An update to the SMART client

Just a quick note the say that I’ve made a couple of changes to the SMART client we discussed in a previous post.

There’s now an option to start the login process in a separate tab. This is needed because a number of sites I’ve been testing won’t let the login page open in an iFrame (it’s a security thing). When you configure the server, select the ‘separate tab’ option under ‘Where to open Browser’ at the bottom of the first page.

When you login, you’ll need to click a button on the right after the CapabilityStatement has been retrieved (another security thing) and a new tab will open where the login page will be displayed. In chrome at least, the tab will be immediately displayed. You can still click back to the original tab to view the progress messages.

Screen Shot 2018-12-13 at 8.41.56 AM

You can also request a refresh token. We’re going to talk more about refresh tokens when we discuss the details of the app, but briefly if your app is a confidential one (can protect a secret) then when it originally authenticates it can request an refresh token (using a couple of scopes – offline_access & online_access – details here).

This is useful as an access token has a limited life span – it typically expires after an hour. If you have a refresh token then you can use it to get another access token without the user needing to get involved. Otherwise, they would need to re-authenticate.

I’ve not implemented an automatic refresh, but the query page now displays the expiry of the access token (and has a countdown) along with a link to perform the refresh. In a commercial app you’d likely trap the ‘access denied’ after the access token expires and perform this without the user knowing anything.

Screen Shot 2018-12-13 at 8.46.06 AM

BTW note that in the screenshot above neither online_access nor offline_access were included in the scope. This shows nicely that a server doesn’t have to accept the scopes in the original request – it’s a negotiation. In this case, the SMART server includes the refresh token automatically – so the Renew link is displayed.

I also added an option to add the SMART endpoints directly to the config rather then retrieving this from the CapabilityStatement. Useful if the server implements OAuth2, but not fully SMART.

About David Hay
I'm an independent contractor working with a number of Organizations in the health IT space. I'm an HL7 Fellow, Chair Emeritus of HL7 New Zealand and a co-chair of the FHIR Management Group. I have a keen interest in health IT, especially health interoperability with HL7 and the FHIR standard. I'm the author of a FHIR training and design tool - clinFHIR - which is sponsored by InterSystems Ltd.

Leave a Reply