Commit
Smart standalone patientrole migrate (openemr#4177)
* OAUTH2 Standalone Provider Patient Selector

  Implemented a patient selector for oauth2 standalone launch. Also made it so we could have some primitive unit tests on the Gacl class with resetting the ACL cache. Wrote a smart auth class for any context / ui needs that are required as part of the oauth2 flow. Eventually if ONC requires the context-launch-encounter piece we can easily add to this class to facilitate additional selector flows. Implemented ACL checks and a search class to be used as part of the oauth2 flow for patients.

* Patient Endpoint, SMART Standalone launch changes.

  Changed fhirUser to be a Person resource instead of Practitioner as not all users are clinician staff. Implemented the Person resource and their Read only pieces. Added some logging so we could debug session problems. Fixed prior commit that was removing the Scope authorization.

* Register App standalone scope selection and ux/ui.

  Made the UI look more consistent with the login page and so it follows other styling of the login pages. Made it so the app registration can choose what scopes they are wanting to have with their app.

* migrate patientrole to main fhir api route

* Centralized scope checks for rest api. Perm update

  Updated the scope permissions so that only the ones we currently support for patient/<resource>.* are supported. Centralized the scope checks in the HttpRestRouteHandler to remove redundant code from the routes and to make sure all possible routes are checked against the access code. This also prevents developers who extend the api from accidentally forgetting to check against the AccessToken. For now I've only enabled it on the FHIR api, but if it tests well we can open it up to the rest of the APIs.

* Fix patient routes to use patient uuid.

* Better error log / debug logs on oauth2 client validation

* Fix fhirUser claim for patient context login.

* Standalone SMART response handler

  Fixed some scope permission checks. Refactored the route parsing algorithm into its own class that can be unit tested against. The parsing logic could then be leveraged in the scope auth check which made matching against the REST FHIR resource a lot easier. Added the additional SMART capabilities we now support with patient standalone and launch standalone. Fixed the refresh token issues. We don't send patient context parameters as part of the refresh_grant oauth2 flow so we only send the parameters now in the authorization_grant flow inside our SMARTResponse object. There may be a better way to make this work, but for now this is functioning.

* Offline access support, client-public support.

  Got the client-public support working by disabling the client_challenge (PKCE support) on public profile oauth2 clients. This is required for ONC inferno testing w/ public clients. V2 of SMART is indicating this will be required back, so hopefully ONC issues an update at some point. Also made it so the offline_access works by restricting the refresh_token issued when offline_access isn't present.

* Fix unit tests and style problems.

* Fix patient context missing for standalone.

  Fixing the refresh token issues broke the patient context missing due to the way the ResponseType object was cloned for the League AuthorizationController.

* Inferno Limited Scope Authorization

  Implemented a logged-in user being able to restrict what scopes they are giving access to for the requesting application. This allows OpenEMR users to prevent an application from giving offline_access (credentials past the 1 hour access token), and other resources to an application that they don't want to provide.

* Fix style errors.

* Fix translate, escape, and comments.
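The commit message describes two mechanisms: a centralized scope check that parses the REST route key and matches it against the SMART scopes carried by the access token, and a refresh token that is only issued when offline_access was granted. The following is an added example written for this page; it is not OpenEMR's code, and the function names, the "METHOD /fhir/Resource/:id" route-key shape and the sample scope list are assumptions made here to illustrate the idea.

```php
<?php
// Added example, not OpenEMR code. Route-key format, function names and the
// sample scopes below are assumptions used only for illustration.

/**
 * Parse a route key such as "GET /fhir/Patient/:uuid" into method and resource.
 * Returns null when the key is not a FHIR resource route, so callers deny by default.
 */
function parseFhirRoute(string $routeKey): ?array
{
    if (!preg_match('#^([A-Z]+)\s+/fhir/([A-Za-z]+)(?:/.*)?$#', $routeKey, $m)) {
        return null;
    }
    return ['method' => $m[1], 'resource' => $m[2]];
}

/**
 * SMART v1 permissions are read or write; anything other than a read verb needs write.
 */
function requiredPermission(string $method): string
{
    return in_array($method, ['GET', 'HEAD'], true) ? 'read' : 'write';
}

/**
 * Parse one SMART v1 resource scope ("patient/Observation.read", "user/*.write",
 * "patient/*.*") into context, resource and permission. Non-resource scopes such as
 * openid, fhirUser, launch/patient and offline_access return null.
 */
function parseScope(string $scope): ?array
{
    if (!preg_match('#^(patient|user|system)/(\*|[A-Za-z]+)\.(\*|read|write)$#', $scope, $m)) {
        return null;
    }
    return ['context' => $m[1], 'resource' => $m[2], 'permission' => $m[3]];
}

/**
 * Central check: does any scope on the token cover the route?
 * $allowedContexts restricts which scope contexts this API accepts at all,
 * e.g. ['patient'] when only patient/<resource>.* scopes are supported.
 */
function scopesAuthorizeRoute(array $tokenScopes, string $routeKey, array $allowedContexts = ['patient', 'user', 'system']): bool
{
    $route = parseFhirRoute($routeKey);
    if ($route === null) {
        return false; // unknown route shapes are denied, never silently allowed
    }
    $need = requiredPermission($route['method']);
    foreach ($tokenScopes as $scope) {
        $s = parseScope($scope);
        if ($s === null || !in_array($s['context'], $allowedContexts, true)) {
            continue;
        }
        $resourceOk = $s['resource'] === '*' || $s['resource'] === $route['resource'];
        $permOk = $s['permission'] === '*' || $s['permission'] === $need;
        if ($resourceOk && $permOk) {
            return true;
        }
    }
    return false;
}

/**
 * A refresh token is only issued when the user actually granted offline_access;
 * otherwise the client is limited to the lifetime of the access token.
 */
function shouldIssueRefreshToken(array $grantedScopes): bool
{
    return in_array('offline_access', $grantedScopes, true);
}

// Constructed sample: scopes a patient-facing app might hold after a standalone launch.
$tokenScopes = ['openid', 'fhirUser', 'launch/patient', 'patient/Patient.read', 'patient/Observation.read'];

foreach (['GET /fhir/Patient/:uuid', 'GET /fhir/Encounter/:uuid', 'PUT /fhir/Patient/:uuid', 'GET /api/patient'] as $key) {
    printf("%-28s %s\n", $key, scopesAuthorizeRoute($tokenScopes, $key, ['patient']) ? 'allowed' : 'denied');
}
printf("refresh token: %s\n", shouldIssueRefreshToken($tokenScopes) ? 'issued' : 'withheld');
```

Putting the check in the route dispatcher rather than in each route handler is what closes the gap the commit message describes: a newly added route that nobody remembered to guard is denied unless a matching scope exists. Note that a patient/ scope only says which resource type the app may touch; whether the requested record belongs to the patient in the token's context is a separate check that still has to be made against the patient uuid on the route.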