**Note**: This tutorial explains how to register a 'confidential' app. Many FHIR servers don't support "confidential" apps (those which can protect a client_secret), so you may be stuck doing things the public way for a while.

# Register the client

We're going to be using the [SmartHealthIT][smarthealthit] Sandboxes, so we need to go to the [sandbox][sb] and register a new client there, clicking 'Register Manually', and filling in the boxes:

- App Type: Confidential Client
- App Name: FHIRstorm test
- App Launch URI: http://localhost:8000/launch
- App Redirect URIs: http://localhost:8000/callback
- Allow Offline Access: (checked)
- Patient Scoped App: (checked)
- App logo: (skip it for now)

Register it, and then save the client ID and secret that it gives you to a configuration file. 
The one we'll here is saved in example/auth-tutorial/config.py

[smarthealthit]: http://docs.smarthealthit.org/
[sb]: https://sandbox.smarthealthit.org/smartdstu2/#/manage-apps

In [1]:
# %load ../example/auth-tutorial/config.py
SMART_CLIENT_ID = '9644d85e-07f0-4962-a78b-ab1bfe39c6d8'
SMART_CLIENT_SECRET = 'APOO8c_OjK4DrcwoTYp82KUv2LrRvD_hlVinoZzqoxO5EPUZhprbb4azfXp8qTdMFxdviSQIKr7SMswVpR4SSVc'
SMART_SERVICE_ROOT = 'https://sb-fhir-dstu2.smarthealthit.org/smartdstu2/data'
SMART_SCOPE = 'openid profile offline_access patient/*.*'
JWT_SECRET = 'itsaseekrit'


To actually handle the redirect and such, we'll need to have a (minimal) web server. There's a basic one in example/auth-tutorial/app.py

Let's walk through that file step by step:

In [2]:
# %load -r 1-7 ../example/auth-tutorial/app.py
import os
from flask import Flask, request, redirect, jsonify, url_for, abort
from fhirstorm import Connection, auth

os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = 'true'
app = Flask(__name__)
app.config.from_pyfile('../example/auth-tutorial/config.py')

True

Here, we have the imports and global variables we'll need. 

In particular, we have
- `os` to give us `os.environ`, which lets us tell the Python oauth library that it's OK for us to use insecure (http) redirect urls (they're localhost urls anyway, so they're pretty secure...)
- From `flask` we import a number of names to help us with our app (more on those when we use them)
- `Connection` and `auth` is what we need from `fhirstorm` to let us connect to the server
- `app` is the Flask application 

Next, we have the actual web routes we'll be handling.

For this tutorial, we'll need to handle 3 paths:

- `/launch` will handle cases where the FHIR server initiates a session with *us* (the so-called 'launch profile')
- `/callback` will handle the callback from the FHIR server with an authorization **code** (that we'll exchange for a **access_token**

# SMART "launch sequences"

There are two ways that your app might be started: either from the FHIR server (via an EHR interface or patient portal), or 'standalone' (the user starts at your app and doesn't have to log into a patient portal before using your app).
We'll refer to these as the **EHR launch sequence** and the **Standalone launch sequence** below.

The general idea is as follows:

1. [launch only] The EHR user chooses to launch your app 
1. [launch only] The EHR redirects the user to your "App launch URI"
1. [both] Your app redirects the user to the EHR's `authorization_uri`
1. [both] The EHR user confirms that access is authorized
1. [both] The EHR redirects the user back to your "App redirect URI" with an authorization `code`
1. [both] Your app (not involving the user) exchanges the `code` for an `access_token` via a `POST` request
1. [both] Your app uses the `access_token` for subsequent calls

In the **EHR launch sequence**, everything starts at step 1. In the **Standalone launch sequence**, everything 
starts in step 3. Otherwise they're basically the same

## Handling the EHR launch sequence

Our `/launch` route's purpose is just to send a specially-crafted redirect _back_ to the FHIR server. 
This URL (which we configured earlier as the 'App Launch URI') is invoked via a GET request by the FHIR server with two parameters: `iss` and `launch`:

- `iss` is a reference to the service root used by the server. That way your app can be configured to work with a number of different EHRs, all hitting the same `/launch` URI
- `launch` is an opaque string containing a value that you must send _back_ to the FHIR server with the authorization redirect. 

