46.20.1Callback Models
This page describes various models that are available within different Smile CDR JavaScript callback functions. See individual module documentation for a description of how these objects are used.
46.20.2AssociatedResource
This structure represents a link between a user in the auth database and a resource in the FHIR database. This can be used, for example, to specify that a particular user is a specific Patient in the CDR. That linkage can then be applied in order to make security/permission decisions.
46.20.2.1Properties
| Name | Type | Description | |
| type | Enumeration |
The relationship between the user and the resource
Options:
|
|
| resourceId | String | The resource ID itself, e.g. 'Patient/123' |
46.20.3AuthenticationContext
Provides details about the context in which an authentication occurred. See onAuthenticateSuccess for information.
46.20.3.1Properties
| Name | Type | Description | |
| nodeId | String | The node ID associated with the request | |
| moduleId | String | The module ID associated with the request | |
| startTime | Date (Instant) | The time at which the initial HTTP request was received | |
| remoteAddress | String | The IP address of the remote party to invoke the service | |
| remoteScheme | String |
The protocol used by the remote party to invoke the service (will generally be http or https)
|
|
| headers | Map<String,String> | The headers associated with the request |
46.20.4AuthenticationFailure
This method represents a failed authentication attempt, and is returned by an authorization callback script.
46.20.4.1Properties
| Name | Type | Description | |
| message | String | ||
| unknownUsername | Boolean | ||
| incorrectPassword | Boolean |
46.20.5AuthenticationRequest
This object contains the credentials supplied by a client for authentication purposes
46.20.5.1Properties
| Name | Type | Description | |
| username | String | The username | |
| password | String | The password | |
| remoteAddress | String | The IP address of the client | |
| headers | Map<String,String> | The HTTP headers associated with the request |
46.20.6ClientCredentialsAuthenticationRequest
Contains attributes related to an OIDC client credentials grant request.
46.20.6.1Properties
| Name | Type | Description | |
| jwtClaims | Map<String,Object> |
46.20.7CsvProcessorContext
Contains context information passed into the ETL Import module mapping script
46.20.7.1Properties
| Name | Type | Description | |
| userJobType | String | This field can contain an arbitrary token supplied by the client that initiated the job | |
| filename | String | This field can contain the filename of the specific file being imported |
46.20.7.2Functions
| Name | Description | |
| getProcessingThreadNumber() |
Returns the processing thread number. This will be an integer between 0 and the maximum number of processing threads
Return Type: Int |
|
| lock(theKey) |
Attempt to obtain and lock an arbitrary named semaphore. This can be used to guarantee that two row processors do not attempt to operate on the same underlying resource at the same time by ensuring that one completes before another attempts to commit its own transaction.
Return Type: void Parameter theKey: The semaphore key. Can be any string. |
46.20.8FhirContextEntry
This structure represents an entry that captures a single entry in fhirContext, which can be either be a reference only (ex: "PractitionerRole/123") or a reference/role pair (ex: "List/123", "role": "https://example.org/med-list-at-home"). A reference is commonly to a FHIR resource and a role is an optional property with a URI identifying the role. The entire fhirContext is encoded in the access token and used by the relevant Smart application.
46.20.8.1Properties
| Name | Type | Description | |
| reference | String | The reference to a resource, e.g. 'PractitionerRole/123' | |
| role | String | The role, e.g. 'https://example.org/med-list-at-home' |
46.20.9FhirEndpointTerminologyResponseMappingSpec
Defines a response terminology mapping specification for a FHIR Endpoint module
46.20.9.1Properties
| Name | Type | Description | |
| systems | Array<FhirEndpointTerminologyResponseMappingSpecSystem> |
46.20.9.2Example
{
"systems" : [ {
"sourceSystemUri" : "http://example.com/lab_codes",
"targetSystemUri" : "http://loinc.org"
}, {
"sourceSystemUri" : "http://example.com/anatomy",
"targetSystemUri" : "http://snomed.info"
} ]
}46.20.10FhirEndpointTerminologyResponseMappingSpecSystem
A code system entry for a FhirEndpointTerminologyResponseMappingSpec object
46.20.10.1Properties
| Name | Type | Description | |
| sourceSystemUri | String | ||
| targetSystemUri | String |
46.20.11GatewayConfiguration
This is the outer document element containing configuration for the Smile CDR FHIR Gateway module.
46.20.11.1Properties
| Name | Type | Description | |
| targets | Array<GatewayTarget> | ||
| searchRoutes | Array<GatewaySearchRoute> | ||
| readRoutes | Array<GatewayReadRoute> | ||
| operationRoutes | Array<GatewayOperationRoute> | ||
| updateRoutes | Array<GatewayUpdateRoute> | ||
| createRoutes | Array<GatewayCreateRoute> | ||
| deleteRoutes | Array<GatewayDeleteRoute> | ||
| transactionRoutes | Array<GatewayTransactionRoute> | ||
| historyRoutes | Array<GatewayHistoryRoute> |
46.20.11.2Example
{
"targets" : [ {
"id" : "target1",
"baseUrl" : "http://fhir1.example.com/api",
"resourceIdPrefix" : "TGT1-"
}, {
"id" : "target2",
"baseUrl" : "http://fhir2.example.com/api",
"resourceIdPrefix" : "TGT2-"
} ],
"searchRoutes" : [ {
"id" : "route1",
"resourceTypes" : [ "Observation", "Patient", "Encounter" ],
"targets" : [ {
"targetId" : "target1"
}, {
"targetId" : "target2"
} ],
"parallel" : true,
"disablePaging" : false
} ]
}46.20.12GatewayCreateRoute
Defines a Smile CDR FHIR Gateway route that services FHIR create operations.
46.20.12.1Properties
| Name | Type | Description | |
| id | String | A unique ID for this route | |
| resourceTypes | Set<String> | The resource type (e.g. 'Patient') that this route applies to | |
| targets | Array<GatewayRouteTarget> | A list of gateway target server IDs that this route should direct operations to | |
| parallel | Boolean | If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded) |
46.20.13GatewayDeleteRoute
Defines a Smile CDR FHIR Gateway route that services FHIR delete operations.
46.20.13.1Properties
| Name | Type | Description | |
| id | String | A unique ID for this route | |
| resourceTypes | Set<String> | The resource type (e.g. 'Patient') that this route applies to | |
| targets | Array<GatewayRouteTarget> | A list of gateway target server IDs that this route should direct operations to | |
| parallel | Boolean | If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded) |
46.20.14GatewayHistoryRoute
Defines a Smile CDR FHIR Gateway route that services FHIR history operations.
