onc-healthit / onc-certification-g10-test-kit

ONC Certification (g)(10) Standardized API Tests
Apache License 2.0

token did not contain patient field #317

Closed floofydoug closed 2 years ago

floofydoug commented 2 years ago

Hello,

I am currently running:

ONC Certification (g)(10) Standardized API
V.3.2.0
US Core 4.0.0 / USCDI v1, SMART App Launch 1.0.0, Bulk Data 1.0.1

I am running into an issue on Standalone Patient Access tests 1.3.10:

1.3.10 OAuth token exchange response body contains patient context and patient resource can be retrieved
Token response did not contain patient field

However, this is my decoded testing Access Token straight from the test itself.

{
  "fhirUser": "https://xxxxxxxx-dev.execute-api.us-east-1.amazonaws.com/dev/tenant/sitetenant/Practitioner/c75ed693-8fbb-4898-9077-efffaa2b5816",
  "launch_response_patient": "Patient/81f65d61-8f91-4472-b668-0efc0aceb0f2",
  "patient": "Patient/81f65d61-8f91-4472-b668-0efc0aceb0f2",
  "iss": "https://auth.xxxxxxxx-dev.com/",
  "sub": "auth0|6337172c911d688dfd4ebe52",
  "aud": [
    "https://xxxxxxxx-dev.execute-api.us-east-1.amazonaws.com/dev/tenant/sitetenant",
    "https://xxxxxxxx-dev.us.auth0.com/userinfo"
  ],
  "iat": 1666737071,
  "exp": 1666823471,
  "azp": "LjW5fxiqesQMMxr5EgX8R6iiMk77DUnr",
  "scope": "launch/patient fhirUser patient/Medication.read patient/AllergyIntolerance.read patient/CarePlan.read patient/CareTeam.read patient/Condition.read patient/Device.read patient/DiagnosticReport.read patient/DocumentReference.read patient/Encounter.read patient/Goal.read patient/Immunization.read patient/Location.read patient/MedicationRequest.read patient/Observation.read patient/Organization.read patient/Patient.read patient/Practitioner.read patient/Procedure.read patient/Provenance.read patient/PractitionerRole.read openid email profile offline_access",
  "permissions": [
    "fhirUser",
    "launch",
    "launch/patient",
    "patient/*.*",
    "patient/AllergyIntolerance.read",
    "patient/CarePlan.read",
    "patient/CareTeam.read",
    "patient/Condition.read",
    "patient/Device.read",
    "patient/DiagnosticReport.read",
    "patient/DocumentReference.read",
    "patient/Encounter.read",
    "patient/Goal.read",
    "patient/Immunization.read",
    "patient/Location.read",
    "patient/Medication.read",
    "patient/MedicationRequest.read",
    "patient/Observation.read",
    "patient/Organization.read",
    "patient/Patient.read",
    "patient/Practitioner.read",
    "patient/PractitionerRole.read",
    "patient/Procedure.read",
    "patient/Provenance.read",
    "patient/*.read",
    "user/*.*"
  ]
}

There is definitely a patient on this token. Is there something else that I am missing?

Jammjammjamm commented 2 years ago

An access token is considered opaque, and the system that receives one is not expected to do anything with it other than send it back to the system that granted it in the Authorization header. An access token could be something like a JWT that can be decoded, but that is not a requirement so there is no expectation for clients to decode an access token.

The patient id needs to be in the response to the token request, not in the token itself. http://hl7.org/fhir/smart-app-launch/app-launch.html#response-5 http://hl7.org/fhir/smart-app-launch/example-app-launch-public.html#retrieve-access-token

floofydoug commented 2 years ago

Ahh, I see. I guess I will need a proxy to add that outside of my IDP. Thank you @Jammjammjamm
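The two points made above, that a SMART client reads the patient id from the token response body rather than from the access token, and that a proxy in front of the IdP can put it there, as an added Python example. This is not code from the thread, the test kit, or the IdP; it assumes the IdP issues JWT access tokens with a `patient` claim (as in the decoded token above), that the proxy only inspects tokens it just received over its own back-channel TLS connection to the IdP, and that field names `smart_patient_context`, `claims_from_idp_token`, `proxy_token_response` and the sample claims are all constructed for illustration. It also applies the SMART rule that the `patient` field is the bare Patient id, not a `Patient/` reference, which the token above does not follow:

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def smart_patient_context(token_response: dict) -> str:
    """What a SMART client (and the (g)(10) test) does with a token response.

    The patient id is read from the JSON body returned by the token endpoint.
    The access_token is treated as an opaque string and is never decoded,
    because an authorization server is free to issue a non-JWT token.
    """
    patient = token_response.get("patient")
    if not patient:
        raise ValueError("Token response did not contain patient field")
    return patient


def claims_from_idp_token(access_token: str) -> dict:
    """Read the payload of a JWT access token the proxy just got from the IdP.

    Assumption: only ever called on the token that arrived over the proxy's
    own TLS connection to the IdP, so the proxy trusts it by channel and does
    not re-verify the signature here.  Tokens presented by clients must still
    be verified by the resource server as usual.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a JWT; cannot derive patient context")
    return json.loads(b64url_decode(parts[1]))


def proxy_token_response(idp_response: dict) -> dict:
    """Rewrite the IdP's token response into a SMART-conformant one.

    Copies the patient context out of the JWT claims into the top-level body.
    SMART expects a bare Patient id ("123"), not a relative reference
    ("Patient/123"), so a leading "Patient/" is stripped.
    """
    claims = claims_from_idp_token(idp_response["access_token"])
    patient = claims.get("patient") or claims.get("launch_response_patient")
    if not patient:
        raise ValueError("IdP token carries no patient claim; cannot add context")
    patient_id = patient.split("/", 1)[1] if patient.startswith("Patient/") else patient
    out = dict(idp_response)
    out["patient"] = patient_id
    return out


# --- Constructed sample (no real keys, no real IdP) ---
def constructed_idp_response() -> dict:
    """Mimic the shape seen in the issue: patient context only inside the JWT."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "fhirUser": "https://fhir.example/Practitioner/c75ed693-8fbb-4898-9077-efffaa2b5816",
        "patient": "Patient/81f65d61-8f91-4472-b668-0efc0aceb0f2",
        "scope": "launch/patient fhirUser patient/Patient.read openid offline_access",
        "iss": "https://auth.example/",
        "exp": 1666823471,
    }
    fake_signature = "not-a-real-signature"  # placeholder; nothing verifies it here
    jwt = ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        fake_signature,
    ])
    return {"access_token": jwt, "token_type": "Bearer", "expires_in": 3600,
            "scope": claims["scope"]}


if __name__ == "__main__":
    raw = constructed_idp_response()
    try:
        smart_patient_context(raw)
    except ValueError as e:
        print("client view of raw IdP response:", e)
    fixed = proxy_token_response(raw)
    print("client view after proxy:", smart_patient_context(fixed))
```

The proxy leaves `access_token` untouched, so the resource server's own validation of the bearer token is unaffected; the only thing that changes is the JSON envelope the client sees.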