In the code below, we:

- inspect the `iss` argument (to make sure we recognize the server),
- grab the `service` object from a FHIRstorm `Connection` back to the FHIR server,
- generate a `state` parameter that will let us verify the callback we receive later,
- use FHIRstorm's `auth.authorization_url` function to obtain a URL that we'll redirect the user to, and 
- finally, actually perform the redirect

In [3]:
# %load -s launch ../example/auth-tutorial/app.py
@app.route('/launch')
def launch():
    iss = request.args['iss']
    if iss != app.config['SMART_SERVICE_ROOT']:
        abort(403)
    launch = request.args.get('launch', None)
    conn = Connection(iss)
    service = conn.service()

    state = auth.jwt_state(app.config['JWT_SECRET'])

    authorization_url, state = auth.authorization_url(
        service,
        client_id=app.config['SMART_CLIENT_ID'],
        client_secret=app.config['SMART_CLIENT_SECRET'],
        redirect_uri=url_for('callback', _external=True),
        scope=app.config['SMART_SCOPE'],
        state=state,
        aud=iss,
        launch=launch)
    return redirect(authorization_url)


## Handling the callback (used for both EHR launch and standalone launch)

After the user verifies that access is granted, the EHR will redirect the user to your "App redirect URI" (which we specified both at app registration time _and_ in the construction of our `authorization_url`. 

In the code below, we:

- get a `Connection` and `service` objects from FHIRstorm again, 
- use the `service` and the `auth.fetch_token` to exchange our authorization code (which is embedded in `request.url`
- save the token in a global variable (just for this tutorial; normally we'd store it in a database)

In [4]:
# %load -s callback ../example/auth-tutorial/app.py
@app.route('/callback')
def callback():
    global ACCESS_TOKEN
    conn = Connection(app.config['SMART_SERVICE_ROOT'])
    service = conn.service()
    token = auth.fetch_token(
        service,
        client_id=app.config['SMART_CLIENT_ID'],
        client_secret=app.config['SMART_CLIENT_SECRET'],
        redirect_uri=url_for('callback', _external=True),
        authorization_response=request.url,
        state_validator=auth.jwt_state_validator(
            app.config['JWT_SECRET'],
            iss=app.config['SMART_SERVICE_ROOT']))
    print(token)
    ACCESS_TOKEN = token
    return jsonify(token)


# Testing out the EHR launch sequence

Now that we have the Flask application designed, we can go ahead and run it for a couple of requests (one to handle the `/launch` request and one to handle the `/callback`. 

If you want to do this on your own, you can either run the Flask app standalone as follows:

```bash
FLASK_APP=example/auth-tutorial/app.py python -m flask run
```

Or you can run the code interactive to handle a couple of requests as shown in the following cell.

Either way, once you have the server listening for connections, you'll need to return to the sandbox and launch your app from there. 

In [5]:
from wsgiref.simple_server import make_server

with make_server('', 8000, app) as httpd:
    httpd.handle_request()
    httpd.handle_request()

127.0.0.1 - - [08/Dec/2017 13:40:46] "GET /launch?iss=https%3A%2F%2Fsb-fhir-dstu2.smarthealthit.org%2Fsmartdstu2%2Fdata&launch=NiF4U4 HTTP/1.1" 302 1293