46.20.14.1Properties
| Name | Type | Description | |
| id | String | A unique ID for this route | |
| resourceTypes | Set<String> | The resource type (e.g. 'Patient') that this route applies to | |
| targets | Array<GatewayRouteTarget> | A list of gateway target server IDs that this route should direct operations to | |
| parallel | Boolean | If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded) |
46.20.15GatewayOperation
Defines FHIR Operation that can be called through the Smile CDR Gateway
46.20.15.1Properties
| Name | Type | Description | |
| name | String | The name of the FHIR operation | |
| system | Boolean | This operation can be called at the system level | |
| type | Boolean | This operation can be called on a FHIR resource type | |
| instance | Boolean | This operation can be called on a FHIR resource instance |
46.20.16GatewayOperationRoute
Defines a Smile CDR FHIR Gateway route that services FHIR operations
46.20.16.1Properties
| Name | Type | Description | |
| operations | Array<GatewayOperation> | The operations that this route applies to | |
| id | String | A unique ID for this route | |
| resourceTypes | Set<String> | The resource type (e.g. 'Patient') that this route applies to | |
| targets | Array<GatewayRouteTarget> | A list of gateway target server IDs that this route should direct operations to | |
| parallel | Boolean | If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded) |
46.20.17GatewayReadRoute
Defines a Smile CDR FHIR Gateway route that services FHIR read and vread operations
46.20.17.1Properties
| Name | Type | Description | |
| id | String | A unique ID for this route | |
| resourceTypes | Set<String> | The resource type (e.g. 'Patient') that this route applies to | |
| targets | Array<GatewayRouteTarget> | A list of gateway target server IDs that this route should direct operations to | |
| parallel | Boolean | If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded) |
46.20.18GatewayRouteTarget
Defines a target association for a Smile CDR FHIR Gateway route
46.20.18.1Properties
| Name | Type | Description | |
| targetId | String | The ID of the target server |
46.20.19GatewaySearchRoute
Defines a Smile CDR FHIR Gateway route that services FHIR search operations
46.20.19.1Properties
| Name | Type | Description | |
| disablePaging | Boolean | Responses for this route should not include paging links | |
| id | String | A unique ID for this route | |
| resourceTypes | Set<String> | The resource type (e.g. 'Patient') that this route applies to | |
| targets | Array<GatewayRouteTarget> | A list of gateway target server IDs that this route should direct operations to | |
| parallel | Boolean | If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded) |
46.20.20GatewayTarget
Contains the definition for an individual Smile CDR FHIR Gateway target server
46.20.20.1Properties
| Name | Type | Description | |
| id | String | An internal ID for the target server | |
| baseUrl | String | The base URL for the target server | |
| fixedEndpointUrl | String | If specified, will create a mapping between the baseUrl of the target, and this endpoint. When a bundle link is received that refers to this fixed endpoint, we will associate it to this target. | |
| httpBasicCredentials | String |
If specified, these credentials (in the form username:password) will be passed in all client requests to the target server
|
|
| connectTimeoutMillis | Int | Specifies a connection timeout (in millis) to use for communication with the target server. Default is 60000 | |
| socketTimeoutMillis | Int | Specifies a socket timeout (in millis) to use for communication with the target server. Default is 60000 | |
| clientInterceptorClasses | String | If specified, signals to FHIR Gateway to load a comma-delimited list of CLIENT_RESPONSE interceptor classes that will allow the user to overwrite the HTTP response | |
| resourceIdPrefix | String | If specified, provides a prefix that will be added to all resource IDs and local references for the target server before returning to the client | |
| useHttpPostForAllSearches | Boolean |
If set to true, FHIR search and paging operations against the target server will be performed using an HTTP POST instead of a GET. Default is false
|
|
| serverCapabilityStatementValidationEnabled | Boolean |
If set to false, FHIR Gateway will not validate the target server's CapabilityStatement with a request to /metadata. Default is true
|
|
| alternateValidationPath | String | An alternate validation path which can be used to validate the target server using a HTTP GET request. | |
| headersToForward | Array<String> | Any headers specified by name will be copied from the incoming client request and added to requests to the target server | |
| allowedToFail | Boolean |
If set to true, FHIR search operations against the target server that fail will not return an error to the client, unless all targets for a given request have failed. This flag does not apply to read routes. Default is false
|
|
| forcedEncoding | Enumeration |
If set, any requests containing a payload will have their payload re-encoded to the defined content-type before being forwarded to the target server
Options:
|
|
| retryStrategy | GatewayTargetRetryStrategy | If set, failed requests to this target will be retried using the specified retry configurations. |
46.20.20.2Example
{
"id" : "target1",
"baseUrl" : "http://localhost:8000",
"headersToForward" : [ "Sample-Header-1", "Sample-Header-2" ],
"allowedToFail" : true,
"retryStrategy" : {
"maxRetries" : 2,
"backoffStrategy" : "exponential",
"backoffInterval" : 100,
"errorRetryClasses" : [ "ca.uhn.fhir.rest.server.exceptions.MethodNotAllowedException" ]
}
}46.20.21GatewayTargetRetryStrategy
Contains configurations for the retry strategy for this target.
46.20.21.1Properties
| Name | Type | Description | |
| maxRetries | Int | The number of times to retry on a failed request. | |
| backoffStrategy | Enumeration |
The backoff strategy to use for failed attempts.
Options:
|
|
| backoffInterval | Long | The backoff interval in milliseconds (defaulted to 1000ms). If an exponential backoff strategy is specified, this is the initial interval. | |
| errorRetryClasses | Array<String> | The underlying fully qualified (ie, ca.uhn.fhir.rest.server.exceptions.MethodNotAllowedException) error class names to retry on. |
46.20.22GatewayTransactionRoute
Defines a Smile CDR FHIR Gateway route that services FHIR transaction operations.
46.20.22.1Properties
| Name | Type | Description | |
| id | String | A unique ID for this route | |
| resourceTypes | Set<String> | The resource type (e.g. 'Patient') that this route applies to | |
| targets | Array<GatewayRouteTarget> | A list of gateway target server IDs that this route should direct operations to | |
| parallel | Boolean | If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded) |
46.20.23GatewayUpdateRoute
Defines a Smile CDR FHIR Gateway route that services FHIR update operations.
46.20.23.1Properties
| Name | Type | Description | |
| id | String | A unique ID for this route | |
| resourceTypes | Set<String> | The resource type (e.g. 'Patient') that this route applies to | |
| targets | Array<GatewayRouteTarget> | A list of gateway target server IDs that this route should direct operations to | |
| parallel | Boolean | If the search needs to invoke multiple target endpoints, should the calls be invoked in parallel (i.e. multi-threaded) |
46.20.24GrantedAuthority
A granted authority is a single user authority (permission) that has been granted to a user. This authority has a permission name, and optionally an argument.
46.20.24.1Properties
| Name | Type | Description | |
| permission | Enumeration |
The name of the permission. See permissions for information on available permissions.
Options:
|
|
| argument | String | The argument for this authority. Note that some permissions do not take an argument while others require an argument. Consult the permission documentation for more information. |
46.20.25Hl7V2GeneratedMessageContext
Contains details about a converted/generated HL7 v2.x message
46.20.26Hl7V2ReceivedMessage
Contains a received HL7 v2.x Message
46.20.26.1Properties
| Name | Type | Description | |
| received | Date (Instant) | The time at which this message was received | |
| rawMessage | HL7 v2.x Message | The actual HL7 message that was received | |
| controlId | String |
The message control ID (MSH-10)
|
|
| sendingPort | Int | The port on the remote system from which the message was sent | |
| sendingPort | String | The host IP of the remote system from which the message was sent | |
| transactionPid | Long | The PID assigned to this transaction by the transaction log |
46.20.27Hl7V2ReceivedMessageConversionResult
Contains the result of an HL7 v2.x message runtime mapping or the conversion outcome of an HL7 v2.x message (into a FHIR payload)
46.20.27.1Properties
| Name | Type | Description | |
| doNotProcess | Boolean | A flag to indicate whether or not a given message should be processed | |
| doNotAutoConvert | Boolean | A flag to indicate whether or not a given message should be passed through the Smile CDR built-in message translations. Set this to true in order to skip built-in message translation entirely. | |
| transactionBundles | Array<FHIR Resource> | An array of Bundle resources containing transactions to be submitted to the FHIR server |
46.20.27.2Functions
| Name | Description | |
| addTransaction(theTransaction) |
Add a FHIR transaction to process
Return Type: void Parameter theTransaction: The transaction to add to the processing result |
|
| addMessage(thePath, theMessageLevel, theIssue) |
This method adds a message to the conversion result. Acceptable message levels are INFO, WARNING, and ERROR
Return Type: void Parameter thePath: The path within the message where the issue was detected Parameter theMessageLevel: The issue error level, e.g. 'INFO', 'WARNING', or 'ERROR'. Parameter theIssue: The description of the issue |
46.20.28LaunchContext
Represents a SMART launch context that has been assigned to a specific user session. This structure uses launch context type (i.e. patient).
46.20.28.1Properties
| Name | Type | Description | |
| contextType | String | The launch context type, e.g. "patient" (note the lack of capitalization in SMART launch scope types) | |
| resourceId | String | The launch context resource ID, e.g. "123" (note that the resource type is not included in the ID) |
46.20.29LaunchContextParameter
Represent launch context parameters to be added to a specific user session
46.20.29.1Properties
| Name | Type | Description | |
| parameterName | String | The parameter name (need_patient_banner, smart_style_url) | |
| parameterValue | String | The parameter value |
46.20.30LaunchResourceId
Represents a SMART launch context that has been assigned to a specific user session. This structure uses resource type (i.e. Patient).
