Description of how to mock context.

Setting the available context

To set the available context, the AS can be requested with a base64-encoded PrivilegeList XML document. This is enabled on a special test client with the id "oio_mock".

Mocking context supports access token requests using either a refresh token or username/password.

Parameter name | Description | Since version
-------------- | ----------- | -------------
client_id | Required. The OAuth2 client id |
grant_type | Required. Value 'refresh_token' or 'password' |
refresh_token (grant_type = refresh_token) | Required. The refresh token of the current session |
username (grant_type = password) | Required. The username of a Keycloak user |
password (grant_type = password) | Required. The password of the Keycloak user |
oio_bpp (available context) | Optional. Base64-encoded PrivilegeList XML document |
practitioner_upn (available context) | Optional. A unique identifier of a Practitioner. Maps to a FHIR Practitioner resource |
practitioner_name (available context) | Optional. The name of the practitioner. Sets the name of the FHIR Practitioner |
practitioner_email (available context) | Optional. The email of the practitioner |
practitioner_authcode | Optional. The authorization code of the practitioner, e.g. "FUT01" | 1.8.8
practitioner_cpr | Optional. The CPR of the practitioner | 1.8.8
user_type | Optional. The user type: "SSL" or "PRACTITIONER" (default) | 1.7.8
care_team_id (context) | Optional. A valid absolute FHIR URI pointing to a CareTeam resource. This adds implicit organization context given the organization constraint in the OIO BPP structure |
organization_id (context) | Optional. A valid absolute FHIR URI pointing to an Organization resource |
episode_of_care_id (context) | Optional. A valid absolute FHIR URI pointing to an EpisodeOfCare resource. This adds implicit patient context |
patient_id (context) | Optional. A valid absolute FHIR URI pointing to a Patient resource |


Example of PrivilegeList

```xml
<?xml version="1.0"?>
<PrivilegeList xmlns="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:healthcarerole:futTreatmentResponsiblemonitoring_0_3assistor</Privilege>
    <Privilege>urn:dk:sundhed:ehealth:healthcarerole:futMonitoringResponsiblecitizen_0_3enroller</Privilege>
  </PrivilegeGroup>
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
    ...
  </PrivilegeGroup>
</PrivilegeList>
```
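As an added example (not code from the page or from the AS project), the following Python builds a one-group PrivilegeList, base64-encodes it for the oio_bpp parameter and assembles the form body of a mock-context token request, enforcing the grant-specific required parameters from the table above. The CVR, SOR and care team identifiers used in the test are the page's placeholder values; sending the form to the AS token endpoint is left to the caller.

```python
import base64
from xml.sax.saxutils import escape

NS = "http://itst.dk/oiosaml/basic_privilege_profile"
MOCK_CLIENT_ID = "oio_mock"  # the special test client named on the page
CARETEAM_NAME = "urn:dk:sundhed:ehealth:careteam"
# Required parameters per grant_type, as listed in the parameter table
REQUIRED = {"refresh_token": ("refresh_token",), "password": ("username", "password")}


def build_privilege_list(cvr, org_constraint, privileges, careteam_id=None):
    """Serialise a PrivilegeList with one PrivilegeGroup scoped to a CVR number.
    org_constraint is the (Name, value) pair of the single organization constraint."""
    if not privileges:
        raise ValueError("a PrivilegeGroup needs at least one Privilege")
    name, value = org_constraint
    attr = {'"': "&quot;"}  # extra escaping for attribute values
    lines = [
        '<?xml version="1.0"?>',
        f'<PrivilegeList xmlns="{NS}">',
        f'  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:{escape(str(cvr), attr)}">',
        f'    <Constraint Name="{escape(name, attr)}">{escape(value)}</Constraint>',
    ]
    if careteam_id:  # at most one care team constraint per group
        lines.append(f'    <Constraint Name="{CARETEAM_NAME}">{escape(careteam_id)}</Constraint>')
    lines += [f"    <Privilege>{escape(p)}</Privilege>" for p in privileges]
    lines += ["  </PrivilegeGroup>", "</PrivilegeList>"]
    return "\n".join(lines)


def encode_oio_bpp(xml_text):
    """Base64-encode the PrivilegeList for the oio_bpp request parameter."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def build_token_request(grant_type, oio_bpp=None, context=None, **creds):
    """Assemble the form body of a mock-context token request and check the
    grant-specific required parameters. POSTing it to the AS is left to the caller."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    missing = [p for p in REQUIRED[grant_type] if not creds.get(p)]
    if missing:
        raise ValueError("missing required parameter(s): " + ", ".join(missing))
    form = {"client_id": MOCK_CLIENT_ID, "grant_type": grant_type}
    form.update({p: creds[p] for p in REQUIRED[grant_type]})
    if oio_bpp:
        form["oio_bpp"] = oio_bpp
    form.update(context or {})  # e.g. practitioner_upn, care_team_id, patient_id
    return form
```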

Contents of a PrivilegeList

A PrivilegeList must contain at least one PrivilegeGroup with Scope = "urn:dk:gov:saml:cvrNumberIdentifier:<some number>". Each PrivilegeGroup must contain either a constraint with Name

A PrivilegeGroup has the following elements:

  • Exactly one Constraint specifying an organization identifier (see Organization Constraints)

  • At most one Constraint specifying a care team identifier (see Care Team Constraints)

  • At least one Privilege element

Organization Constraints

An organization constraint identifies an Organization resource by an external identifier and type.

There are three types of organizations:

  1. SOR organizations

    • Identified by Constraints with Name attribute = "urn:dk:gov:saml:sorIdentifier" and value = {sor-id}

    • Refers to FHIR Organization with Identifier.system = "urn:oid:1.2.208.176.1.1" and Identifier.value = {sor-id}

    • Example:

      • Constraint: <Constraint Name="urn:dk:gov:saml:sorIdentifier">950531000016003</Constraint>

      • Refers to Organization with: "Identifier": [{"system": "urn:oid:1.2.208.176.1.1", "value": "950531000016003"}]

  2. STS organizations

    • Identified by Constraints with Name attribute = "urn:dk:kombit:orgUnit" and value = {sts-id}

    • Refers to FHIR Organization with Identifier.system = "https://www.kombit.dk/sts/organisation" and Identifier.value = {sts-id}

    • Example:

      • Constraint: <Constraint Name="urn:dk:kombit:orgUnit">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>

      • Refers to Organization with: "Identifier": [{"system": "https://www.kombit.dk/sts/organisation", "value": "eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4"}]

  3. SSL organizations

    • Identified by Constraints with Name attribute = "urn:dk:sundhed:ehealth:sslOrg" and value = {ssl-id}

    • Refers to FHIR Organization with Identifier.system = "http://ehealth.sundhed.dk/organization/ssl" and Identifier.value = {ssl-id}

    • Example:

      • Constraint: <Constraint Name="urn:dk:sundhed:ehealth:sslOrg">aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>

      • Refers to Organization with: "Identifier": [{"system": "http://ehealth.sundhed.dk/organization/ssl", "value": "aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4"}]

Care Team Constraints

A care team constraint identifies a CareTeam resource by an external identifier.

Care team constraints always have Name attribute = "urn:dk:sundhed:ehealth:careteam" and value = {careteam-id}.

A care team constraint with value = {careteam-id} refers to FHIR CareTeam with Identifier.system = "urn:ietf:rfc:3986" and Identifier.value = {careteam-id}.

Example:

  • Constraint: <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>

  • Refers to CareTeam with: "Identifier": [{"system": "urn:ietf:rfc:3986", "value": "cccccccc-b760-11e9-a2a3-2a2ae2dbcce4"}]

Privileges

Each PrivilegeGroup must contain at least one Privilege. For the allowed privileges, see Token Based Security#Privilege-Roles.
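The structural rules from "Contents of a PrivilegeList" and the constraint-to-FHIR mappings from the Organization and Care Team Constraints sections, as an added validator (example code, not the AS project's own): it parses a PrivilegeList, rejects groups that break the exactly-one-organization / at-most-one-care-team / at-least-one-Privilege rules, and resolves each constraint to the FHIR Identifier.system and value it refers to. The embedded sample is constructed from the page's placeholder identifiers; its Privilege value is a placeholder, not an allowed privilege.

```python
import xml.etree.ElementTree as ET

NS = "{http://itst.dk/oiosaml/basic_privilege_profile}"
CVR_PREFIX = "urn:dk:gov:saml:cvrNumberIdentifier:"
CARETEAM_NAME = "urn:dk:sundhed:ehealth:careteam"
SYSTEMS = {  # constraint Name -> FHIR Identifier.system, as given on the page
    "urn:dk:gov:saml:sorIdentifier": "urn:oid:1.2.208.176.1.1",
    "urn:dk:kombit:orgUnit": "https://www.kombit.dk/sts/organisation",
    "urn:dk:sundhed:ehealth:sslOrg": "http://ehealth.sundhed.dk/organization/ssl",
    CARETEAM_NAME: "urn:ietf:rfc:3986",
}

# Constructed sample; the SOR id, care team id and privilege are placeholders
SAMPLE = """<PrivilegeList xmlns="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">950531000016003</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:healthcarerole:PLACEHOLDER</Privilege>
  </PrivilegeGroup>
</PrivilegeList>"""


def parse_privilege_list(xml_text):
    """Validate the PrivilegeList rules and map each group's constraints to FHIR identifiers."""
    root = ET.fromstring(xml_text)
    groups = root.findall(NS + "PrivilegeGroup") if root.tag == NS + "PrivilegeList" else []
    if not groups:
        raise ValueError("a PrivilegeList with at least one PrivilegeGroup is required")
    result = []
    for g in groups:
        scope = g.get("Scope", "")
        if not scope.startswith(CVR_PREFIX) or not scope[len(CVR_PREFIX):].isdigit():
            raise ValueError(f"bad Scope {scope!r}")
        orgs, teams = [], []
        for c in g.findall(NS + "Constraint"):
            name, value = c.get("Name"), (c.text or "").strip()
            if name not in SYSTEMS:
                raise ValueError(f"unknown constraint {name!r}")
            bucket = teams if name == CARETEAM_NAME else orgs
            bucket.append({"system": SYSTEMS[name], "value": value})
        if len(orgs) != 1:  # exactly one organization constraint
            raise ValueError("exactly one organization constraint is required")
        if len(teams) > 1:  # at most one care team constraint
            raise ValueError("at most one care team constraint is allowed")
        privs = [(p.text or "").strip() for p in g.findall(NS + "Privilege")]
        if not privs or not all(privs):
            raise ValueError("at least one non-empty Privilege is required")
        result.append({"cvr": scope[len(CVR_PREFIX):], "organization": orgs[0],
                       "careteam": teams[0] if teams else None, "privileges": privs})
    return result
```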