| Table of Contents |
|---|
| Excerpt |
|---|
Description of how to mock context. |
Setting the available context
In order to set the available context, the AS can be requested with a base64 encoded PrivilegeList xml XML document. This is enabled on a special test client with the id "oio_mock".
Mocking context supports acces access token requests using either a refresh token or username/password.
Pararmeter name | Description | Since |
|---|
version | ||
|---|---|---|
client_id | Required. The OAuth2 client id | |
grant_type | Required. Value ‘refresh_token’ or 'password' | |
refresh_token (grant_type = refresh_token ) | Required. The refresh token of the current session | |
username (grant_type = password) | Required. The username of a keycloak user. | |
password (grant_type = password) | Required. The password of the keycloak user. | |
oio_bpp (available context) | Optional. Base 64 encode PrivilegeList xml document | |
practitioner_upn (available context) | Optional. An unique identifier of a Practitioner. Maps to a FHIR Practitioner resource. | |
practitioner_name (available context) | Optianal. The name of the pratitioner. Sets the name of the FHIR Practitioner. | |
practitioner_email (available context) | Optional. The email of the practitioner. | |
practitioner_authcode | Optional. The authorization code of the practitioner, e. g. "FUT01" | 1.8.8 |
practitioner_cpr | Optional. The CPR of the practitioner. | 1.8.8 |
user_type | Optional. The user type. "SSL" or "PRACTITIONER" (default) | 1.7.8 |
care_team_id (context) | Optional. A valid absolute FHIR URI pointing to a Careteam resource. This adds implicit organization context given the organization constraint in the OIO BPP structure | |
organization_id (context) | Optional. A valid absolute FHIR URI pointing to an Organization resource | |
episode_of_care_id (context) | Optional. This adds implicit patient context. A valid absolute FHIR URI pointing to an Episode of Care resource | |
patient_id (context) | Optional. A valid absolute FHIR URI pointing to a Patient resource |
...
Example of PrivilegeList
...
| Code Block | ||
|---|---|---|
| ||
<?xml version="1.0"?>
<PrivilegeList xmlns="http://itst.dk/oiosaml/basic_privilege_profile">
<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
<Constraint Name="urn:dk:gov:saml:sorIdentifier">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
<Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
<Privilege>urn:dk:sundhed:ehealth:healthcarerole:futTreatmentResponsiblemonitoring_0_3<assistor</Privilege>
<Privilege>urn:dk:sundhed:ehealth:healthcarerole:futMonitoringResponsiblecitizen_0_3<enroller</Privilege>
</PrivilegeGroup>
<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
...
</PrivilegeGroup>
</PrivilegeList> |
Contents of a PrivilegeList
A PrivilegeList must contain at least one PrivilegeGroup with Scope = "urn:dk:gov:saml:cvrNumberIdentifier:<some number>".Each PrivilegeGroup must contain either a constraint with Name
A PrivilegeGroup has the following elements:
Exactly one Constraint specifying an organization identifier (see Organization Constraints)
At most one Constraint specifying a care team identifier (see Care Team Constraints)
At least one Privilege element
Organization Constraints
An organization constraint identifies an Organization resource by an external identifier and type.
There are three types of organizations:
SOR organizations:
Identified by Constraints with Name attribute = "urn:dk:gov:saml:sorIdentifier"
...
and value = {sor-id}
Refers to Fhir Organization with Identifier.system = "urn:
...
oid:1.2.208.176.1.1" and Identifier.value = {sor-id}
Example:
Constraint:
<Constraint Name="urn:dk:gov:saml:sorIdentifier"
...
>950531000016003</Constraint>
Refers to Organization with:
"Identifier": [{"system": "urn:oid:1.2.208.176.1.1"
...
, "value
...
": "
...
950531000016003"}]
STS organizations
Identified by Constraints with Name attribute = "urn:dk:kombit:orgUnit"
...
and value =
...
{sts-id}
Refers to Fhir Organization
...
with
...
Identifier.system = "https://www.kombit.dk/sts/organisation" and Identifier.value =
...
{sts-id}
Example:
Constraint:
<Constraint Name="urn:dk:kombit:orgUnit">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
Refers to Organization with:
"Identifier": [{"system": "https://www.kombit.dk/sts/organisation", "value": "eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4"}]
SSL organizations
Identified by Constraints with Name attribute = "urn:dk:sundhed:ehealth:sslOrg"
Refers to Fhir Organization with Identifier.system = "http://ehealth.sundhed.dk/organization/ssl" and Identifier.value = {ssl-id}
Example:
Constraint:
<Constraint Name="urn:dk:sundhed:ehealth
...
:sslOrg">aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
Refers to Organization with:
"Identifier": [{"system": "http://ehealth.sundhed.dk/organization/ssl", "value": "aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4"}]
Care Team Constraints
A care team constraint identifies a CareTeam resource by an external identifier.
Care team constraints always have Name attribute = "urn:dk:sundhed:ehealth:careteam" and value = "C" refers to a Fhir CareTeam resource with an identifer with system = .
A care team constraint with value = {careteam-id} refers to Fhir CareTeam with Identifier.system = "urn:ietf:rfc:3986" and Identifier.value = "C".
Each PrivilegeGroup must contain at least one Privilege.
Allowed privileges:
{careteam-id}
Example:
Constraint:
<Constraint Name="urn:dk:
- urn:dk:healthcare:futMonitoringResponsible_0_3
- urn:dk:healthcare:futMonitoringDelegate_0_3
- urn:dk:healthcare:futClinicalContentDefiner_0_3
- urn:dk:healthcare:futRequestEffectuator_0_3
sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
Refers to CareTeam with:
"Identifier": [{"system": "urn:ietf:rfc:3986", "value": "cccccccc-b760-11e9-a2a3-2a2ae2dbcce4"}]
Privileges
Allowed privileges, see Token Based Security#Privilege-Roles.