46.20.30.1Properties
| Name | Type | Description | |
| resourceType | String | The resource type, e.g. 'Patient' | |
| resourceId | String | The resource ID, e.g. '123' |
46.20.31MegaScaleCredentialRequest
Request object for a MegaScale database credential request
46.20.31.1Properties
| Name | Type | Description | |
| partitionId | Int | The numeric ID for the given partition | |
| partitionName | String | The name for the given partition |
46.20.32MegaScaleCredentialResponse
Response object for a MegaScale database credential request
46.20.32.1Properties
| Name | Type | Description | |
| databaseUrl | String | The JDBC database connection URL | |
| databaseUsername | String | The JDBC database connection username | |
| databasePassword | String | The JDBC database connection password | |
| databaseInitializationStatements | Array<String> | Any statements returned here will be issued to the database as raw SQL if the database is found to be empty, immediately after the Smile CDR database schema is initialized. |
46.20.33OAuth2AuthorizationRequestDetails
Contains details about an OAuth2/OIDC request in progress
46.20.33.1Properties
| Name | Type | Description | |
| clientId | String | Contains the authorizing client ID | |
| memberId | String | The member id obtained from the $member-match operation. | |
| consentResource | String | The consent resource obtained from the $member-match operation. |
46.20.33.2Functions
| Name | Description | |
| getRequestParameters() |
Retrieve all initial OAuth2 authorization request parameters
Return Type: Map<String,String> |
|
| addRequestParameter(theName, theValue) |
Add a request parameter to the generated access token
Return Type: void Parameter theName: The request parameter name Parameter theValue: The request parameter value |
|
| getAudience() |
Retrieve the initial OAuth2 aud request parameter value
Return Type: String |
|
| setAudience(theAudience) |
Set the value from aud URL parameter from the initial OAuth2 authorization request
Return Type: void Parameter theAudience: The state request parameter value |
|
| addAccessTokenClaim(theName, theValue) |
Add an additional claim to the generated access token.
Return Type: void Parameter theName: The claim name Parameter theValue: The claim value (can be a simple datatype or a complex object) |
|
| addTokenResponseValue(theName, theValue) |
Add an additional key/value pair to the response object for the token request. Unlike addAccessTokenClaim(...), this method does not add the claim to any generated tokens, but instead adds an additional key/value pair to the JSON object used as the Token Response for an Access Token Request. This applies both to interactive/launch flows such as Authorization Code and to non-interactive/system flows such as Client Credentials with JWT Credential.
Return Type: void Parameter theName: The JSON key Parameter theValue: The JSON value (can be a simple datatype or a complex object) |
|
| getLaunch() |
Retrieve the value of the launch URL parameter from the initial OAuth2 authorization request
Return Type: String |
|
| setLaunch(theLaunch) |
Set the value from launch URL parameter from the initial OAuth2 authorization request
Return Type: void Parameter theLaunch: The launch request parameter value |
|
| getState() |
Retrieve the value of the state URL parameter from the initial OAuth2 authorization request
Return Type: String |
|
| setState(theState) |
Set the value from state URL parameter from the initial OAuth2 authorization request
Return Type: void Parameter theState: The state request parameter value |
46.20.34OAuth2Client
Represents an OpenID Connect client
46.20.34.1Properties
| Name | Type | Description | |
| moduleId | String | The Module ID that this client is registered against | |
| nodeId | String | The Node ID that this client is registered against | |
| userData | Map<String,Object> | The user data for this session. | |
| pid | Long | The internal ID for this client. | |
| accessTokenValiditySeconds | Int | The number of seconds that an access token should be valid once it has been created. | |
| allowedGrantTypes | Set<Enumeration> |
The grant types that this client is permitted to perform. See Authorization Flows for a description of the possible flows.
Options:
|
|
| autoApproveScopes | Set<String> | Scopes listed here will be automatically approved if requested by the client during the initial authorization request, without requiring the user to explicitly accept them. | |
| autoGrantScopes | Set<String> | Scopes listed here will be automatically granted during every successful authorization by this client. These scopes do not have to be explicitly requested by the client during the initial authorization request. | |
| clientId | String |
The Client ID (corresponds to the iss field in many OAuth2 exchanges).
|
|
| clientName | String | A human friendly description/name for the client. | |
| clientSecrets | Array<OAuth2ClientSecret> | Optionally contains client secrets to be used by the client in some grant types. | |
| fixedScope | Boolean | Is this client fixed scope? When authorizing a fixed scope client, the list of scopes requested in the initial authorization request will be ignored, and the complete list of scopes in the Scope property will be assumed. If these scopes are not listed as Auto-Approve, the user will still be required to approve them. | |
| refreshTokenValiditySeconds | Int | The number of seconds that a refresh token will be valid for. | |
| registeredRedirectUris | Set<String> | The allowable redirect URIs that may be requested. | |
| scopes | Set<String> | A list of OAuth2 scopes that the client is allowed to request user approval for. | |
| secretRequired | Boolean | Is the client secret required in order to authenticate this client? | |
| secretClientCanChange | Boolean | Can the client change their own secret? | |
| enabled | Boolean | Is the client enabled? | |
| canIntrospectOwnTokens | Boolean | Can this client perform token introspection on tokens that it issued? | |
| canIntrospectAnyTokens | Boolean | Can this client perform token introspecton on any tokens issued by the security module it is registered against? | |
| alwaysRequireApproval | Boolean | Should the user approval page be displayed even if the client has not requested any scopes that require user approval? | |
| canReissueTokens | Boolean | Can the OAuth2 server reissue tokens that have been previously issued for this client, if the token request is the same (e.g. for the same user, requesting the same scopes, etc.) and the token is not close to expiry? | |
| permissions | Array<GrantedAuthority> | Any permission that should be granted directly to the client when it authenticates using the Client Credentials Grant. | |
| rememberApprovedScopes | Boolean | When a user performs an OAuth2 authentication/authorization flow for this client, should their approved scopes be remembered the next time they authenticate? | |
| attestationAccepted | Boolean | Has the client developer attested to the policy? | |
| publicJwks | String | The public JWKS Keystore for this client. Used when the client authenticated using a bearer token. | |
| jwksUrl | String | A public endpoint location of the JWK Set. If present, this will be used before any public JWKS on the client directly. | |
| archivedAt | Date (Instant) | The time at which this client was archived, if it has been. | |
| createdByAppSphere | Boolean |
46.20.34.2Functions
| Name | Description | |
| addAuthority(thePermission, theArgument) |
Add an authority/permission with an argument to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name Parameter theArgument: The argument associated with this permission |
|
| addAuthority(thePermission) |
Add an authority/permission to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name |
|
| addUserData(theExtraData) |
Add all entries to the user data. A null value will be ignored.
Return Type: void Parameter theExtraData: The data to add |
|
| hasUserData(theName) |
Has user data for name been set?
Return Type: Boolean Parameter theName: The user data attribute name |
|
| clearUserData(theName) |
Clear all user data.
Return Type: void Parameter theName: The user data attribute name |
|
| setUserDataINN(theName, theValue) |
Sets a user supplied data value in the session if value is not null.
Return Type: void Parameter theName: The user data attribute name Parameter theValue: The attribute value |
|
| getUserString(theName) |
Get a user supplied data value as a string (converting if needed) or null if unset.
Return Type: String Parameter theName: The user data attribute name |
|
| getUserInt(theName) |
Get a user supplied data value as a integer, converting null/unset to 0.
Return Type: Int Parameter theName: The user data attribute name |
|
| setUserData(theName, theValue) |
Sets a user supplied data value in the session.
Return Type: void Parameter theName: The user data attribute name Parameter theValue: The attribute value |
|
| getUserData(theName) |
Get a user supplied data value.
Return Type: Object Parameter theName: The user data attribute name |
46.20.35OAuth2ClientSecret
A client secret for an OAuth2 client
46.20.35.1Properties
| Name | Type | Description | |
| pid | Long | ||
| secret | String | ||
| description | String | ||
| expiration | Date (Instant) | ||
| activation | Date (Instant) |
46.20.36OAuth2ClientSession
A client session object contains details about an OIDC client's OAuth2 session (i.e. it was accessed via a bearer token that was granted by a SMART Auth server)
46.20.36.1Properties
| Name | Type | Description | |
| moduleId | String | The Module ID that this client is registered against | |
| nodeId | String | The Node ID that this client is registered against | |
| userData | Map<String,Object> | The user data for this session. | |
| pid | Long | The internal ID for this client. | |
| accessTokenValiditySeconds | Int | The number of seconds that an access token should be valid once it has been created. | |
| allowedGrantTypes | Set<Enumeration> |
The grant types that this client is permitted to perform. See Authorization Flows for a description of the possible flows.
