Server Scopes (openemr#4124)

* Server Scopes
- consolodated all scope handling to ScopeRepository
- fixed up fhir metadata and moved scope qualify for smart well known to scope repository

* - bump oidc server lib

* - adj version

* - breakup fhir meta resource
- finish scope consolidation

_rest_config.php

@@ -53,7 +53,7 @@ class RestConfig
  // you can guess what the rest are!
  public static $VENDOR_DIR;
  public static $SITE;
-
+ public static $apisBaseFullUrl;
  public static $webserver_root;
  public static $web_root;
  public static $server_document_root;
@@ -428,54 +428,6 @@ public function authenticateUserToken($tokenId, $userId): bool
  private function __clone()
  {
  }
-
- // nonce claim and nonce scope is handled by server logic.
- // I'm still unsure how'd support id_tokens unless we persist them in DB.
- public static function supportedClaims(): array
- {
- return array(
- "name",
- "email",
- "email_verified",
- "family_name",
- "given_name",
- "fhirUser",
- "locale", //
- "aud", //client_id
- "iat", // token create time
- "iss", // token issuer(https://domain)
- "exp", // token expiry time.
- "sub" // the subject of token. usually patient UUID.
- );
- }
- // change these as appropriate or where needed.
- // smart scopes are provided here for sake of example.
- public static function supportedScopes(): array
- {
- return array(
- "openid",
- "profile",
- "name",
- "given_name",
- "family_name",
- "nickname",
- "phone",
- "phone_verified",
- "address",
- "email",
- "email_verified",
- "offline_access", // long lived refresh token issued. we do anyway wanted or not.
- "fhirUser",
- "api:oemr",
- "api:fhir",
- "api:port",
- "api:pofh",
- "patient/Patient.read", // Permission to read a resource for the current server signed in patient. i.e patient is from pid(UUID) claims user_id/subject(sub).
- "user/*.*", // Permission to read and write all resources that the current user can access. Ditto
- "launch", // Permission to retrieve information about the current logged-in user i.e logged into auth server.
- "launch/patient" // Permission to obtain launch context when app is launched from an EHR
- );
- }
 }
 
 // Include our routes and init routes global

apis/dispatch.php

@@ -109,6 +109,8 @@
 $sessionAllowWrite = true;
 require_once("./../interface/globals.php");
 
+$gbl::$apisBaseFullUrl = $GLOBALS['site_addr_oath'] . $GLOBALS['webroot'] . "/apis/" . $gbl::$SITE;
+
 if ($isLocalApi) {
  // need to check for csrf match when using api locally
  $csrfFail = false;

composer.json

@@ -58,7 +58,7 @@
  "vlucas/phpdotenv": "5.2.0",
  "waryway/php-traits-library": "1.0.4",
  "yubico/u2flib-server": "1.0.2",
- "steverhoades/oauth2-openid-connect-server": "1.2",
+ "steverhoades/oauth2-openid-connect-server": "1.3",
  "nyholm/psr7": "1.3.2",
  "nyholm/psr7-server": "1.0.1",
  "lcobucci/jwt": "dev-342php8 as 3.4.9",