36.10.1OpenID Connect Sessions Endpoint

 

The OpenID Connect Sessions Endpoint can be used to see what applications and scopes are active for a given user.

36.10.2Fetch All Active Clients for User

 
This method requires the OPENID_CONNECT_MANAGE_GLOBAL_SESSIONS permission.

This method will fetch a list of all active clients for a given user, and the approved scopes associated with each client.

The nuances of the OpenID Authorization flows are complicated and not necessarily obvious to an end user. As a result, this service tries to take a common-sense and inclusive definition of what it means for a client (i.e. an application) to be approved by a user.

Applications will be included in the response for the user if any of the following are true:

  • There is at least one currently valid Access Token issued by Smile CDR for the client for the user
  • There is at least one currently valid Refresh Token issued by Smile CDR for the client for the user
  • The user has previously approved scopes for the client, and the client definition has the Remember Approved Scopes flag set

The list of scopes is also included for any clients returned by this service. Scopes will be included if they are approved for any Access or Refresh Tokens, or if they were previously remembered.


Request:

GET http://localhost:9000/openid-connect-sessions/all/user?user_node_id=[ID]&user_module_id=[ID]&username[USERNAME]

The supported URL parameters for selecting a user are listed below. You can select a user by username or by PID:

  • user_node_id=[ID] – The node ID for the Inbound Security module associated with the user.
  • user_module_id=[ID] – The module ID for the Inbound Security module associated with the user.
  • username_issuer=[ISSUER URL] – (*optional) If the user was created through a federated OAUth2 login, the issuer URL should be placed in this parameter.
  • username=[USERNAME] – The username to search for.

or

  • user_pid=[PID] – The PID for the user to search for. If this parameter is specified, it is not necessary to specify the node ID, module ID or username. If those three parameters are specified, this parameter is not necessary.

Response:

This operation returns a JSON document object of type UserDetailsOAuth2AllClientApprovals

Example:

{
  "clients" : [ {
    "clientNodeId" : "some-node-id",
    "clientModuleId" : "some-module-id",
    "clientId" : "client_id_1",
    "clientName" : "Client Name 1",
    "approvedScopes" : [ {
      "scope" : "patient/Patient.read",
      "description" : "Read Patient Demographics"
    }, {
      "scope" : "patient/Observation.read",
      "description" : "Read Lab Results"
    } ]
  }, {
    "clientNodeId" : "some-node-id",
    "clientModuleId" : "some-module-id",
    "clientId" : "client_id_2",
    "clientName" : "Client Name 2",
    "approvedScopes" : [ {
      "scope" : "patient/*.read",
      "description" : "Read All Data"
    }, {
      "scope" : "patient/*.write",
      "description" : "Write All Data"
    } ]
  } ]
}

36.10.3Revoke Active Client for User

 
This method requires the OPENID_CONNECT_MANAGE_GLOBAL_SESSIONS permission.

This method will fetch a single server stored in the system.


Request:

DELETE http://localhost:9000/openid-connect-sessions/revoke/user?user_node_id=[ID]&user_module_id=[ID]&username[USERNAME]&client_node_id=[ID]&client_module_id=[ID]&client_id=[ID]

The supported URL parameters for selecting a user are listed below. You can select a user by username or by PID:

  • user_node_id=[ID] – The node ID for the Inbound Security module associated with the user.
  • user_module_id=[ID] – The module ID for the Inbound Security module associated with the user.
  • username_issuer=[ISSUER URL] – (*optional) If the user was created through a federated OAUth2 login, the issuer URL should be placed in this parameter.
  • username=[USERNAME] – The username to search for.

or

  • user_pid=[PID] – The PID for the user to search for. If this parameter is specified, it is not necessary to specify the node ID, module ID or username. If those three parameters are specified, this parameter is not necessary.

The supported URL parameters for selecting a client are listed below:

  • client_node_id – The node ID for the SMART Outbound Security module associated with the client.
  • client_module_id – The module ID for the SMART Outbound Security module associated with the client.
  • client_id – The client ID.

Response:

This operation will return an HTTP 204 NO CONTENT if it is successful.

36.10.4Revoke All Tokens

 
This method requires the OPENID_CONNECT_MANAGE_GLOBAL_SESSIONS permission.

This method will revoke any access tokens and refresh tokens that have a specific scope approved.


Request:

DELETE http://localhost:9000/openid-connect-sessions/revoke/all-tokens?node_id=[ID]&module_id=[ID]&scope=[SCOPE]

The supported URL parameters are listed below:

  • node_id=[ID] – The node ID for the SMART Outbound Security module to revoke tokens for.
  • user_module_id=[ID] – The module ID for the SMART Outbound Security module to revoke tokens for.
  • scope=[SCOPE] – An OAuth2 scope. Any access or refresh tokens with this scope approved will be revoked. Note that this can include scopes that were explicitly requested by the client and approved by the user, but it can also include scopes that were autogranted, or added in the onTokenGenerating script.

Response:

This operation will return an HTTP 200 OK if it is successful. The response object will indicate the number of access tokens and refresh tokens that were revoked. An example is shown below.

{
  "accessTokenRevokedCount": 3,
  "refreshTokenRevokedCount": 2
}