Options:
|
|
| autoApproveScopes | Set<String> | Scopes listed here will be automatically approved if requested by the client during the initial authorization request, without requiring the user to explicitly accept them. | |
| autoGrantScopes | Set<String> | Scopes listed here will be automatically granted during every successful authorization by this client. These scopes do not have to be explicitly requested by the client during the initial authorization request. | |
| clientId | String |
The Client ID (corresponds to the iss field in many OAuth2 exchanges).
|
|
| clientName | String | A human friendly description/name for the client. | |
| clientSecrets | Array<OAuth2ClientSecret> | Optionally contains client secrets to be used by the client in some grant types. | |
| fixedScope | Boolean | Is this client fixed scope? When authorizing a fixed scope client, the list of scopes requested in the initial authorization request will be ignored, and the complete list of scopes in the Scope property will be assumed. If these scopes are not listed as Auto-Approve, the user will still be required to approve them. | |
| refreshTokenValiditySeconds | Int | The number of seconds that a refresh token will be valid for. | |
| registeredRedirectUris | Set<String> | The allowable redirect URIs that may be requested. | |
| scopes | Set<String> | A list of OAuth2 scopes that the client is allowed to request user approval for. | |
| secretRequired | Boolean | Is the client secret required in order to authenticate this client? | |
| secretClientCanChange | Boolean | Can the client change their own secret? | |
| enabled | Boolean | Is the client enabled? | |
| canIntrospectOwnTokens | Boolean | Can this client perform token introspection on tokens that it issued? | |
| canIntrospectAnyTokens | Boolean | Can this client perform token introspecton on any tokens issued by the security module it is registered against? | |
| alwaysRequireApproval | Boolean | Should the user approval page be displayed even if the client has not requested any scopes that require user approval? | |
| canReissueTokens | Boolean | Can the OAuth2 server reissue tokens that have been previously issued for this client, if the token request is the same (e.g. for the same user, requesting the same scopes, etc.) and the token is not close to expiry? | |
| permissions | Array<GrantedAuthority> | Any permission that should be granted directly to the client when it authenticates using the Client Credentials Grant. | |
| rememberApprovedScopes | Boolean | When a user performs an OAuth2 authentication/authorization flow for this client, should their approved scopes be remembered the next time they authenticate? | |
| attestationAccepted | Boolean | Has the client developer attested to the policy? | |
| publicJwks | String | The public JWKS Keystore for this client. Used when the client authenticated using a bearer token. | |
| jwksUrl | String | A public endpoint location of the JWK Set. If present, this will be used before any public JWKS on the client directly. | |
| archivedAt | Date (Instant) | The time at which this client was archived, if it has been. | |
| createdByAppSphere | Boolean |
46.20.36.2Functions
| Name | Description | |
| addAuthority(thePermission, theArgument) |
Add an authority/permission with an argument to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name Parameter theArgument: The argument associated with this permission |
|
| addAuthority(thePermission) |
Add an authority/permission to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name |
|
| addUserData(theExtraData) |
Add all entries to the user data. A null value will be ignored.
Return Type: void Parameter theExtraData: The data to add |
|
| hasUserData(theName) |
Has user data for name been set?
Return Type: Boolean Parameter theName: The user data attribute name |
|
| clearUserData(theName) |
Clear all user data.
Return Type: void Parameter theName: The user data attribute name |
|
| setUserDataINN(theName, theValue) |
Sets a user supplied data value in the session if value is not null.
Return Type: void Parameter theName: The user data attribute name Parameter theValue: The attribute value |
|
| getUserString(theName) |
Get a user supplied data value as a string (converting if needed) or null if unset.
Return Type: String Parameter theName: The user data attribute name |
|
| getUserInt(theName) |
Get a user supplied data value as a integer, converting null/unset to 0.
Return Type: Int Parameter theName: The user data attribute name |
|
| setUserData(theName, theValue) |
Sets a user supplied data value in the session.
Return Type: void Parameter theName: The user data attribute name Parameter theValue: The attribute value |
|
| getUserData(theName) |
Get a user supplied data value.
Return Type: Object Parameter theName: The user data attribute name |
46.20.37OAuth2Clients
A collection of OAuth2 clients
46.20.37.1Properties
| Name | Type | Description | |
| clients | Array<OAuth2Client> | ||
| pageIndex | Int | ||
| totalPages | Int |
46.20.37.2Example
{
"clients" : [ {
"clientId" : "my-client-id",
"clientName" : "Sample Client",
"enabled" : false,
"allowedGrantTypes" : [ "AUTHORIZATION_CODE", "REFRESH_TOKEN" ],
"alwaysRequireApproval" : false,
"attestationAccepted" : false,
"canIntrospectAnyTokens" : false,
"canIntrospectOwnTokens" : false,
"canReissueTokens" : false,
"clientSecrets" : [ {
"secret" : "THIS_IS_A_CLIENT_SECRET",
"expiration" : "2026-04-14T07:20:35.532+00:00",
"activation" : "2025-04-14T07:20:35.532+00:00"
} ],
"createdByAppSphere" : false,
"fixedScope" : false,
"registeredRedirectUris" : [ "http://example.com/app-redirect" ],
"rememberApprovedScopes" : false,
"scopes" : [ "openid", "patient/*.read", "profile" ],
"secretClientCanChange" : false,
"secretRequired" : true
} ],
"pageIndex" : 0,
"totalPages" : 0
}46.20.38OAuth2Keystore
An OAuth2/OIDC Keystore definition
46.20.38.1Properties
| Name | Type | Description | |
| keystoreId | String | The user specified ID for this keystore. | |
| jsonKeys | String | JSON blob of keys to use. If filePath is defined, this is ignored. | |
| filePath | String | A path to the file location that defines the keys. This path uses the format of a Resource Path. |
46.20.39OAuth2Keystores
A collection of OAuth2/OIDC Keystore definitions
46.20.39.1Properties
| Name | Type | Description | |
| keystores | Array<OAuth2Keystore> | The keystore definitions |
46.20.40OAuth2Server
An OAuth2/OpenID Connect server definition
46.20.40.1Properties
| Name | Type | Description | |
| pid | Long | The internal persistence ID for this provider. | |
| name | String | A user friendly name/description of this provider. | |
| issuer | String | The issuer URL. | |
| tokenIntrospectionClientId | String |
The client ID to use when performing token introspection against this provider. The client ID and client secret may also be used for client authentication during code exchange if the federationClientAuthenticationMethod is set to a client secret method.
|
|
| tokenIntrospectionClientSecret | String |
The client secret to use when performing token introspection against this provider. The client ID and client secret may also be used for client authentication during code exchange if the federationClientAuthenticationMethod is set to a client secret method.
|
|
| nodeId | String | The Node ID for the security module that this definition applies to. | |
| moduleId | String | The security Module ID that this definition applies to. | |
| validationJwkText | String | A JSON document containing the JWK Set containing the public key used to validate signed tokens issued by this server. This is not required for federated server definitions but is required otherwise. | |
| validationJwkFile | String | A local file path / classpath to use to supply the JWK Set containing the public key used to validate signed tokens issued by this server. This field applies only to non-federated providers. | |
| federationRegistrationId | String | A unique identifier for the federation between Smile CDR and the federated provider. If this is left blank, a unique value will be automatically created by Smile CDR. You may choose to use a more descriptive value however, as it will appear in URLs and log statements. Since this value will appear in URL paths, only letters and numbers should be used with no whitespace. | |
| federationRequestScopes | String | When requesting authorization against the federated provider, this setting controls which OAuth2 scopes will be requested. Note that the scopes requested by the security module from the federated provider are independent from the scopes requested by the SMART application that is authorizing against Smile CDR. In a typical flow, a SMART on FHIR application will request SMART scopes from Smile CDR, and Smile CDR will in turn request a different set of appropriate scopes from the federated provider. | |
| federationAuthorizationUrl | String | The URL to redirect the requesting user to in order to request user authentication/authorization with the federated provider. | |
| federationTokenUrl | String | The service URL used by the SMART Outbound Security module for code exchange when requesting a token from the federated provider. | |
| federationUserInfoUrl | String | The service URL used by the SMART Outbound Security module for requesting user details. | |
| federationJwkSetUrl | String | The URL from which to obtain the federated provider's token signing public key. | |
| federationAuthScriptText | String | When using Federated OAuth2/OIDC Login, a script is used to bridge between the user authorization details received from the federated provider and the requested authorization details in the originating SMART on FHIR application. This script is used to assign appropriate permissions and inject any other required details into the user session. It may obtain all required information by inspecting the access token details, or it may make additional service calls to fetch information. | |
| federationUserMappingScriptText | String | When using Federated OAuth2/OIDC Login, an optional script that is used to create Smile CDR user name from the federated login details. | |
| clientAuthenticationMethod | Enumeration |
The OIDC client authentication mechanism to use during federated OIDC login when performing code exchange between Smile CDR and the federated provider.
