Trying to Better Understand ClientApplications and...
# support
d
Hi! Posting 2 questions. Non-blockers. We're releasing to prod soon with a self-hosted instance in AWS; it's been a fun process, we'll share more about it. Thank GitHub Copilot for saving you from many of my questions. We're releasing a simple form signatures, turn to PDF and store product, loving it. The server runs, installed packages/app independently to use as a dashboard, we managed to send emails through SES, and reset password works. I still don't understand the whole Project and super admin part, so we're disabling register and leaving it at that.

1 - Would love to create an access_token I can return to a third party so that they have a shorter URL; the patient uses that with an id they know, the token only allows one user to edit itself and I expire it after the first edit. This is to prevent a token leaking. Currently solving it with an amount of custom code, but was hoping I could programmatically log a Patient in and create one and then log them off from the server side, and ClientApplications for each patient basically.

2 - Would love to see the super admin part. I deployed the dashboard and register and then disabled register to prevent me creating junk data, and so I'm limited to a Provider-only view and not sure where or how to activate the super admin. I don't have any live data, so I could recreate the environment if needed, except after we launch, hopefully soon.
r
Hi @dvidsilva, congratulations on your upcoming production release. That's super exciting. If you don't mind sharing with the community, we'd love to know the name of your company.

1. The feature of 1-time access tokens is an interesting one. Do you mind describing your exact use case? I'm not sure there is a perfect solution here, but you could use the medplum client to log someone in, make the edit, and then sign out using the `signOut` method. https://www.medplum.com/docs/sdk/core.medplumclient.signout

2. This document talks a bit more about projects, including how to access the super admin project. Let me know if you have any more questions: https://www.medplum.com/docs/access/projects
d
Thanks @rahul1! It's called Lotus AI, got this domain lotuscares.ai.

1 - The flow is something like this: the patient is going to receive a link from the medical practice that points to a form, they fill out the answers, we capture it, create a PDF and send it to their EHR. The code is running on the server so it doesn't have access to the medplum client; we're using the REST API.

2 - I think I get it a bit more then. I don't think I see a super admin project though, could try to see that on the next deploy. Currently the user I registered seems to be an admin of one project, and I got a second user in that project using the dashboard.
e
Hi there, @rahul1. My name is Gregory Everitt, and I'm a contractor who is working with @dvidsilva until the end of the week. I was playing around with SMART scopes in an attempt to limit each access token to creating `QuestionnaireResponse`s that have the specific patient the token was created for as the response's `subject`, but I find that I can use the token to create responses for arbitrary patients, not just the one specified in this following `scope` header that I sent to `oauth2/token`:

```
openid patient/QuestionnaireResponse.c Questionnaire.rs
```
Now, this isn't a surprise to me necessarily, because HL7's SMART spec (https://hl7.org/fhir/smart-app-launch/backend-services.html#scopes) seems to say that the `patient/` prefix is meaningless unless the patient is the one who logged in, but Medplum's own SMART scope documentation (https://hl7.org/fhir/smart-app-launch/backend-services.html#scopes) suggests that this should work so long as I provide the additional HTTP header `patient=PATIENT_ID`. Is there something I'm missing, or do we just need to log in as the patient if we want to achieve this sort of security?

PS: Perhaps less pressingly, I noticed that if I remove the `patient/` prefix from `patient/QuestionnaireResponse.c` then the server lets me create new patients with the access token and forbids me otherwise. I'm not sure what that's all about.

PPS: I'm running Medplum server v2.1.20 on my local machine, and I will post example requests and responses in a followup message.
Request for access token:
```
curl --location 'localhost:8103/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
--header 'Authorization: Basic CLIENT_ID_AND_SECRET' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=openid patient/QuestionnaireResponse.c Questionnaire.r' \
--data-urlencode 'patient=AUTHORIZED_PATIENT_ID'
```
Request to create a questionnaire response for the authorized patient:
```
curl --location 'localhost:8103/fhir/R4/QuestionnaireResponse' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ACCESS_TOKEN' \
--data '{
    "resourceType": "QuestionnaireResponse",
    "subject": {
        "reference": "Patient/AUTHORIZED_PATIENT_ID"
    }
}'
```
Response:
```
{
  "resourceType": "QuestionnaireResponse",
  "subject": {
    "reference": "Patient/AUTHORIZED_PATIENT_ID"
  },
  "id": "cda58d50-a664-4685-a360-3ad8ece11c46",
  "meta": {
    "versionId": "57f9173d-af39-459a-86a4-f3ca5611db4c",
    "lastUpdated": "2023-11-30T17:42:49.042Z"
  }
}
```
Finally, here is the request to create a questionnaire response for a patient whose ID was not specified during the creation of the access token, along with the response with the unexpected success message:
```
curl --location 'localhost:8103/fhir/R4/QuestionnaireResponse' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ACCESS_TOKEN' \
--data '{
    "resourceType": "QuestionnaireResponse",
    "subject": {
        "reference": "Patient/UNAUTHORIZED_PATIENT_ID"
    }
}'
```
And the response:
```
{
  "resourceType": "QuestionnaireResponse",
  "subject": {
    "reference": "Patient/UNAUTHORIZED_PATIENT_ID"
  },
  "id": "04b9ec21-5343-4a90-9ee0-287543851841",
  "meta": {
    "versionId": "441c6c51-d2ae-435b-abb5-ca3e1d87bb94",
    "lastUpdated": "2023-11-30T17:46:49.382Z"
  }
}
```
r
> 2 - I think I get it a bit more then, I don't think I see a super admin project tho, could try to see that on the next deploy. Currently the user I registered seems to be an admin of one project, and I got a second user in that project using the dashboard

Hi @dvidsilva, sorry for the confusion. By default `admin@example.com` is the only user registered in the Super Admin project. After you login using those credentials, you can invite your own user to the project: https://www.medplum.com/docs/contributing/run-the-stack#start-the-servers
Gregory, thanks for the thoughtful question. Unfortunately, I'm not deeply well versed with SMART scopes, so I'll need to do some research and get back to you with a more thoughtful answer.
d
Oh, got it! Missed that password for some reason. Thanks!