{'access_token': 'eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyNzU4NDQ3LCJqdGkiOiI1MzExMmRmZC1iODFjLTQ0ZGItOTNiYi04OTJkMTE1YTQ1MTYifQ.kKS3uLOjC6Cypi4KNF-QHB9JNkld89sG4XTHNs-ZB7RVyjX1XrzTv8r_M0MlXnc8pjuywTnIjSQfolzQd28mHF3hRAxgtIRGhjupu9tIPbNQxvOyY57r9SxofsMdGWIWZhhOyoQbbUXw4wy3a5EjB3ID2wPMgtXVq_wRxgJ6AoaT_rC25W6isFpmf1NHKNxMEOdvMbURhqSGQ1xECApUYuj6ZuaxFM8-9jWp6sfKnbtp88OhzQnabFCkdW1p4OUUmiQb2N-1Xltt8CwRw2RivybU1GZPTBOz_R7P_HSGO1E5EEJxG9kt28Q9UjyQ1BqOgEjWO6dqcBDVEPX4MXv9OA', 'token_type': 'Bearer', 'refresh_token': 'eyJhbGciOiJub25lIn0.eyJleHAiOjE1MTI3NTg0NDcsImp0aSI6IjQ0MzQ5MWNhLWI1M2UtNDdiOS1hODc0LTQyN2FhYzYzZTBkZiJ9.', 'scope': ['launch', 'openid', 'patient/*.*', 'offline_access', 'profile'], 'patient': '783a1f02-5bf9-41c9-90d0-c2c4d35d3ec3', 'id_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIiLCJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Y

127.0.0.1 - - [08/Dec/2017 13:40:47] "GET /callback?code=82y7d1&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MTI3NTg3NDZ9.czDdhVCJPLTuuFBPolT2D-43FRkC9PAOojHxm0R-quw HTTP/1.1" 200 1666


At this point, we have an `access_token` which we should save (but in this tutorial we're just keeping it in the `ACCESS_TOKEN` variable:

In [6]:
ACCESS_TOKEN

{'access_token': 'eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyNzU4NDQ3LCJqdGkiOiI1MzExMmRmZC1iODFjLTQ0ZGItOTNiYi04OTJkMTE1YTQ1MTYifQ.kKS3uLOjC6Cypi4KNF-QHB9JNkld89sG4XTHNs-ZB7RVyjX1XrzTv8r_M0MlXnc8pjuywTnIjSQfolzQd28mHF3hRAxgtIRGhjupu9tIPbNQxvOyY57r9SxofsMdGWIWZhhOyoQbbUXw4wy3a5EjB3ID2wPMgtXVq_wRxgJ6AoaT_rC25W6isFpmf1NHKNxMEOdvMbURhqSGQ1xECApUYuj6ZuaxFM8-9jWp6sfKnbtp88OhzQnabFCkdW1p4OUUmiQb2N-1Xltt8CwRw2RivybU1GZPTBOz_R7P_HSGO1E5EEJxG9kt28Q9UjyQ1BqOgEjWO6dqcBDVEPX4MXv9OA',
 'id_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIiLCJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJkaXNwbGF5TmFtZSI6IkpvaG4gU21pdGgiLCJwcm9maWxlIjoiUHJhY3RpdGlvbmVyXC9TTUFSVC0xMjM0Iiwia2lkIjoicnNhMSIsImlzcyI6Imh0dHBzOlwvXC9zYi1hdXRoLnNtYXJ0aGVhbHRoaXQub3JnXC8iLCJleHAiOjE1MTI3NTkwNDcsImlhdCI6MTUxMjc1ODQ0NywiZW1haWwiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIifQ.o

# Testing out the standalone launch sequence

We can also test out the standalone launch sequence. 
First, we'll need to create the authorization URL:

In [7]:
conn = Connection(SMART_SERVICE_ROOT)
service = conn.service()
state = auth.jwt_state(app.config['JWT_SECRET'])
scope = 'launch launch/patient ' + SMART_SCOPE
authorization_url, state = auth.authorization_url(
    service,
    client_id=SMART_CLIENT_ID,
    client_secret=SMART_CLIENT_SECRET,
    redirect_uri='http://localhost:8000/callback',
    scope=scope,
    state=state,
    aud=SMART_SERVICE_ROOT)

In [8]:
scope

'launch launch/patient openid profile offline_access patient/*.*'

Things to notice in the above code:

- we added the `launch/patient` scope to tell the FHIR server we want a "patient context" to be selected for us
- we don't need to pass the `aud` and `launch` parameters this time.