Options:
|
|
| clientAuthenticationKeystoreId | String |
If the client authentication method is set to PRIVATE_KEY_JWT, this property specifies the Keystore ID to use for signing the credential JWT.
|
|
| fhirEndpointUrl | String | The FHIR Endpoint URL associated to this OIDC Server. P2P specific-optional | |
| authWellKnownConfigUrl | String | The auth well-known configuration URL associated to this OIDC Server to retrieve fhir data. P2P specific-optional | |
| notes | String | Registration URL, etc. P2P specific-optional | |
| customTokenParams | String | Customized token parameters for this OIDC Server. P2P specific-optional | |
| responseType | String | The response type for the associated OIDC Server. P2P specific-optional | |
| organizationId | String | The identification code used to specify an organization or business. (i.e. Payer ID/A five digit standardized industry identify used by payers). P2P specific-optional | |
| audience | String | The audience parameter. Defines the intended consumer of the token. P2P specific-optional | |
| archivedAt | Date (Instant) | The time at which this module was archived, if it has been. |
46.20.41OAuth2Servers
A collection of OAuth2/OpenID Connect server definitions
46.20.41.1Properties
| Name | Type | Description | |
| servers | Array<OAuth2Server> | ||
| pageIndex | Int | ||
| totalPages | Int |
46.20.41.2Example
{
"servers" : [ {
"issuer" : "http://idp.example.com",
"name" : "Acme Identity Provider Corp",
"tokenIntrospectionClientId" : "my-client-id",
"tokenIntrospectionClientSecret" : "THIS_IS_A_CLIENT_SECRET"
} ],
"pageIndex" : 0,
"totalPages" : 0
}46.20.42OAuth2SmartContextSelectionChoicePerson
A person to use as an option for context selection.
46.20.42.1Properties
| Name | Type | Description | |
| familyName | String | ||
| givenName | String | ||
| birthDate | String | The birth date associated with this person. Note that element is treated as a freetext string, and any format is accepted. | |
| userData | Map<String,Object> | The user data for this person. | |
| id | String | A unique ID for the person entry. This property is set automatically and can not be changed. | |
| associatedPatientContextResourceId | String | ||
| associatedAuthorities | Array<GrantedAuthority> | ||
| autoGrantScopes | Set<String> | The auto granted scopes for this person | |
| requestedScopes | Set<String> | The requested scopes for this person |
46.20.42.2Functions
| Name | Description | |
| addAutoGrantScopes(theScopes) |
Add auto-grant scopes that will be not be shown to the user. Supports multiple whitespace separated scopes.
Return Type: void Parameter theScopes: The auto-grant scopes |
|
| addRequestedScopes(theScopes) |
Add scopes to the client request for approval by the user. Supports multiple whitespace separated scopes.
Return Type: void Parameter theScopes: The requested scopes |
|
| removeAutoGrantScopes(theScopes) |
Remove auto-grant scopes that will be not be shown to the user. Supports multiple whitespace separated scopes.
Return Type: void Parameter theScopes: The auto-grant scopes |
|
| removeRequestedScopes(theScopes) |
Remove scopes to the client request for approval by the user. Supports multiple whitespace separated scopes.
Return Type: void Parameter theScopes: The requested scopes |
|
| addUserData(theExtraData) |
Add all entries to the user data. A null value will be ignored.
Return Type: void Parameter theExtraData: The data to add |
|
| hasUserData(theName) |
Has user data for name been set?
Return Type: Boolean Parameter theName: The user data attribute name |
|
| clearUserData(theName) |
Clear all user data.
Return Type: void Parameter theName: The user data attribute name |
|
| setUserDataINN(theName, theValue) |
Sets a user supplied data value in the session if value is not null.
Return Type: void Parameter theName: The user data attribute name Parameter theValue: The attribute value |
|
| getUserString(theName) |
Get a user supplied data value as a string (converting if needed) or null if unset.
Return Type: String Parameter theName: The user data attribute name |
|
| getUserInt(theName) |
Get a user supplied data value as a integer, converting null/unset to 0.
Return Type: Int Parameter theName: The user data attribute name |
|
| setUserData(theName, theValue) |
Sets a user supplied data value in the session.
Return Type: void Parameter theName: The user data attribute name Parameter theValue: The attribute value |
|
| getUserData(theName) |
Get a user supplied data value.
Return Type: Object Parameter theName: The user data attribute name |
|
| addAuthority(thePermission, theArgument) |
Add an authority/permission with an argument to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name Parameter theArgument: The argument associated with this permission |
|
| addAuthority(thePermission) |
Add an authority/permission to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name |
46.20.43OAuth2SmartContextSelectionChoices
This object represents a set of context choices that can be selected from by a user authorizing an app via the SMART Outbound Security module.
46.20.43.1Properties
| Name | Type | Description | |
| persons | Array<OAuth2SmartContextSelectionChoicePerson> | persons | |
| customScopeDisplay | Map<String,String> | Custom Scope Display |
46.20.43.2Functions
| Name | Description | |
| addPerson() |
Adds and returns a person object
Return Type: OAuth2SmartContextSelectionChoicePerson |
|
| haveChoices() |
Returns true if one or more persons has been added to this object
Return Type: Boolean |
|
| addDisplayTranslation(theScope, theDisplayText) |
Add custom display name for the scope
Return Type: void Parameter theScope: Parameter theDisplayText: |
46.20.44Oauth2InvalidateTokensResponseJson
Response object when invalidating OpenID Connect tokens
46.20.44.1Properties
| Name | Type | Description | |
| accessTokenCount | Int | The count of invalidated access tokens | |
| refreshTokenCount | Int | The count of invalidated refresh tokens |
46.20.45OpenIdIntrospectTokenResponse
This object represents a response from an Identity Provider's introspection endpoint.
