Set the value of the launch URL parameter from the initial OAuth2 authorization request

Return Type: void
Parameter theLaunch: theLaunch
getAudience()
Retrieve the initial OAuth2 aud request parameter value

Return Type: String
setAudience(theAudience)
Set the value of the aud URL parameter from the initial OAuth2 authorization request

Return Type: void
Parameter theAudience: theAudience
getState()
Retrieve the value of the state URL parameter from the initial OAuth2 authorization request

Return Type: String
setState(theState)
Set the value of the state URL parameter from the initial OAuth2 authorization request

Return Type: void
Parameter theState: theState

40.20.33 OAuth2Client

 

Represents an OpenID Connect client

40.20.33.1 Properties

Name Type Description
moduleId String The Module ID that this client is registered against
nodeId String The Node ID that this client is registered against
userData Map<String,Object> The user data for this session.
pid Long The internal ID for this client.
accessTokenValiditySeconds Int The number of seconds that an access token should be valid once it has been created.
allowedGrantTypes Set<Enumeration> The grant types that this client is permitted to perform. See Authorization Flows for a description of the possible flows.

Options:

  • AUTHORIZATION_CODE
  • CLIENT_CREDENTIALS
  • IMPLICIT
  • JWT_BEARER
  • PASSWORD
  • REFRESH_TOKEN
autoApproveScopes Set<String> Scopes listed here will be automatically approved if requested by the client during the initial authorization request, without requiring the user to explicitly accept them.
autoGrantScopes Set<String> Scopes listed here will be automatically granted during every successful authorization by this client. These scopes do not have to be explicitly requested by the client during the initial authorization request.
clientId String The Client ID (corresponds to the iss field in many OAuth2 exchanges).
clientName String A human friendly description/name for the client.
clientSecrets Array<OAuth2ClientSecret> Optionally contains client secrets to be used by the client in some grant types.
fixedScope Boolean Is this client fixed scope? When authorizing a fixed scope client, the list of scopes requested in the initial authorization request will be ignored, and the complete list of scopes in the Scope property will be assumed. If these scopes are not listed as Auto-Approve, the user will still be required to approve them.
refreshTokenValiditySeconds Int The number of seconds that a refresh token will be valid for.
registeredRedirectUris Set<String> The allowable redirect URIs that may be requested.
scopes Set<String> A list of OAuth2 scopes that the client is allowed to request user approval for.
secretRequired Boolean Is the client secret required in order to authenticate this client?
secretClientCanChange Boolean Can the client change their own secret?
enabled Boolean Is the client enabled?
canIntrospectOwnTokens Boolean Can this client perform token introspection on tokens that it issued?
canIntrospectAnyTokens Boolean Can this client perform token introspection on any tokens issued by the security module it is registered against?
alwaysRequireApproval Boolean Should the user approval page be displayed even if the client has not requested any scopes that require user approval?
canReissueTokens Boolean Can the OAuth2 server reissue tokens that have been previously issued for this client, if the token request is the same (e.g. for the same user, requesting the same scopes, etc.) and the token is not close to expiry?
permissions Array<GrantedAuthority> Any permission that should be granted directly to the client when it authenticates using the Client Credentials Grant.
rememberApprovedScopes Boolean When a user performs an OAuth2 authentication/authorization flow for this client, should their approved scopes be remembered the next time they authenticate?
attestationAccepted Boolean Has the client developer attested to the policy?
publicJwks String The public JWKS Keystore for this client. Used when the client authenticated using a bearer token.
jwksUrl String A public endpoint location of the JWK Set. If present, this will be used before any public JWKS on the client directly.
archivedAt Date (Instant) The time at which this client was archived, if it has been.
createdByAppSphere Boolean
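
Several of the OAuth2Client properties above determine how much a client can do without user involvement. The following added example (not Smile CDR code) reviews a client definition expressed as a plain object using the property names from this table and the permission names from GrantedAuthority; `reviewOAuth2Client()`, the finding ids, the scope heuristic and the sample client are hypothetical. The grant-type checks follow the OAuth 2.0 Security Best Current Practice (RFC 9700), which advises against the implicit and password grants.

```javascript
// Added example: review of an OAuth2Client definition for risky settings.
// Property and permission names come from this page; reviewOAuth2Client(),
// the finding ids and the scope heuristic are hypothetical.

const BROAD_PERMISSIONS = new Set(['ROLE_SUPERUSER', 'ROLE_FHIR_CLIENT_SUPERUSER',
  'FHIR_ALL_WRITE', 'FHIR_ALL_DELETE']);
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);
const AUTO_SCOPE_PROPS = {
  autoApproveScopes: 'AUTO_APPROVE_SENSITIVE_SCOPE',
  autoGrantScopes: 'AUTO_GRANT_SENSITIVE_SCOPE'
};

// Heuristic (assumption): wildcard SMART scopes and offline_access deserve explicit consent.
function isSensitiveScope(scope) {
  return scope === 'offline_access' || scope.includes('*');
}

function reviewOAuth2Client(client, now = new Date()) {
  const findings = [];
  // Disabled or archived clients cannot obtain tokens, so they are skipped.
  if (client.enabled === false || client.archivedAt) return findings;
  const add = (id, detail) => findings.push({ clientId: client.clientId, id, detail });
  const grants = new Set(client.allowedGrantTypes || []);

  if (grants.has('IMPLICIT')) add('GRANT_IMPLICIT', 'access token is returned through the browser redirect');
  if (grants.has('PASSWORD')) add('GRANT_PASSWORD', 'client handles the user password directly');

  // Client credentials with neither a required secret nor registered keys.
  const hasKeys = Boolean(client.publicJwks || client.jwksUrl);
  if (grants.has('CLIENT_CREDENTIALS') && client.secretRequired === false && !hasKeys) {
    add('UNAUTHENTICATED_CLIENT_CREDENTIALS', 'no secret required and no JWKS registered');
  }

  for (const uri of client.registeredRedirectUris || []) {
    let parsed;
    try {
      parsed = new URL(uri);
    } catch (e) {
      add('REDIRECT_URI_INVALID', uri);
      continue;
    }
    if (parsed.protocol === 'http:' && !LOCAL_HOSTS.has(parsed.hostname)) {
      add('REDIRECT_URI_PLAINTEXT', uri);
    }
  }

  for (const [prop, id] of Object.entries(AUTO_SCOPE_PROPS)) {
    const risky = [...(client[prop] || [])].filter(isSensitiveScope);
    if (risky.length > 0) add(id, risky.join(' '));
  }

  if (client.canIntrospectAnyTokens === true) {
    add('INTROSPECT_ANY_TOKEN', 'client can introspect tokens issued to other clients');
  }
  for (const authority of client.permissions || []) {
    if (BROAD_PERMISSIONS.has(authority.permission)) add('BROAD_CLIENT_PERMISSION', authority.permission);
  }
  for (const s of client.clientSecrets || []) {
    const label = s.description || `pid ${s.pid}`; // never report s.secret itself
    if (!s.expiration) add('SECRET_NO_EXPIRY', label);
    else if (new Date(s.expiration) <= now) add('SECRET_EXPIRED', label);
  }
  return findings;
}

// Constructed sample client (not taken from the page or a real deployment).
const sampleClient = {
  clientId: 'example-app',
  enabled: true,
  allowedGrantTypes: ['AUTHORIZATION_CODE', 'IMPLICIT', 'CLIENT_CREDENTIALS', 'REFRESH_TOKEN'],
  secretRequired: false,
  registeredRedirectUris: ['https://app.example.org/callback',
    'http://app.example.org/callback', 'http://localhost:9000/cb'],
  scopes: ['openid', 'patient/*.read', 'offline_access'],
  autoApproveScopes: ['openid', 'patient/*.read'],
  autoGrantScopes: [],
  canIntrospectAnyTokens: true,
  permissions: [{ permission: 'FHIR_ALL_READ' }, { permission: 'ROLE_FHIR_CLIENT_SUPERUSER' }],
  clientSecrets: [
    { pid: 1, description: 'initial', secret: 'constructed-1', expiration: '2020-01-01T00:00:00Z' },
    { pid: 2, description: 'rotated', secret: 'constructed-2' }
  ]
};

for (const f of reviewOAuth2Client(sampleClient, new Date('2024-01-01T00:00:00Z'))) {
  console.log(`${f.clientId}\t${f.id}\t${f.detail}`);
}
```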

40.20.33.2 Functions

Name Description
addAuthority(thePermission, theArgument)
Add an authority/permission with an argument to the given user

Return Type: void
Parameter thePermission: thePermission
Parameter theArgument: theArgument
addAuthority(thePermission)
Add an authority/permission to the given user

Return Type: void
Parameter thePermission: thePermission
addUserData(theExtraData)
Add all entries to the user data. A null value will be ignored.

Return Type: void
Parameter theExtraData: theExtraData
setUserData(theName, theValue)
Sets a user supplied data value in the session.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
getUserData(theName)
Get a user supplied data value.

Return Type: Object
Parameter theName: theName
clearUserData(theName)
Clear all user data.

Return Type: void
Parameter theName: theName
setUserDataINN(theName, theValue)
Sets a user supplied data value in the session if value is not null.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
hasUserData(theName)
Has user data for name been set?

Return Type: Boolean
Parameter theName: theName
getUserString(theName)
Get a user supplied data value as a string (converting if needed) or null if unset.

Return Type: String
Parameter theName: theName
getUserInt(theName)
Get a user supplied data value as an integer, converting null/unset to 0.

Return Type: Int
Parameter theName: theName

40.20.34 OAuth2ClientSecret

 

A client secret for an OAuth2 client

40.20.34.1 Properties

Name Type Description
pid Long
secret String
description String
expiration Date (Instant)
activation Date (Instant)

40.20.35 OAuth2ClientSession

 

A client session object contains details about an OIDC client's OAuth2 session (i.e. it was accessed via a bearer token that was granted by a SMART Auth server)

40.20.35.1 Properties

Name Type Description
moduleId String The Module ID that this client is registered against
nodeId String The Node ID that this client is registered against
userData Map<String,Object> The user data for this session.
pid Long The internal ID for this client.
accessTokenValiditySeconds Int The number of seconds that an access token should be valid once it has been created.
allowedGrantTypes Set<Enumeration> The grant types that this client is permitted to perform. See Authorization Flows for a description of the possible flows.

Options:

  • AUTHORIZATION_CODE
  • CLIENT_CREDENTIALS
  • IMPLICIT
  • JWT_BEARER
  • PASSWORD
  • REFRESH_TOKEN
autoApproveScopes Set<String> Scopes listed here will be automatically approved if requested by the client during the initial authorization request, without requiring the user to explicitly accept them.
autoGrantScopes Set<String> Scopes listed here will be automatically granted during every successful authorization by this client. These scopes do not have to be explicitly requested by the client during the initial authorization request.
clientId String The Client ID (corresponds to the iss field in many OAuth2 exchanges).
clientName String A human friendly description/name for the client.
clientSecrets Array<OAuth2ClientSecret> Optionally contains client secrets to be used by the client in some grant types.
fixedScope Boolean Is this client fixed scope? When authorizing a fixed scope client, the list of scopes requested in the initial authorization request will be ignored, and the complete list of scopes in the Scope property will be assumed. If these scopes are not listed as Auto-Approve, the user will still be required to approve them.
refreshTokenValiditySeconds Int The number of seconds that a refresh token will be valid for.
registeredRedirectUris Set<String> The allowable redirect URIs that may be requested.
scopes Set<String> A list of OAuth2 scopes that the client is allowed to request user approval for.
secretRequired Boolean Is the client secret required in order to authenticate this client?
secretClientCanChange Boolean Can the client change their own secret?
enabled Boolean Is the client enabled?
canIntrospectOwnTokens Boolean Can this client perform token introspection on tokens that it issued?
canIntrospectAnyTokens Boolean Can this client perform token introspection on any tokens issued by the security module it is registered against?
alwaysRequireApproval Boolean Should the user approval page be displayed even if the client has not requested any scopes that require user approval?
canReissueTokens Boolean Can the OAuth2 server reissue tokens that have been previously issued for this client, if the token request is the same (e.g. for the same user, requesting the same scopes, etc.) and the token is not close to expiry?
permissions Array<GrantedAuthority> Any permission that should be granted directly to the client when it authenticates using the Client Credentials Grant.
rememberApprovedScopes Boolean When a user performs an OAuth2 authentication/authorization flow for this client, should their approved scopes be remembered the next time they authenticate?
attestationAccepted Boolean Has the client developer attested to the policy?
publicJwks String The public JWKS Keystore for this client. Used when the client authenticates using a bearer token.
jwksUrl String A public endpoint location of the JWK Set. If present, this will be used before any public JWKS on the client directly.
archivedAt Date (Instant) The time at which this client was archived, if it has been.
createdByAppSphere Boolean

40.20.35.2Functions

Name Description
addAuthority(thePermission, theArgument)
Add an authority/permission with an argument to the given user

Return Type: void
Parameter thePermission: thePermission
Parameter theArgument: theArgument
addAuthority(thePermission)
Add an authority/permission to the given user

Return Type: void
Parameter thePermission: thePermission
addUserData(theExtraData)
Add all entries to the user data. A null value will be ignored.

Return Type: void
Parameter theExtraData: theExtraData
setUserData(theName, theValue)
Sets a user supplied data value in the session.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
getUserData(theName)
Get a user supplied data value.

Return Type: Object
Parameter theName: theName
clearUserData(theName)
Clear all user data.

Return Type: void
Parameter theName: theName
setUserDataINN(theName, theValue)
Sets a user supplied data value in the session if value is not null.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
hasUserData(theName)
Has user data for name been set?

Return Type: Boolean
Parameter theName: theName
getUserString(theName)
Get a user supplied data value as a string (converting if needed) or null if unset.

Return Type: String
Parameter theName: theName
getUserInt(theName)
Get a user supplied data value as an integer, converting null/unset to 0.

Return Type: Int
Parameter theName: theName

40.20.36OAuth2Clients

 

A collection of OAuth2 clients

40.20.36.1Properties

Name Type Description
clients Array<OAuth2Client>
pageIndex Int
totalPages Int

40.20.36.2Example

{
  "clients" : [ {
    "clientId" : "my-client-id",
    "clientName" : "Sample Client",
    "enabled" : false,
    "allowedGrantTypes" : [ "AUTHORIZATION_CODE", "REFRESH_TOKEN" ],
    "alwaysRequireApproval" : false,
    "attestationAccepted" : false,
    "canIntrospectAnyTokens" : false,
    "canIntrospectOwnTokens" : false,
    "canReissueTokens" : false,
    "clientSecrets" : [ {
      "secret" : "THIS_IS_A_CLIENT_SECRET",
      "expiration" : "2025-12-03T10:54:14.059+00:00",
      "activation" : "2024-12-03T10:54:14.059+00:00"
    } ],
    "createdByAppSphere" : false,
    "fixedScope" : false,
    "registeredRedirectUris" : [ "http://example.com/app-redirect" ],
    "rememberApprovedScopes" : false,
    "scopes" : [ "openid", "patient/*.read", "profile" ],
    "secretClientCanChange" : false,
    "secretRequired" : true
  } ],
  "pageIndex" : 0,
  "totalPages" : 0
}
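The properties above decide how much a registered client can do, so a client list in this shape is worth linting. The following is an added example, not Smile CDR code: the rule names and the second and third sample clients are constructed here, and the first sample client mirrors the example above.

```javascript
// Added example: lint an OAuth2Clients document for risky client settings.
// Property names come from the OAuth2Client table; rule names are constructed here.
const LEGACY_GRANTS = new Set(["IMPLICIT", "PASSWORD"]);
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns "cleartext" for http:// to a non-loopback host, "unparseable" for a bad URL, else null.
function classifyUrl(uri) {
  try {
    const parsed = new URL(uri);
    return parsed.protocol === "http:" && !LOOPBACK_HOSTS.has(parsed.hostname) ? "cleartext" : null;
  } catch (e) {
    return "unparseable";
  }
}

function auditClient(client, nowMillis) {
  const findings = [];
  const add = (rule, detail) => findings.push({ clientId: client.clientId, rule, detail });
  const grants = client.allowedGrantTypes || [];

  // A cleartext redirect URI exposes the authorization code in transit.
  for (const uri of client.registeredRedirectUris || []) {
    const problem = classifyUrl(uri);
    if (problem) add(problem + "-redirect-uri", uri);
  }
  // Implicit and password grants are discouraged by OAuth 2.0 security guidance (RFC 9700).
  for (const grant of grants) {
    if (LEGACY_GRANTS.has(grant)) add("legacy-grant-type", grant);
  }
  // Heuristic: Client Credentials with neither a required secret nor a registered key.
  const hasKey = Boolean(client.publicJwks || client.jwksUrl);
  if (grants.includes("CLIENT_CREDENTIALS") && client.secretRequired !== true && !hasKey) {
    add("client-credentials-without-authentication", "secretRequired is not true and no JWKS is set");
  }
  // A JWKS fetched over cleartext can be swapped by anyone on the network path.
  if (client.jwksUrl && classifyUrl(client.jwksUrl)) {
    add(classifyUrl(client.jwksUrl) + "-jwks-url", client.jwksUrl);
  }
  if (client.canIntrospectAnyTokens === true) {
    add("broad-introspection", "canIntrospectAnyTokens");
  }
  // Wildcard scopes that are approved or granted without the user deciding.
  for (const prop of ["autoApproveScopes", "autoGrantScopes"]) {
    for (const scope of client[prop] || []) {
      if (scope.includes("*")) add("wildcard-auto-scope", prop + ": " + scope);
    }
  }
  // Secrets are reported by index only, so the report never carries a secret value.
  (client.clientSecrets || []).forEach((entry, index) => {
    const where = "clientSecrets[" + index + "]";
    if (!entry.expiration) add("secret-without-expiry", where);
    else if (Date.parse(entry.expiration) <= nowMillis) add("secret-expired", where);
  });
  return findings;
}

function auditOAuth2Clients(doc, nowMillis) {
  return (doc.clients || [])
    .filter((client) => !client.archivedAt) // archived clients are skipped
    .flatMap((client) => auditClient(client, nowMillis));
}

// Constructed sample input in the OAuth2Clients shape.
const SAMPLE_CLIENTS = {
  clients: [
    {
      clientId: "my-client-id",
      enabled: false,
      allowedGrantTypes: ["AUTHORIZATION_CODE", "REFRESH_TOKEN"],
      canIntrospectAnyTokens: false,
      clientSecrets: [{
        secret: "THIS_IS_A_CLIENT_SECRET",
        expiration: "2025-12-03T10:54:14.059+00:00",
        activation: "2024-12-03T10:54:14.059+00:00"
      }],
      registeredRedirectUris: ["http://example.com/app-redirect"],
      scopes: ["openid", "patient/*.read", "profile"],
      secretRequired: true
    },
    {
      clientId: "constructed-batch-client",
      enabled: true,
      allowedGrantTypes: ["CLIENT_CREDENTIALS", "IMPLICIT"],
      autoGrantScopes: ["system/*.read"],
      canIntrospectAnyTokens: true,
      clientSecrets: [{ secret: "CONSTRUCTED_VALUE", activation: "2024-01-01T00:00:00.000+00:00" }],
      registeredRedirectUris: ["http://localhost:8080/cb"],
      secretRequired: false
    },
    {
      clientId: "constructed-archived-client",
      archivedAt: "2024-06-01T00:00:00.000+00:00",
      allowedGrantTypes: ["PASSWORD"]
    }
  ]
};

console.log(auditOAuth2Clients(SAMPLE_CLIENTS, Date.parse("2025-06-01T00:00:00Z")));
```

The second argument is the reference time for the expiry check, passed in so that results are reproducible.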

40.20.37OAuth2Keystore

 

An OAuth2/OIDC Keystore definition

40.20.37.1Properties

Name Type Description
keystoreId String The user specified ID for this keystore.
jsonKeys String JSON blob of keys to use. If filePath is defined, this is ignored.
filePath String A path to the file location that defines the keys. This path uses the format of a Resource Path.

40.20.38OAuth2Keystores

 

A collection of OAuth2/OIDC Keystore definitions

40.20.38.1Properties

Name Type Description
keystores Array<OAuth2Keystore> The keystore definitions

40.20.39OAuth2Server

 

An OAuth2/OpenID Connect server definition

40.20.39.1Properties

Name Type Description
pid Long The internal persistence ID for this provider.
name String A user friendly name/description of this provider.
issuer String The issuer URL.
tokenIntrospectionClientId String The client ID to use when performing token introspection against this provider. The client ID and client secret may also be used for client authentication during code exchange if the federationClientAuthenticationMethod is set to a client secret method.
tokenIntrospectionClientSecret String The client secret to use when performing token introspection against this provider. The client ID and client secret may also be used for client authentication during code exchange if the federationClientAuthenticationMethod is set to a client secret method.
nodeId String The Node ID for the security module that this definition applies to.
moduleId String The security Module ID that this definition applies to.
validationJwkText String A JSON document containing the JWK Set containing the public key used to validate signed tokens issued by this server. This is not required for federated server definitions but is required otherwise.
validationJwkFile String A local file path / classpath to use to supply the JWK Set containing the public key used to validate signed tokens issued by this server. This field applies only to non-federated providers.
federationRegistrationId String A unique identifier for the federation between Smile CDR and the federated provider. If this is left blank, a unique value will be automatically created by Smile CDR. You may choose to use a more descriptive value however, as it will appear in URLs and log statements. Since this value will appear in URL paths, only letters and numbers should be used with no whitespace.
federationRequestScopes String When requesting authorization against the federated provider, this setting controls which OAuth2 scopes will be requested. Note that the scopes requested by the security module from the federated provider are independent from the scopes requested by the SMART application that is authorizing against Smile CDR. In a typical flow, a SMART on FHIR application will request SMART scopes from Smile CDR, and Smile CDR will in turn request a different set of appropriate scopes from the federated provider.
federationAuthorizationUrl String The URL to redirect the requesting user to in order to request user authentication/authorization with the federated provider.
federationTokenUrl String The service URL used by the SMART Outbound Security module for code exchange when requesting a token from the federated provider.
federationUserInfoUrl String The service URL used by the SMART Outbound Security module for requesting user details.
federationJwkSetUrl String The URL from which to obtain the federated provider's token signing public key.
federationAuthScriptText String When using Federated OAuth2/OIDC Login, a script is used to bridge between the user authorization details received from the federated provider and the requested authorization details in the originating SMART on FHIR application. This script is used to assign appropriate permissions and inject any other required details into the user session. It may obtain all required information by inspecting the access token details, or it may make additional service calls to fetch information.
federationUserMappingScriptText String When using Federated OAuth2/OIDC Login, an optional script that is used to create a Smile CDR user name from the federated login details.
clientAuthenticationMethod Enumeration The OIDC client authentication mechanism to use during federated OIDC login when performing code exchange between Smile CDR and the federated provider.

Options:

  • CLIENT_SECRET_BASIC
  • CLIENT_SECRET_POST
  • NONE
  • PRIVATE_KEY_JWT
clientAuthenticationKeystoreId String If the client authentication method is set to PRIVATE_KEY_JWT, this property specifies the Keystore ID to use for signing the credential JWT.
fhirEndpointUrl String The FHIR Endpoint URL associated to this OIDC Server. P2P specific-optional
authWellKnownConfigUrl String The auth well-known configuration URL associated to this OIDC Server to retrieve FHIR data. P2P specific-optional
notes String Registration URL, etc. P2P specific-optional
customTokenParams String Customized token parameters for this OIDC Server. P2P specific-optional
responseType String The response type for the associated OIDC Server. P2P specific-optional
organizationId String The identification code used to specify an organization or business. (i.e. Payer ID/a five-digit standardized industry identifier used by payers). P2P specific-optional
audience String The audience parameter. Defines the intended consumer of the token. P2P specific-optional
archivedAt Date (Instant) The time at which this module was archived, if it has been.

40.20.40OAuth2Servers

 

A collection of OAuth2/OpenID Connect server definitions

40.20.40.1Properties

Name Type Description
servers Array<OAuth2Server>
pageIndex Int
totalPages Int

40.20.40.2Example

{
  "servers" : [ {
    "issuer" : "http://idp.example.com",
    "name" : "Acme Identity Provider Corp",
    "tokenIntrospectionClientId" : "my-client-id",
    "tokenIntrospectionClientSecret" : "THIS_IS_A_CLIENT_SECRET"
  } ],
  "pageIndex" : 0,
  "totalPages" : 0
}

40.20.41OAuth2SmartContextSelectionChoicePerson

 

A person to use as an option for context selection.

40.20.41.1Properties

Name Type Description
familyName String
givenName String
birthDate String The birth date associated with this person. Note that this element is treated as a free-text string, and any format is accepted.
userData Map<String,Object> The user data for this person.
id String A unique ID for the person entry. This property is set automatically and can not be changed.
associatedPatientContextResourceId String
associatedAuthorities Array<GrantedAuthority>
autoGrantScopes Set<String> The auto granted scopes for this person
requestedScopes Set<String> The requested scopes for this person

40.20.41.2Functions

Name Description
addAutoGrantScopes(theScopes)
Add auto-grant scopes that will not be shown to the user. Supports multiple whitespace separated scopes.

Return Type: void
Parameter theScopes: theScopes
addRequestedScopes(theScopes)
Add scopes to the client request for approval by the user. Supports multiple whitespace separated scopes.

Return Type: void
Parameter theScopes: theScopes
removeAutoGrantScopes(theScopes)
Remove auto-grant scopes that will not be shown to the user. Supports multiple whitespace separated scopes.

Return Type: void
Parameter theScopes: theScopes
removeRequestedScopes(theScopes)
Remove scopes from the client request for approval by the user. Supports multiple whitespace separated scopes.

Return Type: void
Parameter theScopes: theScopes
addUserData(theExtraData)
Add all entries to the user data. A null value will be ignored.

Return Type: void
Parameter theExtraData: theExtraData
setUserData(theName, theValue)
Sets a user supplied data value in the session.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
getUserData(theName)
Get a user supplied data value.

Return Type: Object
Parameter theName: theName
clearUserData(theName)
Clear all user data.

Return Type: void
Parameter theName: theName
setUserDataINN(theName, theValue)
Sets a user supplied data value in the session if value is not null.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
hasUserData(theName)
Has user data for name been set?

Return Type: Boolean
Parameter theName: theName
getUserString(theName)
Get a user supplied data value as a string (converting if needed) or null if unset.

Return Type: String
Parameter theName: theName
getUserInt(theName)
Get a user supplied data value as an integer, converting null/unset to 0.

Return Type: Int
Parameter theName: theName
addAuthority(thePermission, theArgument)
Add an authority/permission with an argument to the given user

Return Type: void
Parameter thePermission: thePermission
Parameter theArgument: theArgument
addAuthority(thePermission)
Add an authority/permission to the given user

Return Type: void
Parameter thePermission: thePermission

40.20.42OAuth2SmartContextSelectionChoices

 

This object represents a set of context choices that can be selected from by a user authorizing an app via the SMART Outbound Security module.

40.20.42.1Properties

Name Type Description
persons Array<OAuth2SmartContextSelectionChoicePerson> persons
customScopeDisplay Map<String,String> Custom Scope Display

40.20.42.2Functions

Name Description
addPerson()
Adds and returns a person object

Return Type: OAuth2SmartContextSelectionChoicePerson
haveChoices()
Returns true if one or more persons has been added to this object

Return Type: Boolean
addDisplayTranslation(theScope, theDisplayText)
Add custom display name for the scope

Return Type: void
Parameter theScope: theScope
Parameter theDisplayText: theDisplayText

40.20.43Oauth2InvalidateTokensResponseJson

 

Response object when invalidating OpenID Connect tokens

40.20.43.1Properties

Name Type Description
accessTokenCount Int The count of invalidated access tokens
refreshTokenCount Int The count of invalidated refresh tokens

40.20.44PackageInstallationSpec

 

Defines a set of instructions for package installation

40.20.44.1Properties

Name Type Description
packageUrl String The direct package URL
name String The NPM package Name
version String The direct package version
installMode Enumeration Should resources from this package be extracted from the package and installed into the repository individually

Options:

  • STORE_AND_INSTALL
  • STORE_ONLY
installResourceTypes Array<String> If resources are being installed individually, this list provides the resource types to install. By default, all conformance resources will be installed.
fetchDependencies Boolean Should dependencies be automatically resolved, fetched and installed with the same settings
reloadExisting Boolean Should existing resources be reloaded. Defaults to true, but can be set to false to avoid re-index operations for existing search parameters

40.20.44.2Example

{
  "name" : "hl7.fhir.us.core",
  "version" : "3.1.0",
  "installMode" : "STORE_ONLY",
  "reloadExisting" : true,
  "fetchDependencies" : true
}

40.20.44.3Example

{
  "name" : "com.example.my-resources",
  "version" : "1.0",
  "packageUrl" : "classpath:/my-resources.tgz",
  "installMode" : "STORE_AND_INSTALL",
  "installResourceTypes" : [ "Organization", "Medication", "PlanDefinition", "SearchParameter" ],
  "reloadExisting" : true,
  "fetchDependencies" : false
}

40.20.45PartitionDefinition

 

A partition definition

40.20.45.1Properties

Name Type Description
id Int
name String
description String

40.20.46PartitionDefinitions

 

A collection of partition definitions

40.20.46.1Properties

Name Type Description
partitions Array<PartitionDefinition>

40.20.46.2Example

{
  "partitions" : [ {
    "id" : 1,
    "name" : "Partition-A",
    "description" : "The first partition"
  }, {
    "id" : 2,
    "name" : "Partition-B",
    "description" : "The second partition"
  } ]
}

40.20.47RequestDetailsJson

 

This object contains details about a FHIR request at runtime

40.20.47.1Properties

Name Type Description
approvedScopes Set<String>
tenantId String
compartmentName String
completeUrl String
fhirServerBase String
id String
operation String
requestPath String
requestType Enumeration

Options:

  • CONNECT
  • DELETE
  • GET
  • HEAD
  • OPTIONS
  • PATCH
  • POST
  • PUT
  • TRACE
  • TRACK
resourceName String
respondGzip Boolean
restOperationType Enumeration

Options:

  • ADD_TAGS
  • BATCH
  • CREATE
  • DELETE
  • DELETE_TAGS
  • EXTENDED_OPERATION_INSTANCE
  • EXTENDED_OPERATION_SERVER
  • EXTENDED_OPERATION_TYPE
  • GET_PAGE
  • GET_TAGS
  • GRAPHQL_REQUEST
  • HISTORY_INSTANCE
  • HISTORY_SYSTEM
  • HISTORY_TYPE
  • META
  • METADATA
  • META_ADD
  • META_DELETE
  • PATCH
  • READ
  • SEARCH_SYSTEM
  • SEARCH_TYPE
  • TRANSACTION
  • UPDATE
  • UPDATE_REWRITE_HISTORY
  • VALIDATE
  • VREAD
secondaryOperation String
subRequest Boolean

40.20.47.2Functions

Name Description
getParameters(theParameterName)
Returns an array of URL values for the given parameter

Return Type: Array<String>
Parameter theParameterName: theParameterName
getHeader(theHeaderName)
Returns an array of HTTP header values for the given key

Return Type: Array<String>
Parameter theHeaderName: theHeaderName

40.20.48ScriptAuthenticationOutcomeFactory

 

This object is used by authorization scripts to create success or failure objects to be returned by the script function.

40.20.48.1Functions

Name Description
newSuccess()
This method creates a successful response that can be populated by the script, and then returned by the function.

Return Type: UserSessionDetails
newFailure()
This method creates a failure response that can be populated by the script, and then returned by the function.

Return Type: AuthenticationFailure

40.20.49ScriptConsentContextServices

 

This object is passed to consent services scripts to provide context services

40.20.49.1Functions

Name Description
proceed()
Advise the consent service that this operation should proceed (i.e. the operation will not be rejected, and the consent service will continue to evaluate)

Return Type: void
reject()
Advise the consent service that this operation should be rejected

Return Type: void
authorized()
Advise the consent service that this operation should be authorized (i.e. no further checking should occur)

Return Type: void

40.20.50SecurityInLdapAuthenticationContext

 

Provides details and functions around the context of an authentication using the LDAP Inbound Security module. Objects of this type inherit all properties of their ancestor type AuthenticationContext.

40.20.50.1Properties

Name Type Description
nodeId String The node ID associated with the request
moduleId String The module ID associated with the request
startTime Date (Instant) The time at which the initial HTTP request was received
remoteAddress String The IP address of the remote party to invoke the service
remoteScheme String The protocol used by the remote party to invoke the service (will generally be http or https)
headers Map<String,String> The headers associated with the request

40.20.50.2Functions

Name Description
getStringAttributes(theAttributeName)
Fetch string attribute values for the given attribute name in LDAP for the authenticated user

Return Type: Array<String>
Parameter theAttributeName: theAttributeName
isMemberOfGroup(theGroupDn, theMemberAttribute)
Return true if the authenticated user is in the given group

Return Type: Boolean
Parameter theGroupDn: theGroupDn
Parameter theMemberAttribute: theMemberAttribute
isMemberOfGroup(theGroupDn)
Return true if the authenticated user is in the given group using member as membership attribute

Return Type: Boolean
Parameter theGroupDn: theGroupDn
isMemberOfGroup(theGroupDn, theMemberAttribute, theSearchBaseDn)
Return true if the authenticated user is in the given group. LDAP static groups with class:groupOfNames use member to enumerate members. This is the default value for theMemberAttribute. But if the group is defined differently (e.g. groupOfUniqueNames uses uniqueMember), pass that attribute name as theMemberAttribute. Use theSearchBaseDn to (optionally) scope the search for groups.

Return Type: Boolean
Parameter theGroupDn: theGroupDn
Parameter theMemberAttribute: theMemberAttribute
Parameter theSearchBaseDn: theSearchBaseDn
queryStringAttributes(theAttributeName)
Query string attribute values for the given attribute name in LDAP for the authenticated user. Useful for fetching dynamic attributes not loaded during the authentication bind.

Return Type: Array<String>
Parameter theAttributeName: theAttributeName

40.20.51SecurityInSmartAuthenticationContext

 

Provides the context for the onAuthenticateSuccess callback method on the SMART Inbound Security module. Objects of this type inherit all properties of their ancestor type AuthenticationContext.

40.20.51.1Properties

Name Type Description
nodeId String The node ID associated with the request
moduleId String The module ID associated with the request
startTime Date (Instant) The time at which the initial HTTP request was received
remoteAddress String The IP address of the remote party to invoke the service
remoteScheme String The protocol used by the remote party to invoke the service (will generally be http or https)
headers Map<String,String> The headers associated with the request

40.20.51.2Functions

Name Description
getClaim(theName)
This function gets any claim in the claims map, returning the JSON value found there. If no claim exists with the given name, null is returned.

Return Type: Object
Parameter theName: theName
getStringClaim(theName)
This function returns the claim contained within the encoded ID token JWT. The claim value is expected to be a string.

Return Type: String
Parameter theName: theName
getClaims()
This function gets all claims from the token as a claims map.

Return Type: Map<String,Object>
getApprovedScopes()
This function returns an array of the approved scopes

Return Type: Set<String>
hasApprovedScope(theScope)
This function returns true if the session has been approved for the given OAuth2 scope

Return Type: Boolean
Parameter theScope: theScope
getStringArrayClaim(theName)
This function returns the claim contained within the encoded ID token JWT. The claim value is expected to be an array of strings.

Return Type: Array<String>
Parameter theName: theName

40.20.52SmartCodapAuthorizationRequest

 

This object is passed to the SMART Cross-Organization Data Access Profile authorization callback script

40.20.52.1Properties

Name Type Description
requestingPractitioner FHIR Resource
requestedRecord FHIR Resource
reasonForRequest String
clientId String
scope Set<String>
rawAuthorizationToken String
rawAuthenticationToken String

40.20.53SmartOnPostAuthorizeDetails

 

This class represents a completed SMART Authorization. It contains details about the authorization, what was granted, who it was granted to, etc.

40.20.53.1Properties

Name Type Description
grantType String
accessToken String
grantedScopes Set<String>
expiration Date (Instant)
requestingPractitioner FHIR Resource
requestedRecord FHIR Resource
refreshToken String

40.20.54SmartScopeAuthorityNarrowingResult

 

This object is used as an argument to the onSmartScopeAuthorityNarrowing(...) function, which is invoked after SMART scopes have been applied to narrow a user/client's session permissions.

40.20.54.1Functions

Name Description
hasScope(theScope)
Checks whether the given scope has been authorized for the current session, either because it was requested and approved, or because it was automatically granted.

Return Type: Boolean
Parameter theScope: theScope
hasInputAuthority(thePermissionName)
Tests whether an authority was present on the session prior to any scope-based narrowing.

Return Type: Boolean
Parameter thePermissionName: thePermissionName
hasInputAuthority(thePermissionName, theArgument)
Tests whether an authority was present on the session prior to any scope-based narrowing.

Return Type: Boolean
Parameter thePermissionName: thePermissionName
Parameter theArgument: theArgument
hasOutputAuthority(thePermissionName)
Tests whether an authority was present on the session after any scope-based narrowing.

Return Type: Boolean
Parameter thePermissionName: thePermissionName
hasOutputAuthority(thePermissionName, theArgument)
Tests whether an authority was present on the session after any scope-based narrowing.

Return Type: Boolean
Parameter thePermissionName: thePermissionName
Parameter theArgument: theArgument
addOutputAuthority(thePermissionName, theArgument)
Adds a new authority to the collection of authorities that will ultimately be approved for the session.

Return Type: void
Parameter thePermissionName: thePermissionName
Parameter theArgument: theArgument
addOutputAuthority(thePermissionName)
Adds a new authority to the collection of authorities that will ultimately be approved for the session.

Return Type: void
Parameter thePermissionName: thePermissionName
removeOutputAuthority(thePermissionName, theArgument)
Removes an authority from the collection of authorities that will ultimately be approved for the session.

Return Type: void
Parameter thePermissionName: thePermissionName
Parameter theArgument: theArgument
removeOutputAuthority(thePermissionName)
Removes an authority from the collection of authorities that will ultimately be approved for the session.

Return Type: void
Parameter thePermissionName: thePermissionName
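Because addOutputAuthority(...) can widen a session after narrowing, a script that uses it should tie every addition to both an input authority and an authorized scope. The following is an added example of such a policy, not Smile CDR code: the callback's parameter list is not shown on this page, so the helper takes only the narrowing result object, FakeNarrowingResult is a constructed test double that exposes the documented function names, and all scope and permission names are placeholders.

```javascript
// Constructed test double with the function names documented for
// SmartScopeAuthorityNarrowingResult, so the policy below can run outside Smile CDR.
class FakeNarrowingResult {
  constructor(scopes, inputAuthorities, outputAuthorities) {
    this.scopes = new Set(scopes);
    this.input = new Set(inputAuthorities.map((pair) => FakeNarrowingResult.key(pair)));
    this.output = new Set(outputAuthorities.map((pair) => FakeNarrowingResult.key(pair)));
  }
  // An authority is a [permission, argument] pair; a missing argument is stored as null.
  static key(pair) {
    return JSON.stringify([pair[0], pair[1] === undefined ? null : pair[1]]);
  }
  hasScope(theScope) { return this.scopes.has(theScope); }
  hasInputAuthority(p, a) { return this.input.has(FakeNarrowingResult.key([p, a])); }
  hasOutputAuthority(p, a) { return this.output.has(FakeNarrowingResult.key([p, a])); }
  addOutputAuthority(p, a) { this.output.add(FakeNarrowingResult.key([p, a])); }
  removeOutputAuthority(p, a) { this.output.delete(FakeNarrowingResult.key([p, a])); }
}

// Least-privilege policy. For each rule { scope, permission, argument? }:
//  - an output authority survives only if it was an input authority AND the scope is authorized
//  - an authority dropped by narrowing is restored only under the same two conditions
//  - an authority the session never held as input is never added
function applyScopeGatedAuthorities(result, rules) {
  const decisions = [];
  for (const rule of rules) {
    // Use the one-parameter or two-parameter form, matching the documented overloads.
    const args = rule.argument === undefined ? [rule.permission] : [rule.permission, rule.argument];
    const heldBefore = result.hasInputAuthority(...args);
    const heldAfter = result.hasOutputAuthority(...args);
    const scopeAuthorized = result.hasScope(rule.scope);
    const entitled = heldBefore && scopeAuthorized;

    let action = "unchanged";
    if (heldAfter && !entitled) {
      result.removeOutputAuthority(...args);
      action = "removed";
    } else if (!heldAfter && entitled) {
      result.addOutputAuthority(...args);
      action = "restored";
    }
    decisions.push({ permission: rule.permission, action });
  }
  return decisions;
}

// Placeholder rules; real scope and permission names depend on the deployment.
const EXAMPLE_RULES = [
  { scope: "custom/export", permission: "EXAMPLE_EXPORT" },
  { scope: "custom/admin", permission: "EXAMPLE_ADMIN" },
  { scope: "patient/*.read", permission: "EXAMPLE_READ_COMPARTMENT", argument: "Patient/123" },
  { scope: "custom/audit", permission: "EXAMPLE_AUDIT" }
];

// Constructed session: EXAMPLE_EXPORT was dropped by narrowing, and EXAMPLE_ADMIN
// appears in the output without ever having been an input authority.
function runConstructedSession() {
  const result = new FakeNarrowingResult(
    ["patient/*.read", "custom/export", "custom/audit"],
    [["EXAMPLE_EXPORT"], ["EXAMPLE_READ_COMPARTMENT", "Patient/123"]],
    [["EXAMPLE_READ_COMPARTMENT", "Patient/123"], ["EXAMPLE_ADMIN"]]
  );
  const decisions = applyScopeGatedAuthorities(result, EXAMPLE_RULES);
  return { result, decisions };
}

console.log(runConstructedSession().decisions);
```

The returned decision list is suitable for logging, which gives an audit trail of every authority the script restored or removed.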

40.20.55UserDetails

 

A user definition

40.20.55.1Properties

Name Type Description
accountDisabled Boolean
notes String
email String
accountExpiry Date (Instant)
accountLocked Boolean
failedLoginAttempts Int
authorities Array<GrantedAuthority>
associatedResources Array<AssociatedResource> A collection of "associated resource" IDs. Associated resources are FHIR resources with some connection to the given user, such as a Patient or Practitioner resource representing the actual user.
credentialExpiry Date (Instant)
familyName String
givenName String
lastActive Date (Instant) The date at which the user account was last used. Note that this property is read-only, and is only updated once per day, so it is accurate only to the date.
lastConnected Date (Instant) The date at which the user last logged in. This property is read-only and is accurate to the minute.
moduleId String The module ID associated with this user account. This is the module ID associated with the Inbound Security module that is responsible for authenticating this user.
nodeId String The node ID associated with this user. This is the master node ID associated with the Inbound Security module that is responsible for authenticating this user.
password String The user password (note that this property will not be populated when sessions are made available to user code)
pid Long The PID (internal ID) for this user
username String The username for this user
usernameNamespace String The username namespace associated with this user
systemUser Boolean If this is set, the user cannot be renamed or deleted (this property may only be set by the system)
external Boolean If this value is set, the user is backed by an external user directory (this property may only be set by the system)
defaultLaunchContexts Array<LaunchContext> The SMART launch contexts associated with this account
serviceAccount Boolean
twoFactorAuthStatus Enumeration

Options:

  • KEY_DEFINED_UNCONFIRMED
  • NO_KEY_DEFINED
  • TOTP_ENABLED

40.20.55.2Functions

Name Description
hasAuthority(thePermission)
Does the user have the given permission?

Return Type: Boolean
Parameter thePermission: thePermission
getOrCreateDefaultLaunchContext(theContextType, theIndex)
Returns the first default launch context for the given type, creating one if none exists

Return Type: LaunchContext
Parameter theContextType: theContextType
Parameter theIndex: theIndex
getOrCreateDefaultLaunchContext(theContextType)
Returns the first default launch context for the given type, creating one if none exists

Return Type: LaunchContext
Parameter theContextType: theContextType
addAuthority(thePermission, theArgument)
Add an authority/permission with an argument to the given user

Return Type: void
Parameter thePermission: thePermission
Parameter theArgument: theArgument
addAuthority(thePermission)
Add an authority/permission to the given user

Return Type: void
Parameter thePermission: thePermission

40.20.56UserDetailsChangeLaunchContextJson

 

Input type for a user update to the launch context(s) associated with their account.

40.20.56.1Properties

Name Type Description
contexts Array<LaunchContext>

40.20.56.2Example

{
  "contexts" : [ {
    "contextType" : "patient",
    "resourceId" : "Patient/123"
  } ]
}

40.20.57UserDetailsList

 

A collection of users

40.20.57.1Properties

Name Type Description
users Array<UserDetails>

40.20.58UserDetailsOAuth2AllClientApprovals

 

Contains the list of clients for which a user has current OAuth2 sessions (access and refresh tokens) or remembered scopes.

40.20.58.1Properties

Name Type Description
clients Array<UserDetailsOAuth2ClientApprovals>

40.20.59UserDetailsOAuth2ClientApprovals

 

Contains the details of an individual client for which a user has approved scopes and/or active tokens.

40.20.59.1Properties

Name Type Description
clientNodeId String
clientModuleId String
clientId String
clientName String
approvedScopes Array<UserDetailsOAuth2ClientApprovalsApprovedScope>

40.20.60UserDetailsOAuth2ClientApprovalsApprovedScope

 

Contains the details of an approved scope for a given user and client.

40.20.60.1Properties

Name Type Description
scope String
description String

40.20.61UserSessionDetails

 

A user session details object contains details about a logged in user and a specific session they have established with the authorization server.

40.20.61.1Properties

Name Type Description
launchContextParameters Array<LaunchContextParameter> Specifies the parameters that will be returned to the user as launch context if the SMART authorization flow requests a launch context
launchResourceIds Array<LaunchResourceId> Specifies the IDs that will be returned to the user as launch context if the SMART authorization flow requests a launch context
fhirContext Array<FhirContextEntry> Specifies the components of the fhirContext, including a reference or a reference/role pair.
approvedScopes Set<String> If the session is an OAuth2 session (i.e. it is accessed via a bearer token that was granted by a SMART Auth server) this field will be populated with the set of scopes that were approved for the client
oidcClientId String If the session is an OAuth2 session (i.e. it is accessed via a bearer token that was granted by a SMART Auth server) this field will be populated with the id of the client.
oidcClientNodeId String The node ID associated with OIDC client of this user.
oidcClientModuleId String The module ID associated with the OIDC client of this user account.
userData Map<String,Object> The user data for this session.
fhirUserUrl String Specifies the FHIR Resource URL associated with this user session. This value will be used to provide the fhirUser claim in returned ID Tokens, and is not used for other purposes.
accountDisabled Boolean
notes String
email String
accountExpiry Date (Instant)
accountLocked Boolean
failedLoginAttempts Int
authorities Array<GrantedAuthority>
associatedResources Array<AssociatedResource> A collection of "associated resource" IDs. Associated resources are FHIR resources with some connection to the given user, such as a Patient or Practitioner resource representing the actual user.
credentialExpiry Date (Instant)
familyName String
givenName String
lastActive Date (Instant) The date at which the user account was last used. Note that this property is read-only, and is only updated once per day, so it is accurate only to the date.
lastConnected Date (Instant) The date at which the user last logged in. This property is read-only and is accurate to the minute.
moduleId String The module ID associated with this user account. This is the module ID associated with the Inbound Security module that is responsible for authenticating this user.
nodeId String The node ID associated with this user. This is the master node ID associated with the Inbound Security module that is responsible for authenticating this user.
password String The user password (note that this property will not be populated when sessions are made available to user code)
pid Long The PID (internal ID) for this user
username String The username for this user
usernameNamespace String The username namespace associated with this user
systemUser Boolean If this is set, the user cannot be renamed or deleted (this property may only be set by the system)
external Boolean If this value is set, the user is backed by an external user directory (this property may only be set by the system)
defaultLaunchContexts Array<LaunchContext> The SMART launch contexts associated with this account
serviceAccount Boolean
twoFactorAuthStatus Enumeration

Options:

  • KEY_DEFINED_UNCONFIRMED
  • NO_KEY_DEFINED
  • TOTP_ENABLED

40.20.61.2Functions

Name Description
getFhirContext()
Provides the fhirContext entries associated with this session

Return Type: Array<FhirContextEntry>
getLaunchResourceIds()
Provides the launch context resource IDs associated with this session

Return Type: Array<LaunchResourceId>
getLaunchContextParameters()
Provides the launch context parameters associated with this session

Return Type: Array<LaunchContextParameter>
getLaunchResourceIdsForResourceType(theResourceType)
Provides the launch context resource IDs associated with this session for a given resource type, returning an array of LaunchResourceId objects.

Return Type: Array<LaunchResourceId>
Parameter theResourceType: theResourceType
addLaunchResourceId(theResourceType, theResourceId)
Adds a launch context resource id

Return Type: void
Parameter theResourceType: theResourceType
Parameter theResourceId: theResourceId
addUserData(theKey, theValue)
Add user data to the session. Custom user data can be added for use within the system or in interceptors.

Return Type: void
Parameter theKey: theKey
Parameter theValue: theValue
addApprovedScope(theScope)
Add an approved scope to the session

Return Type: void
Parameter theScope: theScope
removeApprovedScope(theScope)
Remove an approved scope from the session. This method has no effect if the given scope is not in the existing approved scope list.

Return Type: void
Parameter theScope: theScope
addFhirContextReference(theReference)
Adds a SMART fhirContext entry containing only the reference

Return Type: void
Parameter theReference: theReference
addFhirContextReference(theReference, theRole)
Adds a SMART fhirContext entry containing the reference and role

Return Type: void
Parameter theReference: theReference
Parameter theRole: theRole
getLaunchResourceIdForResourceType(theResourceType)
Provides a single launch context resource ID associated with this session for a given resource type, returning the resource ID (e.g. 123) or null if none are found.

Return Type: String
Parameter theResourceType: theResourceType
addLaunchContextParameter(theParameterName, theParameterValue)
Adds a launch context parameter name/value pair

Return Type: void
Parameter theParameterName: theParameterName
Parameter theParameterValue: theParameterValue
hasAuthority(thePermission)
Does the user have the given permission?

Return Type: Boolean
Parameter thePermission: thePermission
getOrCreateDefaultLaunchContext(theContextType, theIndex)
Returns the first default launch context for the given type, creating one if none exists

Return Type: LaunchContext
Parameter theContextType: theContextType
Parameter theIndex: theIndex
getOrCreateDefaultLaunchContext(theContextType)
Returns the first default launch context for the given type, creating one if none exists

Return Type: LaunchContext
Parameter theContextType: theContextType
addAuthority(thePermission, theArgument)
Add an authority/permission with an argument to the given user

Return Type: void
Parameter thePermission: thePermission
Parameter theArgument: theArgument
addAuthority(thePermission)
Add an authority/permission to the given user

Return Type: void
Parameter thePermission: thePermission
addUserData(theExtraData)
Add all entries to the user data. A null value will be ignored.

Return Type: void
Parameter theExtraData: theExtraData
setUserData(theName, theValue)
Sets a user supplied data value in the session.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
getUserData(theName)
Get a user supplied data value.

Return Type: Object
Parameter theName: theName
clearUserData(theName)
Clear all user data.

Return Type: void
Parameter theName: theName
setUserDataINN(theName, theValue)
Sets a user supplied data value in the session if value is not null.

Return Type: void
Parameter theName: theName
Parameter theValue: theValue
hasUserData(theName)
Has user data for name been set?

Return Type: Boolean
Parameter theName: theName
getUserString(theName)
Get a user supplied data value as a string (converting if needed) or null if unset.

Return Type: String
Parameter theName: theName
getUserInt(theName)
Get a user supplied data value as an integer, converting null/unset to 0.

Return Type: Int
Parameter theName: theName
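
The following added example (not Smile CDR's own code) shows how the properties and functions above can be combined to pin a session to the user's own Patient record and fail closed when no such link exists. The helper names, the mock session, the permission name FHIR_READ_ALL_IN_COMPARTMENT, the scope strings and the bare-ID form passed to addLaunchResourceId are assumptions made for illustration.

```javascript
// Constructed stand-in for the session object: it mimics only the documented
// members used below. Real sessions are supplied by Smile CDR, not built here.
function makeMockSession(associatedResources, scopes) {
  const launch = [], authorities = [];
  return {
    associatedResources,
    approvedScopes: new Set(scopes),
    removeApprovedScope(scope) { this.approvedScopes.delete(scope); },
    addLaunchResourceId(type, id) { launch.push({ type, id }); },
    getLaunchResourceIdForResourceType(type) {
      const hit = launch.find(e => e.type === type);
      return hit ? hit.id : null;
    },
    addAuthority(permission, argument) { authorities.push({ permission, argument }); },
    hasAuthority(permission) { return authorities.some(a => a.permission === permission); }
  };
}

// Hypothetical helper: remove every approved scope that starts with a prefix.
function dropScopes(session, prefixes) {
  // Copy first so removal does not disturb iteration of the live set.
  for (const scope of Array.from(session.approvedScopes)) {
    if (prefixes.some(p => scope.startsWith(p))) session.removeApprovedScope(scope);
  }
}

// Hypothetical helper: returns true if the session was bound to a SELF Patient.
function restrictToOwnPatient(session) {
  // Scopes wider than a single patient are never kept for this class of user.
  dropScopes(session, ['user/', 'system/']);
  // Accept only a SELF link whose ID is a well-formed Patient reference.
  const self = (session.associatedResources || []).find(r =>
    String(r.type) === 'SELF' && /^Patient\/[A-Za-z0-9.-]{1,64}$/.test(r.resourceId));
  if (!self) {
    // Fail closed: without a SELF Patient, patient/ scopes have nothing to bind to.
    dropScopes(session, ['patient/']);
    return false;
  }
  // Assumption: bare ID, matching the "e.g. 123" form documented above.
  session.addLaunchResourceId('Patient', self.resourceId.split('/')[1]);
  // Assumption: permission name and its compartment argument.
  session.addAuthority('FHIR_READ_ALL_IN_COMPARTMENT', self.resourceId);
  return true;
}
```
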