https://github.com/awslabs/fhir-works-on-aws-authz-smart

A SMART on FHIR v1.0.0 implementation of the FHIR Works on AWS framework, utilizing OAuth2/OIDC authorization server to authorize requests

Science Score: 10.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
    1 of 16 committers (6.3%) from academic institutions
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (12.3%) to scientific vocabulary

Keywords

aws fhir fhir-works healthcare hl7 nodejs smart typescript

Keywords from Contributors

diagram dynamodb-cli labels interaction
Last synced: 5 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: awslabs
  • License: apache-2.0
  • Language: TypeScript
  • Default Branch: mainline
  • Homepage:
  • Size: 837 KB
Statistics
  • Stars: 31
  • Watchers: 6
  • Forks: 20
  • Open Issues: 0
  • Releases: 0
Archived
Topics
aws fhir fhir-works healthcare hl7 nodejs smart typescript
Created over 5 years ago · Last pushed almost 3 years ago
Metadata Files
Readme Changelog Contributing License Code of conduct Codeowners

README.md

fhir-works-on-aws-authz-smart

This GitHub repository has been migrated. You can now find FHIR Works on AWS at https://github.com/aws-solutions/fhir-works-on-aws.

Upgrade notice

Versions 3.1.1 and 3.1.2 of the fhir-works-on-aws-authz-smart package have been deprecated for necessary security updates. Please upgrade to version 3.1.3 or higher. For more information, see the fhir-works-on-aws-authz-smart security advisory.

Purpose

This package is an implementation of the authorization interface from the FHIR Works interface. It uses the Substitutable Medical Applications, Reusable Technologies (SMART on FHIR) specification v1.0.0 to authorize users. Requests are authorized if the requestor or the patient in context is referenced in the resource in question.

To use and deploy this component, please follow the overall smart-mainline branch README.

Assumptions

The following assumptions have been made while creating this package:

  • An OAuth2 OpenID Connect authorization server already exists and is used as, or in conjunction with, an identity provider.
    • The OAuth2 server complies with the SMART on FHIR specification
    • The OAuth2 server has a JSON Web Key Set endpoint used to get the key for verifying incoming access tokens
  • The identity provider has a user claim (either fhirUser or profile) representing who this user is in context to this FHIR server. This user must be represented by a fully qualified URL in the claim.
    • As an example, the fhirUser claim should look like: https://www.fhir.com/Patient/1234
    • When using user scopes it is assumed that the fhirUser will be in the access token to determine who the requestor is
  • Launch scopes and contextual requests are handled by the authorization server.
  • Once launch context is given to the authorization server it will be included with a patient scope and the Patient's resourceType and id in the launch_response_patient claim within the access token.
    • As an example, the launch_response_patient claim should look like: Patient/id

Authorization

This package uses SMART scopes and the references found in the resources to determine access. Scopes tell the authorization and resource server what access the requestor has. In addition, the references are used for further authorization, in an attribute based access control model.

Scopes

This resource server supports SMART's v1.0.0 clinical scopes. Some assumptions are made about the authorization and resource server relationship:

  • For patient scopes, there must be a launch_response_patient claim in the access token.
  • For user scopes, there must be a fhirUser claim in the access token.
  • The access modifiers read and write will give permissions as defined in the incoming SMARTConfig.

The resource server also supports SMART's Flat FHIR or Bulk Data system scope. System scopes have the format system/(:resourceType|*).(read|write|*), which conveys the same access as the matching user scope user/(:resourceType|*).(read|write|*).

Attribute Based Access Control (ABAC)

This implementation of the SMART on FHIR specification uses attribute based access control. Access to a resource is given if one of the following statements is true:

  • The fhirUser making the request is considered an Admin (default configuration makes a Practitioner an admin).
  • The fhirUser making the request or the patient in context is looking up their own resource (verified via the resourceType and id).
  • The fhirUser making the request or the patient in context is referenced in the resource on which they are taking action.

In the example below, the Patient resource is accessible by:

  • Admins of the system
  • Requests with the usage of the system scope
  • Patient/example: via resourceType and id check
  • Patient/diffPatient: because it is referenced in the link field
  • Practitioner/DrBell: because it is referenced in the generalPractitioner field

```json
// Example Patient resource with references
{
  "resourceType": "Patient",
  "id": "example",
  "generalPractitioner": [{ "reference": "Practitioner/DrBell" }],
  "link": [
    {
      "type": "seealso",
      "other": { "reference": "Patient/diffPatient" }
    }
  ],
  "address": [
    {
      "period": { "start": "1974-12-25" },
      "city": "London",
      "use": "home",
      "line": ["221b Baker St"],
      "district": "Marylebone",
      "postalCode": "6XE",
      "text": "221b Baker St, Marylebone, London NW1 6XE, United Kingdom",
      "type": "both"
    }
  ],
  "deceasedBoolean": false,
  "name": [{ "family": "Holmes", "given": ["Sherlock"], "use": "official" }],
  "gender": "male",
  "active": true
}
```
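The following is an added example, not code from this package: a simplified TypeScript model of the scope rules (patient, user and system scopes with their required claims) and the three ABAC rules above, run against a trimmed copy of the Patient resource. The claim values, the admin list and all function names are constructed for illustration; a single scope per token is assumed for brevity, and the SMARTConfig access modifiers are not modelled.

```typescript
// Added example, not the project's own code: a simplified model of the README's
// scope and ABAC rules. Claim values, the resource and all names are constructed here.
type FhirResource = { resourceType: string; id: string; [k: string]: unknown };
interface Claims { scope: string; fhirUser?: string; launch_response_patient?: string }
// README default configuration: a Practitioner is treated as an admin.
const ADMIN_TYPES = ['Practitioner'];

// Parse a SMART v1.0.0 clinical or system scope, e.g. "user/Patient.read".
function parseScope(scope: string): { context: string; type: string; access: string } | null {
  const m = /^(patient|user|system)\/([A-Za-z]+|\*)\.(read|write|\*)$/.exec(scope);
  return m ? { context: m[1], type: m[2], access: m[3] } : null;
}

// fhirUser is a fully qualified URL; reduce it to "resourceType/id".
function toRelativeRef(fhirUser: string): string {
  return fhirUser.split('/').filter(Boolean).slice(-2).join('/');
}

// Recursively collect every "reference" value in a resource (link, generalPractitioner, ...).
function collectReferences(node: unknown, out: string[] = []): string[] {
  if (Array.isArray(node)) {
    node.forEach((n) => collectReferences(n, out));
  } else if (node !== null && typeof node === 'object') {
    const obj = node as Record<string, unknown>;
    Object.keys(obj).forEach((k) => {
      if (k === 'reference' && typeof obj[k] === 'string') out.push(obj[k] as string);
      else collectReferences(obj[k], out);
    });
  }
  return out;
}

// Decide access for one resource: system scope, admin, own resource, or referenced in it.
function isAllowed(claims: Claims, resource: FhirResource): boolean {
  const s = parseScope(claims.scope);
  if (!s || (s.type !== '*' && s.type !== resource.resourceType)) return false;
  if (s.context === 'system') return true; // README: system scope requests are allowed
  // user scopes need fhirUser, patient scopes need launch_response_patient; missing => deny
  const who = s.context === 'user'
    ? (claims.fhirUser ? toRelativeRef(claims.fhirUser) : undefined)
    : claims.launch_response_patient;
  if (!who) return false;
  if (s.context === 'user' && ADMIN_TYPES.indexOf(who.split('/')[0]) !== -1) return true;
  if (who === `${resource.resourceType}/${resource.id}`) return true;
  return collectReferences(resource).indexOf(who) !== -1;
}

// Constructed resource mirroring the README's Patient/example, trimmed to its references.
const examplePatient: FhirResource = {
  resourceType: 'Patient', id: 'example',
  generalPractitioner: [{ reference: 'Practitioner/DrBell' }],
  link: [{ type: 'seealso', other: { reference: 'Patient/diffPatient' } }],
};
```

Each deny path (unparseable scope, resourceType mismatch, missing identity claim, identity neither self nor referenced) returns false before any reference walk is consulted.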

Usage

Add this package to your package.json file and install it as a dependency. For usage examples, please see the deployment component's package.json.

Configuration

The SMART specification gives a lot of room for interpretation between the resource and authorization server relationship. With this in mind we developed our SMART implementation to be flexible. The configurations currently available can be viewed in the SMARTConfig.

SMART on FHIR scope rules

Within the SMARTConfig you can see an example implementation of a ScopeRule. The ScopeRule says which operations a scope gives access to. For example, the user/*.write scope provides access to the 'create' operation but not to 'update'.

For an example usage of the SMARTConfig, please see authZConfig.ts in the deployment package.

Dependency tree

This package is dependent on:

Known issues

You can track the issues on the GitHub repository.

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Owner

  • Name: Amazon Web Services - Labs
  • Login: awslabs
  • Kind: organization
  • Location: Seattle, WA

AWS Labs

GitHub Events

Total
  • Watch event: 1
Last Year
  • Watch event: 1

Committers

Last synced: almost 3 years ago

All Time
  • Total Commits: 95
  • Total Committers: 16
  • Avg Commits per committer: 5.938
  • Development Distribution Score (DDS): 0.674
Past Year
  • Commits: 26
  • Committers: 8
  • Avg Commits per committer: 3.25
  • Development Distribution Score (DDS): 0.769
Top Committers
Name Email Commits
Robert Smayda s****4@g****m 31
dependabot[bot] 4****]@u****m 17
Yanyu Zheng y****0@c****u 10
Nestor Carvantes c****s@g****m 9
Sukeerth Vegaraju s****u@y****n 9
Tim Nguyen n****2@u****m 6
kcadette 7****e@u****m 4
Amazon GitHub Automation 5****o@u****m 1
Will St. Clair w****l@w****m 1
john j****s@u****m 1
Sanket Dharwadkar s****d@a****m 1
Sukeerth Vegaraju s****u@g****m 1
vkuzbida-abacus 7****s@u****m 1
Emil Diaz e****z@u****m 1
nisankep 1****p@u****m 1
Joshua Shaver 7****r@u****m 1
Committer Domains (Top 20 + Academic)

Issues and Pull Requests

Last synced: 9 months ago

All Time
  • Total issues: 12
  • Total pull requests: 88
  • Average time to close issues: about 1 month
  • Average time to close pull requests: 8 days
  • Total issue authors: 9
  • Total pull request authors: 13
  • Average comments per issue: 3.17
  • Average comments per pull request: 0.77
  • Merged pull requests: 83
  • Bot issues: 0
  • Bot pull requests: 16
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • medhost-gkersting (3)
  • liquid36 (2)
  • lquanx (1)
  • jeffbonasso-ambifi (1)
  • sdan22 (1)
  • nirojshrestha019 (1)
  • gopalp19 (1)
  • jaytpeters (1)
  • nguyen102 (1)
Pull Request Authors
  • rsmayda (28)
  • dependabot[bot] (16)
  • Bingjiling (12)
  • ssvegaraju (10)
  • carvantes (9)
  • kcadette (5)
  • lquanx (2)
  • SanketD92 (1)
  • john-aws (1)
  • nisankep (1)
  • medhost-jshaver (1)
  • vkuzbida-abacus (1)
Top Labels
Issue Labels
bug (5) customer-inquiry (4) closing-soon-if-no-response (3) enhancement (2) question (1) documentation (1)
Pull Request Labels
size/xs (20) size/s (20) dependencies (18) size/xl (13) documentation (11) size/m (10) auto-release-pr (4) bug (4) enhancement (3) chore (2) size/l (1)

Packages

  • Total packages: 2
  • Total downloads:
    • npm 62 last-month
  • Total dependent packages: 1
    (may contain duplicates)
  • Total dependent repositories: 0
    (may contain duplicates)
  • Total versions: 38
  • Total maintainers: 3
  • Total advisories: 1
proxy.golang.org: github.com/awslabs/fhir-works-on-aws-authz-smart
  • Versions: 19
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Dependent packages count: 5.5%
Average: 5.7%
Dependent repos count: 5.9%
Last synced: 6 months ago
npmjs.org: fhir-works-on-aws-authz-smart

FHIR Works on AWS SMART on FHIR authorization

  • Versions: 19
  • Dependent Packages: 1
  • Dependent Repositories: 0
  • Downloads: 62 Last month
Rankings
Forks count: 6.1%
Stargazers count: 9.4%
Average: 14.6%
Downloads: 16.1%
Dependent packages count: 16.2%
Dependent repos count: 25.3%
Last synced: 11 months ago

Dependencies

package.json npm
  • @types/jest ^26.0.19 development
  • @types/jsonwebtoken ^8.5.0 development
  • @types/lodash ^4.14.161 development
  • @types/node ^12 development
  • @typescript-eslint/eslint-plugin ^4.33.0 development
  • @typescript-eslint/parser ^4.33.0 development
  • axios-mock-adapter ^1.18.2 development
  • eslint ^7.32.0 development
  • eslint-config-airbnb-base ^14.2.1 development
  • eslint-config-prettier ^8.3.0 development
  • eslint-plugin-import ^2.24.2 development
  • eslint-plugin-prettier ^4.0.0 development
  • jest ^26.6.3 development
  • jest-mock-extended ^1.0.8 development
  • jose ^3.5.1 development
  • prettier ^2.4.1 development
  • standard-version ^9.3.2 development
  • ts-jest ^26.4.4 development
  • typescript ^4.1.3 development
  • axios ^0.21.4
  • fhir-works-on-aws-interface ^11.1.0
  • jsonwebtoken ^8.5.1
  • jwks-rsa ^1.12.1
  • lodash ^4.17.21
yarn.lock npm
  • 764 dependencies
.github/workflows/codeql-analysis.yml actions
  • actions/checkout v2 composite
  • github/codeql-action/analyze v1 composite
  • github/codeql-action/init v1 composite
.github/workflows/labeler.yml actions
  • codelytv/pr-size-labeler v1 composite
.github/workflows/release-pr.yml actions
  • actions/checkout v2.3.4 composite
  • actions/setup-node v1 composite
  • repo-sync/pull-request v2 composite
.github/workflows/tag-and-publish.yml actions
  • JS-DevTools/npm-publish v1 composite
  • actions/checkout v2.3.4 composite
  • actions/setup-node v1 composite
.github/workflows/unit-test.yaml actions
  • actions/checkout v2 composite
  • actions/setup-node v1 composite