46.20.45.1Properties
| Name | Type | Description | |
| active | Boolean | ||
| scope | Set<String> | ||
| client_id | String | ||
| username | String | ||
| token_type | String | ||
| exp | Date (Instant) | ||
| iat | Date (Instant) | ||
| nbf | Date (Instant) | ||
| sub | String | ||
| aud | Array<String> | ||
| iss | String | ||
| jti | String |
46.20.46PackageInstallationSpec
Defines a set of instructions for package installation
46.20.46.1Properties
| Name | Type | Description | |
| packageUrl | String | The direct package URL | |
| name | String | The NPM package Name | |
| version | String | The direct package version | |
| installMode | Enumeration |
Should resources from this package be extracted from the package and installed into the repository individually
Options:
|
|
| installResourceTypes | Array<String> | If resources are being installed individually, this is list provides the resource types to install. By default, all conformance resources will be installed. | |
| fetchDependencies | Boolean | Should dependencies be automatically resolved, fetched and installed with the same settings | |
| reloadExisting | Boolean | Should existing resources be reloaded. Defaults to true, but can be set to false to avoid re-index operations for existing search parameters |
46.20.46.2Example
{
"name" : "hl7.fhir.us.core",
"version" : "3.1.0",
"installMode" : "STORE_ONLY",
"reloadExisting" : true,
"fetchDependencies" : true
}46.20.46.3Example
{
"name" : "com.example.my-resources",
"version" : "1.0",
"packageUrl" : "classpath:/my-resources.tgz",
"installMode" : "STORE_AND_INSTALL",
"installResourceTypes" : [ "Organization", "Medication", "PlanDefinition", "SearchParameter" ],
"reloadExisting" : true,
"fetchDependencies" : false
}46.20.47PartitionDefinition
A partition definition
46.20.47.1Properties
| Name | Type | Description | |
| id | Int | ||
| name | String | ||
| description | String |
46.20.48PartitionDefinitions
A collections of partition definitions
46.20.48.1Properties
| Name | Type | Description | |
| partitions | Array<PartitionDefinition> |
46.20.48.2Example
{
"partitions" : [ {
"id" : 1,
"name" : "Partition-A",
"description" : "The first partition"
}, {
"id" : 2,
"name" : "Partition-B",
"description" : "The second partition"
} ]
}46.20.49RequestDetailsJson
This object contains details about a FHIR request at runtime
46.20.49.1Properties
| Name | Type | Description | |
| approvedScopes | Set<String> | ||
| tenantId | String | ||
| compartmentName | String | ||
| completeUrl | String | ||
| fhirServerBase | String | ||
| id | String | ||
| operation | String | ||
| requestPath | String | ||
| requestType | Enumeration |
Options:
|
|
| resourceName | String | ||
| respondGzip | Boolean | ||
| restOperationType | Enumeration |
Options:
|
|
| secondaryOperation | String | ||
| subRequest | Boolean |
46.20.49.2Functions
| Name | Description | |
| getParameters(theParameterName) |
Returns an array of URL values for the given parameter
Return Type: Array<String> Parameter theParameterName: |
|
| getHeader(theHeaderName) |
Returns an array of HTTP header values for the given key
Return Type: Array<String> Parameter theHeaderName: |
46.20.50ScriptAuthenticationOutcomeFactory
This object is used by authorization scripts to create success or failure objects to be returned by the script function.
46.20.50.1Functions
| Name | Description | |
| newSuccess() |
This method creates a successful response that can be populated by the script, and then returned by the function.
Return Type: UserSessionDetails |
|
| newFailure() |
This method creates a failure response that can be populated by the script, and then returned by the function.
Return Type: AuthenticationFailure |
46.20.51ScriptConsentContextServices
This object is passed to consent services scripts to provide context services
46.20.51.1Functions
| Name | Description | |
| proceed() |
Advise the consent service that this operation should proceed (i.e. the operation will not be rejected, and the consent service will continue to evaluate)
Return Type: void |
|
| reject() |
Advise the consent service that this operation should be rejected
Return Type: void |
|
| authorized() |
Advise the consent service that this operation should be authorized (i.e. no further checking should occur)
Return Type: void |
46.20.52SecurityInLdapAuthenticationContext
Provides details and functions around the context of an authentication using the LDAP Inbound Security module. Objects of this type inherit all properties of their ancestor type AuthenticationContext.
46.20.52.1Properties
| Name | Type | Description | |
| nodeId | String | The node ID associated with the request | |
| moduleId | String | The module ID associated with the request | |
| startTime | Date (Instant) | The time at which the initial HTTP request was received | |
| remoteAddress | String | The IP address of the remote party to invoke the service | |
| remoteScheme | String |
The protocol used by the remote party to invoke the service (will generally be http or https)
|
|
| headers | Map<String,String> | The headers associated with the request |
46.20.52.2Functions
| Name | Description | |
| getStringAttributes(theAttributeName) |
Fetch string attribute values for the given attribute name in LDAP for the authenticated user
Return Type: Array<String> Parameter theAttributeName: The LDAP attribute name |
|
| isMemberOfGroup(theGroupDn, theMemberAttribute) |
Return true if the authenticated user is in the given group
Return Type: Boolean Parameter theGroupDn: The fully qualified LDAP Group DN Parameter theMemberAttribute: The LDAP user attribute to use to indicate group membership |
|
| isMemberOfGroup(theGroupDn) |
Return true if the authenticated user is in the given group using member as membership attribute
Return Type: Boolean Parameter theGroupDn: The fully qualified LDAP Group DN |
|
| isMemberOfGroup(theGroupDn, theMemberAttribute, theSearchBaseDn) |
Return true if the authenticated user is in the given group. LDAP static groups with class:groupOfNames use member to enumerate members. This is the default value for theMemberAttribute.But if the group is defined differently (e.g. groupOfUniqueNames uses uniqueMember), pass that attribute name as theMemberAttribute.Use theSearchBaseDn to (optionally) scope the search for groups.
Return Type: Boolean Parameter theGroupDn: The fully qualified LDAP Group DN Parameter theMemberAttribute: The LDAP user attreibute to use to indicate group membership Parameter theSearchBaseDn: The LDAP base DN to search |
|
| queryStringAttributes(theAttributeName) |
Query string attribute values for the given attribute name in LDAP for the authenticated user.Useful for fetching dynamic attributes not loaded during the authentication bind.
Return Type: Array<String> Parameter theAttributeName: The LDAP attribute name |
46.20.53SecurityInSmartAuthenticationContext
Provides the context for the onAuthenticateSuccess callback method on the SMART Inbound Security module. Objects of this type inherit all properties of their ancestor type AuthenticationContext.
46.20.53.1Properties
| Name | Type | Description | |
| nodeId | String | The node ID associated with the request | |
| moduleId | String | The module ID associated with the request | |
| startTime | Date (Instant) | The time at which the initial HTTP request was received | |
| remoteAddress | String | The IP address of the remote party to invoke the service | |
| remoteScheme | String |
The protocol used by the remote party to invoke the service (will generally be http or https)
|
|
| headers | Map<String,String> | The headers associated with the request |
46.20.53.2Functions
| Name | Description | |
| getClaim(theName) |
This function gets any claim in the claims map, returning the JSON value found there. If no claim exists with the given name, null is returned.
Return Type: Object Parameter theName: |
|
| getStringClaim(theName) |
This function returns the claim contained within the encoded ID token JWT. The claim value is expected to be a string.
Return Type: String Parameter theName: |
|
| getClaims() |
This function gets all claims from the token as a claims map.
Return Type: Map<String,Object> |
|
| getApprovedScopes() |
This function returns an array of the approved scopes
Return Type: Set<String> |
|
| hasApprovedScope(theScope) |
This function returns true if the session has been approved for the given OAuth2 scope
Return Type: Boolean Parameter theScope: |
|
| getStringArrayClaim(theName) |
This function returns the claim contained within the encoded ID token JWT. The claim value is expected to be an array of strings.
Return Type: Array<String> Parameter theName: |
|
| getIntrospectTokenResponse() |
This function returns the results of the token /introspect endpoint, if this server has been configured to return it.
Return Type: OpenIdIntrospectTokenResponse |
46.20.54SmartCodapAuthorizationRequest
This object is passed to the SMART Cross-Organization Data Access Profile authorization callback script
46.20.54.1Properties
| Name | Type | Description | |
| requestingPractitioner | FHIR Resource | ||
| requestedRecord | FHIR Resource | ||
| reasonForRequest | String | ||
| clientId | String | ||
| scope | Set<String> | ||
| rawAuthorizationToken | String | ||
| rawAuthenticationToken | String |
46.20.55SmartOnPostAuthorizeDetails
This class represents a completed SMART Authorization. It contains details about the authorization, what was granted, who it was granted to, etc.
46.20.55.1Properties
| Name | Type | Description | |
| grantType | String | ||
| accessToken | String | ||
| grantedScopes | Set<String> | ||
| expiration | Date (Instant) | ||
| requestingPractitioner | FHIR Resource | ||
| requestedRecord | FHIR Resource | ||
| refreshToken | String |
46.20.56SmartScopeAuthorityNarrowingResult
This object is used as an argument to the onSmartScopeAuthorityNarrowing(...) function, which is invoked after SMART scopes have been applied to narrow a user/client's session permissions.
46.20.56.1Functions
| Name | Description | |
| hasScope(theScope) |
Checks whether the given scope has been authorized for the current session, either because it was requested and approved, or because it was automatically granted.
