forked from awslabs/fhir-works-on-aws-authz-smart
-
Notifications
You must be signed in to change notification settings - Fork 0
/
smartConfig.ts
127 lines (119 loc) · 3.95 KB
/
smartConfig.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*/
import { KeyValueMap } from 'fhir-works-on-aws-interface';
import { Headers } from 'jwks-rsa';
export type ScopeType = 'patient' | 'user' | 'system';
export type AccessModifier = 'read' | 'write' | '*';
export type IdentityType = 'Patient' | 'Practitioner' | 'Person ' | 'RelatedPerson';
export interface ClinicalSmartScope {
scopeType: ScopeType;
resourceType: string;
accessType: AccessModifier;
}
export type AccessRule = {
read: (
| 'read'
| 'vread'
| 'history-type'
| 'history-instance'
| 'search-type'
| 'transaction'
| 'batch'
| 'search-system'
| 'history-system'
)[];
write: ('transaction' | 'batch' | 'create' | 'update' | 'delete' | 'patch')[];
};
/**
* Determines what each scope has access to do
* Scope `patient/Patient.read` maps to `scopeRule.patient.read` operations
* @example
* {
* patient: {
* read: ['read','search-type'],
* write: [],
* },
* user: {
* read: ['read','search-type', 'vread'],
* write: ['transaction','update', 'patch', 'create'],
* },
* system: {
* read: ['read','search-type', 'vread'],
* write: [],
* },
* };
*/
export interface ScopeRule {
patient: AccessRule;
user: AccessRule;
system: AccessRule;
}
export type FhirResource = { hostname: string; resourceType: string; id: string };
export interface UserIdentity extends KeyValueMap {
scopes: string[];
fhirUserObject?: FhirResource;
patientLaunchContext?: FhirResource;
}
export interface IntrospectionOptions {
/**
* Your FHIR server's ID, typically generated by your idp.
*/
clientId: string;
/**
* Your FHIR server's password, typically generated by your idp.
*/
clientSecret: string;
/**
* The introspection url where we will send the access_token to get verified
* @example http://www.authzserver.com/v1/introspect/
*/
introspectUrl: string;
}
export interface SMARTConfig {
version: number;
/**
* Within the access_token the scopes are typically sent in the 'scp' or 'scope' key
*/
scopeKey: string;
/**
* Defined more below
*/
scopeRule: ScopeRule;
/**
* Per SMART spec this is the 'aud' key found in the access_token
*
* Using the string type is recommended. RegExp can be useful when the audience is not static, such as in multi-tenant setups.
* Caution must be taken to avoid overly permissive regular expressions (e.g. avoid using .*). Use regular expressions that are as specific as possible to avoid allowing requests from unexpected audiences.
*/
expectedAudValue: string | RegExp;
/**
* Per SMART spec this is the 'iss' key found in the access_token
*/
expectedIssValue: string;
/**
* Path of the claim found in the access_token that represents the requestors FHIR Id. SMART compliant AuthZ servers should use the `fhirUser` claim, but can use a path if needed.
* @example fhirUser
* @example ext.addedClaims.fhirUser
*/
fhirUserClaimPath: 'fhirUser' | 'profile' | string;
/**
* Prefix of the path found in the access_token that represents the requestors launch context. The remaining part of the claim will identify the resource type i.e. `launch_response_patient`
* @example launch_response_
* @example ext.launch_response_
*/
launchContextPathPrefix: string;
/**
* Json Web Key Set endpoint used to get the key for verifying access_token
*/
jwksEndpoint?: string;
/**
* Headers that will be used for Json Web Key Set endpoint
*/
jwksHeaders?: Headers;
/**
* Token introspection settings; if both introspection and jwksEndpoint are provided tokenIntrospection will be defaulted to.
*/
tokenIntrospection?: IntrospectionOptions;
}