Authorization & Launch Sequence
The first step is to obtain an authorization code from the auth server. The endpoint for this is /oauth/authorization and the query parameters are:

Parameter | Value |
---|---|
response_type | code |
client_id | The client id |
redirect_uri | The URI to redirect to with the code |
scope | The SMART on FHIR access scope |
state | Unique, unguessable value generated by the client for this interaction; the client keeps it to check the callback |
aud | The FHIR base URL for the CPCDS server (http://localhost:8080/cpcds-server/fhir) |

Example:

```http
GET http://localhost:8080/cpcds-server/oauth/authorization?response_type=code&client_id=user689&redirect_uri=http://localhost:3000/index&scope=patient/*.read&state=12345abc&aud=http://localhost:8080/cpcds-server/fhir
```
The response to the GET request is a redirection to the provided redirect_uri with the following query parameters:

Parameter | On | Value |
---|---|---|
code | Success | The authorization code for the client |
state | Success | Echo of the state parameter from the request |
error | Failure | Error code defined in RFC 6749 |

Example:

```http
HTTP/1.1 302 Found
Location: http://localhost:3000/index?code=abc123&state=12345abc
```

Note: The authorization code is only valid for 2 minutes. Before using the code, the client must confirm that the echoed state matches the one it generated for this interaction; a callback with a missing or unknown state should be rejected, since it may carry a code injected by someone else (login CSRF).
After obtaining an authorization code it is exchanged for an access token. To obtain an access token (which is valid for 1 hour) use the /oauth/token endpoint with the following query parameters:

Parameter | Value |
---|---|
grant_type | authorization_code |
code | The authorization code returned by the /authorization endpoint |
redirect_uri | The same redirect_uri from the /authorization request |

The client must also include a basic Authorization header with the value base64Encode(client_id:client_secret) and use a Content-Type of application/x-www-form-urlencoded.

Note: If the user is admin the access token will be valid for 2000 days rather than 1 hour.

Note: RFC 6749 places these token request parameters in the form-encoded request body; this server takes them from the query string, as in the example below. A query string is much more likely than a body to be written to proxy and access logs, so treat the code as sensitive and never log the full request URL.

Example:

```http
POST http://localhost:8080/cpcds-server/oauth/token?grant_type=authorization_code&code=abc123&redirect_uri=http://localhost:3000/index HTTP/1.1
Authorization: Basic MTpwYXNzd29yZA==
Content-Type: application/x-www-form-urlencoded
```
The response to the POST is a JSON object with the following values:

Key | Value |
---|---|
access_token | The access token for the protected resource |
token_type | bearer |
expires_in | The seconds until expiration (3600) |

The access_token is valid for 1 hour and can be used to query protected resources from the CPCDS Server. Admin tokens will be valid for 2000 days. For more details on how to use the CPCDS Server view the README.
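The whole sequence above, as an added example that is not code from the CPCDS server project. It models both sides of the exchange in memory so it runs offline: a toy authorization server that enforces what this page states (codes valid for 2 minutes and single use, tokens valid for 3600 seconds, Basic client authentication, redirect_uri must match the one from the authorization request), and a client that builds the /oauth/authorization request, checks the echoed state before accepting the code, and performs the token exchange. The client id and secret, the injectable clock and the error codes chosen for each failure are assumptions.

```python
# Added example, not the CPCDS server's own code. Client ids/secrets, the
# fake clock and the specific error codes are assumptions for illustration.
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "http://localhost:8080/cpcds-server"
FHIR_AUD = BASE + "/fhir"          # value the client must send as aud
CODE_TTL = 120                     # authorization code lifetime (2 minutes)
TOKEN_TTL = 3600                   # access token lifetime (1 hour)


class ToyAuthServer:
    """Stand-in for /oauth/authorization and /oauth/token (assumed behaviour)."""

    def __init__(self, clients, now=time.time):
        self.clients = clients     # client_id -> client_secret (constructed sample data)
        self.now = now             # injectable clock so expiry can be tested
        self.codes = {}            # code -> (client_id, redirect_uri, issued_at)

    def authorize(self, params):
        """Handle the GET and return the Location header of the 302 response."""
        required = ("response_type", "client_id", "redirect_uri", "scope", "state", "aud")
        redirect_uri = params.get("redirect_uri", "")
        if (any(k not in params for k in required)
                or params["response_type"] != "code" or params["aud"] != FHIR_AUD):
            return redirect_uri + "?" + urlencode({"error": "invalid_request"})
        if params["client_id"] not in self.clients:
            return redirect_uri + "?" + urlencode({"error": "unauthorized_client"})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], redirect_uri, self.now())
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, headers, params):
        """Handle the POST: check Basic credentials, code freshness and redirect_uri."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return {"error": "invalid_client"}
        try:
            client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return {"error": "invalid_client"}
        expected = self.clients.get(client_id, "")
        if not secrets.compare_digest(expected.encode(), secret.encode()):
            return {"error": "invalid_client"}
        if params.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(params.get("code"), None)   # codes are single use
        if entry is None:
            return {"error": "invalid_grant"}
        owner, redirect_uri, issued_at = entry
        if owner != client_id or redirect_uri != params.get("redirect_uri"):
            return {"error": "invalid_grant"}
        if self.now() - issued_at > CODE_TTL:
            return {"error": "invalid_grant"}               # older than 2 minutes
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "bearer", "expires_in": TOKEN_TTL}


# ---- client side -------------------------------------------------------

def build_authorization_url(client_id, redirect_uri, scope, state):
    """Compose the /oauth/authorization request with the six query parameters."""
    query = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
             "scope": scope, "state": state, "aud": FHIR_AUD}
    return BASE + "/oauth/authorization?" + urlencode(query)


def parse_callback(location, expected_state):
    """Extract the code from the redirect, refusing it unless state matches."""
    q = parse_qs(urlparse(location).query)
    if "error" in q:
        raise RuntimeError("authorization failed: " + q["error"][0])
    if q.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: callback was not started by this client")
    if "code" not in q:
        raise RuntimeError("callback carried neither code nor error")
    return q["code"][0]


def token_request(client_id, client_secret, code, redirect_uri):
    """Build the headers and parameters for the /oauth/token exchange."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + cred,
               "Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return headers, params


def run_flow(server, client_id, client_secret, redirect_uri, scope="patient/*.read"):
    """Drive the whole sequence against the toy server and return the token response."""
    state = secrets.token_urlsafe(8)
    url = build_authorization_url(client_id, redirect_uri, scope, state)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    location = server.authorize(params)          # the 302 Location header
    code = parse_callback(location, state)
    headers, body = token_request(client_id, client_secret, code, redirect_uri)
    return server.token(headers, body)


if __name__ == "__main__":
    srv = ToyAuthServer({"user689": "s3cret"})   # constructed sample client
    print(run_flow(srv, "user689", "s3cret", "http://localhost:3000/index"))
```

The server pops the code before checking redirect_uri, so a mismatched or replayed exchange burns the code rather than leaving it usable for a second attempt; the client refuses any callback whose state it did not issue. Against the real server, replace the two in-memory calls with a browser redirect to the GET URL and an HTTP POST carrying the returned headers and parameters.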