Return Type: Boolean Parameter theScope: The text of the scope, e.g. "patient/read.*" |
|
| hasInputAuthority(thePermissionName) |
Tests whether an authority was present on the session prior to any scope-based narrowing.
Return Type: Boolean Parameter thePermissionName: The name of the permission, e.g. FHIR_META_OPERATIONS_SUPERUSER.
|
|
| hasInputAuthority(thePermissionName, theArgument) |
Tests whether an authority was present on the session prior to any scope-based narrowing.
Return Type: Boolean Parameter thePermissionName: The name of the permission, e.g. FHIR_META_OPERATIONS_SUPERUSER.
Parameter theArgument: Only match authorities with the given argument |
|
| hasOutputAuthority(thePermissionName) |
Tests whether an authority was present on the session after any scope-based narrowing.
Return Type: Boolean Parameter thePermissionName: The name of the permission, e.g. FHIR_META_OPERATIONS_SUPERUSER.
|
|
| hasOutputAuthority(thePermissionName, theArgument) |
Tests whether an authority was present on the session after any scope-based narrowing.
Return Type: Boolean Parameter thePermissionName: The name of the permission, e.g. FHIR_META_OPERATIONS_SUPERUSER.
Parameter theArgument: Only match authorities with the given argument |
|
| addOutputAuthority(thePermissionName, theArgument) |
Adds a new authority to the collection of authorities that will ultimately be approved for the session.
Return Type: void Parameter thePermissionName: The name of the permission, e.g. FHIR_READ_ALL_IN_COMPARTMENT.
Parameter theArgument: The argument for the given permission, e.g. Patient/123.
|
|
| addOutputAuthority(thePermissionName) |
Adds a new authority to the collection of authorities that will ultimately be approved for the session.
Return Type: void Parameter thePermissionName: The name of the permission, e.g. FHIR_META_OPERATIONS_SUPERUSER.
|
|
| removeOutputAuthority(thePermissionName, theArgument) |
Removes an authority to the collection of authorities that will ultimately be approved for the session.
Return Type: void Parameter thePermissionName: The name of the permission, e.g. FHIR_READ_ALL_IN_COMPARTMENT.
Parameter theArgument: The argument for the given permission, e.g. Patient/123.
|
|
| removeOutputAuthority(thePermissionName) |
Removes an authority to the collection of authorities that will ultimately be approved for the session.
Return Type: void Parameter thePermissionName: The name of the permission, e.g. FHIR_READ_ALL_IN_COMPARTMENT.
|
46.20.57TokenizationRule
Defines a single rule for FHIR Repository Tokenization
46.20.57.1Properties
| Name | Type | Description | |
| description | String | An optional description of this rule. This field does not affect the functionality of the rule, but can be used as documentation. | |
| path | String |
A FHIRPath expression within a resource pointing to the element to tokenize. The value must begin with a resource type, e.g. Patient.name.family.
|
|
| searchParameter | String | The name of a SearchParameter which can be used to search for the tokenized value. If the FHIRPath expression in this rule matches the path of an existing SearchParameter, it is recommended to use the name of that SearchParameter here. This may be left empty, in which case it will not be possible to perform a search for the tokenized value (in other words, this should only be populated for rules containing paths which should be indexed for searching). | |
| searchValueNormalization | Enumeration |
If this property is set, the element value will be tokenized twice. The first value contains the original element as it was stored in the resource, and the second contains a normalized version of the element. The normalized version is used for search indexing. See Search Normalization for more information.
Options:
|
|
| neverDetokenize | Boolean | If set to true, the system will never attempt to de-tokenize the value. This could be set if the configured tokenization algorithm is not reversible, or the usage scenario means that it is not desirable to reverse the tokenization on this element. |
46.20.58TokenizationRules
Defines a collection of rules for FHIR Repository Tokenization
46.20.58.1Properties
| Name | Type | Description | |
| rules | Array<TokenizationRule> |
46.20.58.2Example
{
"rules" : [ {
"description" : "Rule for a path including a search parameter",
"path" : "Patient.identifier",
"searchParameter" : "identifier",
"searchValueNormalization" : "IDENTIFIER",
"neverDetokenize" : false
}, {
"description" : "Another rule for a path including a search parameter",
"path" : "Patient.name.family",
"searchParameter" : "family",
"searchValueNormalization" : "STRING",
"neverDetokenize" : false
}, {
"description" : "Rule for a path with no associated search parameter",
"path" : "Patient.maritalStatus",
"searchValueNormalization" : "NONE",
"neverDetokenize" : false
} ]
}46.20.59UserDetails
A user definition
46.20.59.1Properties
| Name | Type | Description | |
| accountDisabled | Boolean | ||
| notes | String | ||
| String | |||
| accountExpiry | Date (Instant) | ||
| accountLocked | Boolean | ||
| failedLoginAttempts | Int | ||
| authorities | Array<GrantedAuthority> | ||
| associatedResources | Array<AssociatedResource> | A collection of "associated resource" IDs. Associated resources are FHIR resources with some connection to the given user, such as a Patient or Practitioner resource representing the actual user. | |
| credentialExpiry | Date (Instant) | ||
| familyName | String | ||
| givenName | String | ||
| lastActive | Date (Instant) | The date at which the user account was last used. Note that this property is read-only, and is only updated once per day, so it is accurate only to the date. | |
| lastConnected | Date (Instant) | The date at which the user last logged in. This property is read-only and is accurate to the minute. | |
| moduleId | String | The module ID associated with this user account. This is the module ID associated with the Inbound Security module that is responsible for authenticating this user. | |
| nodeId | String | The node ID associated with this user. This is the master node ID associated with the Inbound Security module that is responsible for authenticating this user. | |
| password | String | The user password (note that this property will not be populated when sessions are made available to user code) | |
| pid | Long | The PID (internal ID) for this user | |
| username | String | The username for this user | |
| usernameNamespace | String | The username namespace associated with this user | |
| systemUser | Boolean | If this is set, the user cannot be renamed or deleted (this property may only be set by the system) | |
| external | Boolean | If this value is set, the user is backed by an external user directory (this property may only be set by the system) | |
| defaultLaunchContexts | Array<LaunchContext> | The SMART launch contexts associated with this account | |
| serviceAccount | Boolean | ||
| twoFactorAuthStatus | Enumeration |
Options:
|
46.20.59.2Functions
| Name | Description | |
| hasAuthority(thePermission) |
Does the user have the given permission?
Return Type: Boolean Parameter thePermission: The name of the permission, e.g. 'ROLE_FHIR_CLIENT' |
|
| getOrCreateDefaultLaunchContext(theContextType, theIndex) |
Returns the first default launch context for the given type, creating one if none exists
Return Type: LaunchContext Parameter theContextType: The context type, e.g. "patient" or "practitioner" Parameter theIndex: The index, starting at 0 |
|
| getOrCreateDefaultLaunchContext(theContextType) |
Returns the first default launch context for the given type, creating one if none exists
Return Type: LaunchContext Parameter theContextType: The context type, e.g. "patient" or "practitioner" |
|
| addAuthority(thePermission, theArgument) |
Add an authority/permission with an argument to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name Parameter theArgument: The argument associated with this permission |
|
| addAuthority(thePermission) |
Add an authority/permission to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name |
46.20.60UserDetailsChangeLaunchContextJson
Input type for a user update to the launch context(s) associated with their account.
46.20.60.1Properties
| Name | Type | Description | |
| contexts | Array<LaunchContext> |
46.20.60.2Example
{
"contexts" : [ {
"contextType" : "patient",
"resourceId" : "Patient/123"
} ]
}46.20.61UserDetailsList
A collection of users
46.20.61.1Properties
| Name | Type | Description | |
| users | Array<UserDetails> |
46.20.62UserDetailsOAuth2AllClientApprovals
Contains the list of clients for which a user has current OAuth2 sessions (access and refresh tokens) or remembered scopes.
46.20.62.1Properties
| Name | Type | Description | |
| clients | Array<UserDetailsOAuth2ClientApprovals> |
46.20.63UserDetailsOAuth2ClientApprovals
Contains the details of an individual client for which a user has approved scopes and/or active tokens.
