-
Notifications
You must be signed in to change notification settings - Fork 528
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update smart-configuration and metadata for SMART on FHIR #3697
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some preliminary comments on the code, haven't looked at tests yet.
src/Microsoft.Health.Fhir.Core/Features/Conformance/GetSmartConfigurationHandler.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Health.Fhir.Core/Features/Conformance/GetSmartConfigurationHandler.cs
Show resolved
Hide resolved
src/Microsoft.Health.Fhir.Core/Features/Conformance/GetSmartConfigurationHandler.cs
Show resolved
Hide resolved
src/Microsoft.Health.Fhir.Core/Features/Conformance/Providers/WellKnownConfigurationProvider.cs
Show resolved
Hide resolved
src/Microsoft.Health.Fhir.Shared.Api/Features/Security/SecurityProvider.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Health.Fhir.Shared.Api/Features/Security/SecurityProvider.cs
Show resolved
Hide resolved
....Health.Fhir.Shared.Core.UnitTests/Features/Conformance/GetSmartConfigurationHandlerTests.cs
Outdated
Show resolved
Hide resolved
|
||
using HttpClient client = _httpClientFactory.CreateClient(); | ||
using var smartConfigurationRequest = new HttpRequestMessage(HttpMethod.Get, configurationUrl); | ||
HttpResponseMessage response = await client.SendAsync(smartConfigurationRequest, cancellationToken); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you leave Auth/Audience blank in appsettings, and simply run the OSS server, and then hit the .well-known/smart-configuration endpoint, you get an endless loop as the server makes a request against it's own endpoint :).
I also wonder if we can't rely on an Oauth compliant IDP and then provide the "smart" compliance ourselves? I am concerned that there may be few full "smart" compliant IDPs and we may limit the usability of this if we can't augment Oauth to provide a well-known/smart-configuration endpoint from the FHIR service, which in turn relies on the .well-known/openid-configuration of the IDP.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you leave Auth/Audience blank in appsettings, and simply run the OSS server, and then hit the .well-known/smart-configuration endpoint, you get an endless loop as the server makes a request against it's own endpoint :).
I guess I'm not sure why this would happen. If you leave Authority blank, does the SecurityConfiguration.Authentication.Authority
value get populated some other way? The GetConfigurationUrl
method below expects that if both values are null or empty, null should be returned here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If Security is true, but no Auth or Audience is specified we use an in memory Identity Provider which loads users, roles and permitted data actions from role.json. This is for testing purposes. It will publish an authorize and token endpoint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also wonder if we can't rely on an Oauth compliant IDP and then provide the "smart" compliance ourselves? I am concerned that there may be few full "smart" compliant IDPs and we may limit the usability of this if we can't augment Oauth to provide a well-known/smart-configuration endpoint from the FHIR service, which in turn relies on the .well-known/openid-configuration of the IDP.
I have a solution for this and we can talk about where this solution belongs (either this repository or a separate one). The main issue with SMART is that the response from .well-known/smart-configuration contains capabilities representing both the FHIR server and the IDP. The capabilities of the FHIR server and the IDP need to be combined by the implementor. This probably means that there are settings that need to be configured depending on the IDP.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If Security is true, but no Auth or Audience is specified we use an in memory Identity Provider which loads users, roles and permitted data actions from role.json. This is for testing purposes. It will publish an authorize and token endpoint.
I added a condition to address this specific case. Let me know what you think.
|
||
_messageHandler = new TestHttpMessageHandler(); | ||
_httpClientFactory = Substitute.For<IHttpClientFactory>(); | ||
_httpClientFactory.CreateClient().Returns(new HttpClient(_messageHandler)); |
Check warning
Code scanning / CodeQL
Missing Dispose call on local IDisposable
e1b5d68
to
2b8e616
Compare
Description
Testing
FHIR Team Checklist
Semver Change (docs)
Patch|Skip|Feature|Breaking (reason)