46.20.63.1Properties
| Name | Type | Description | |
| clientNodeId | String | ||
| clientModuleId | String | ||
| clientId | String | ||
| clientName | String | ||
| approvedScopes | Array<UserDetailsOAuth2ClientApprovalsApprovedScope> |
46.20.64UserDetailsOAuth2ClientApprovalsApprovedScope
Contains the details of an approved scope for a given user and client.
46.20.64.1Properties
| Name | Type | Description | |
| scope | String | ||
| description | String |
46.20.65UserSessionDetails
A user session details object contains details about a logged in user and a specific session they have established with the authorization server.
46.20.65.1Properties
| Name | Type | Description | |
| launchContextParameters | Array<LaunchContextParameter> | Specifies the parameters that will be returned to the user as launch context if the SMART authorization flow requests a launch context | |
| launchResourceIds | Array<LaunchResourceId> | Specifies the IDs that will be returned to the user as launch context if the SMART authorization flow requests a launch context | |
| fhirContext | Array<FhirContextEntry> | Specifies the components of the fhirContext, including a reference or a reference/role pair. | |
| approvedScopes | Set<String> | If the session is an OAuth2 session (i.e. it is accessed via a bearer token that was granted by a SMART Auth server) this field will be populated with the set of scopes that were approved for the client | |
| oidcClientId | String | If the session is an OAuth2 session (i.e. it is accessed via a bearer token that was granted by a SMART Auth server) this field will be populated with the id of the client. | |
| oidcClientNodeId | String | The node ID associated with OIDC client of this user. | |
| oidcClientModuleId | String | The module ID associated with the OIDC client of this user account. | |
| userData | Map<String,Object> | The user data for this session. | |
| fhirUserUrl | String |
Specifies the FHIR Resource URL associated with this user session. This value will be used to provide the fhirUser claim in returned ID Tokens, and is not used for other purposes.
|
|
| accountDisabled | Boolean | ||
| notes | String | ||
| String | |||
| accountExpiry | Date (Instant) | ||
| accountLocked | Boolean | ||
| failedLoginAttempts | Int | ||
| authorities | Array<GrantedAuthority> | ||
| associatedResources | Array<AssociatedResource> | A collection of "associated resource" IDs. Associated resources are FHIR resources with some connection to the given user, such as a Patient or Practitioner resource representing the actual user. | |
| credentialExpiry | Date (Instant) | ||
| familyName | String | ||
| givenName | String | ||
| lastActive | Date (Instant) | The date at which the user account was last used. Note that this property is read-only, and is only updated once per day, so it is accurate only to the date. | |
| lastConnected | Date (Instant) | The date at which the user last logged in. This property is read-only and is accurate to the minute. | |
| moduleId | String | The module ID associated with this user account. This is the module ID associated with the Inbound Security module that is responsible for authenticating this user. | |
| nodeId | String | The node ID associated with this user. This is the master node ID associated with the Inbound Security module that is responsible for authenticating this user. | |
| password | String | The user password (note that this property will not be populated when sessions are made available to user code) | |
| pid | Long | The PID (internal ID) for this user | |
| username | String | The username for this user | |
| usernameNamespace | String | The username namespace associated with this user | |
| systemUser | Boolean | If this is set, the user cannot be renamed or deleted (this property may only be set by the system) | |
| external | Boolean | If this value is set, the user is backed by an external user directory (this property may only be set by the system) | |
| defaultLaunchContexts | Array<LaunchContext> | The SMART launch contexts associated with this account | |
| serviceAccount | Boolean | ||
| twoFactorAuthStatus | Enumeration |
Options:
|
46.20.65.2Functions
| Name | Description | |
| getFhirContext() |
Provides the fhirContext entries with this session
Return Type: Array<FhirContextEntry> |
|
| getLaunchResourceIds() |
Provides the launch context resource IDs associated with this session
Return Type: Array<LaunchResourceId> |
|
| getLaunchContextParameters() |
Provides the launch context parameters associated with this session
Return Type: Array<LaunchContextParameter> |
|
| getLaunchResourceIdsForResourceType(theResourceType) |
Provides the launch context resource IDs associated with this session for a given resource type, returning an array of LaunchResourceId objects.
Return Type: Array<LaunchResourceId> Parameter theResourceType: The launch context resource type. Note that this value is not capitalized, e.g. patient or encounter.
|
|
| addLaunchResourceId(theResourceType, theResourceId) |
Adds a launch context resource id
Return Type: void Parameter theResourceType: The launch context resource type. Note that this value is not capitalized, e.g. patient or encounter.
Parameter theResourceId: The resource ID. This value does not include a resource type, e.g. 123.
|
|
| addUserData(theKey, theValue) |
Add user data to the session. Custom user data can be added for use within the system or in interceptors.
Return Type: void Parameter theKey: The user data key Parameter theValue: The user data value |
|
| addApprovedScope(theScope) |
Add an approved scope to the session
Return Type: void Parameter theScope: The SMART on FHIR/OIDC scope name |
|
| removeApprovedScope(theScope) |
Remove an approved scope to the session. This method has no effect if the given scope is not in the existing approved scope list.
Return Type: void Parameter theScope: The SMART on FHIR/OIDC scope name |
|
| addFhirContextReference(theReference) |
Adds a Smart fhirContext entry containing only the reference
Return Type: void Parameter theReference: A reference to a FHIR resource in the fhirContext. |
|
| addFhirContextReference(theReference, theRole) |
Adds a Smart fhirContext entry containing the reference and role
Return Type: void Parameter theReference: A reference to a FHIR resource in the fhirContext. Parameter theRole: A reference to a role URI in the fhirContext |
|
| getLaunchResourceIdForResourceType(theResourceType) |
Provides a single launch context resource ID associated with this session for a given resource type, returning the resource ID (e.g. 123) or null if none are found.
Return Type: String Parameter theResourceType: The launch context resource type. Note that this value is not capitalized, e.g. patient or encounter.
|
|
| addLaunchContextParameter(theParameterName, theParameterValue) |
Adds a launch context parameter name/value pair
Return Type: void Parameter theParameterName: The launch context parameter name,e.g. need_patient_banner or smart_style_url.
Parameter theParameterValue: The parameter value. |
|
| hasAuthority(thePermission) |
Does the user have the given permission?
Return Type: Boolean Parameter thePermission: The name of the permission, e.g. 'ROLE_FHIR_CLIENT' |
|
| getOrCreateDefaultLaunchContext(theContextType, theIndex) |
Returns the first default launch context for the given type, creating one if none exists
Return Type: LaunchContext Parameter theContextType: The context type, e.g. "patient" or "practitioner" Parameter theIndex: The index, starting at 0 |
|
| getOrCreateDefaultLaunchContext(theContextType) |
Returns the first default launch context for the given type, creating one if none exists
Return Type: LaunchContext Parameter theContextType: The context type, e.g. "patient" or "practitioner" |
|
| addAuthority(thePermission, theArgument) |
Add an authority/permission with an argument to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name Parameter theArgument: The argument associated with this permission |
|
| addAuthority(thePermission) |
Add an authority/permission to the given user
Return Type: void Parameter thePermission: The Smile CDR permission name |
|
| addUserData(theExtraData) |
Add all entries to the user data. A null value will be ignored.
Return Type: void Parameter theExtraData: The data to add |
|
| hasUserData(theName) |
Has user data for name been set?
Return Type: Boolean Parameter theName: The user data attribute name |
|
| clearUserData(theName) |
Clear all user data.
Return Type: void Parameter theName: The user data attribute name |
|
| setUserDataINN(theName, theValue) |
Sets a user supplied data value in the session if value is not null.
Return Type: void Parameter theName: The user data attribute name Parameter theValue: The attribute value |
|
| getUserString(theName) |
Get a user supplied data value as a string (converting if needed) or null if unset.
Return Type: String Parameter theName: The user data attribute name |
|
| getUserInt(theName) |
Get a user supplied data value as a integer, converting null/unset to 0.
Return Type: Int Parameter theName: The user data attribute name |
|
| setUserData(theName, theValue) |
Sets a user supplied data value in the session.
Return Type: void Parameter theName: The user data attribute name Parameter theValue: The attribute value |
|
| getUserData(theName) |
Get a user supplied data value.
Return Type: Object Parameter theName: The user data attribute name |