To actually perform the authorization, we can visit the authorization URL while running our little server for one request:

In [9]:
authorization_url

'https://sb-auth.smarthealthit.org/authorize?response_type=code&client_id=9644d85e-07f0-4962-a78b-ab1bfe39c6d8&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&scope=launch+launch%2Fpatient+openid+profile+offline_access+patient%2F%2A.%2A&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MTI3NTg3NDh9.Y-1APqF7Zax3Y_YH9tyxZTC8eOMtIfjCfjOLXjjK0Qo&client_secret=APOO8c_OjK4DrcwoTYp82KUv2LrRvD_hlVinoZzqoxO5EPUZhprbb4azfXp8qTdMFxdviSQIKr7SMswVpR4SSVc&aud=https%3A%2F%2Fsb-fhir-dstu2.smarthealthit.org%2Fsmartdstu2%2Fdata'

In [10]:
import webbrowser
webbrowser.open_new_tab(authorization_url)

with make_server('', 8000, app) as httpd:
    httpd.handle_request()

{'access_token': 'eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyNzU4NDUzLCJqdGkiOiI4MzIxNzM5NC02MDZmLTQ0YTItYTliNy05ZjAyMWZiZGU5YmUifQ.DGQRpURYJnzt596ip5ThKrDaXiE8dHsllJgSaLkBXXVPHNv7k2mL3Yjf4U1zQVck260MMDfKkNNABfUWLswpzJbCuCsfz3kvVV65_AT8m_RfektKqTauVQXb-md1A1lqmTImvUW10AYhvaEvJTH5HYP8zeV1mubYqvkkt249sdsyxxIP5VzuVg5z9LmX_mTywLecw3Y6Lgl4AmdL3jn6TQMaQXM_HCQ6xEoYGPiuxH2uOvpeX2AtbCkcGJJ5GO0XBfvgSn8hgA0th4j82oI1E1W0vB7NSk2Rbg-KDpH2OFhfVsstdrUGM7eOZeBy8QOs5MLllUjSQxsPdtbTnCjmtw', 'token_type': 'Bearer', 'refresh_token': 'eyJhbGciOiJub25lIn0.eyJleHAiOjE1MTI3NTg0NTMsImp0aSI6Ijk5MjRmOGMxLTJkMWItNGU0MC04M2UwLTA4ZTJmNWViODlkYyJ9.', 'scope': ['launch', 'openid', 'patient/*.*', 'offline_access', 'profile'], 'patient': '783a1f02-5bf9-41c9-90d0-c2c4d35d3ec3', 'id_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIiLCJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Y

127.0.0.1 - - [08/Dec/2017 13:40:53] "GET /callback?code=e2gAXY&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MTI3NTg3NDh9.Y-1APqF7Zax3Y_YH9tyxZTC8eOMtIfjCfjOLXjjK0Qo HTTP/1.1" 200 1666


In [11]:
ACCESS_TOKEN

{'access_token': 'eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyNzU4NDUzLCJqdGkiOiI4MzIxNzM5NC02MDZmLTQ0YTItYTliNy05ZjAyMWZiZGU5YmUifQ.DGQRpURYJnzt596ip5ThKrDaXiE8dHsllJgSaLkBXXVPHNv7k2mL3Yjf4U1zQVck260MMDfKkNNABfUWLswpzJbCuCsfz3kvVV65_AT8m_RfektKqTauVQXb-md1A1lqmTImvUW10AYhvaEvJTH5HYP8zeV1mubYqvkkt249sdsyxxIP5VzuVg5z9LmX_mTywLecw3Y6Lgl4AmdL3jn6TQMaQXM_HCQ6xEoYGPiuxH2uOvpeX2AtbCkcGJJ5GO0XBfvgSn8hgA0th4j82oI1E1W0vB7NSk2Rbg-KDpH2OFhfVsstdrUGM7eOZeBy8QOs5MLllUjSQxsPdtbTnCjmtw',
 'id_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIiLCJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJkaXNwbGF5TmFtZSI6IkpvaG4gU21pdGgiLCJwcm9maWxlIjoiUHJhY3RpdGlvbmVyXC9TTUFSVC0xMjM0Iiwia2lkIjoicnNhMSIsImlzcyI6Imh0dHBzOlwvXC9zYi1hdXRoLnNtYXJ0aGVhbHRoaXQub3JnXC8iLCJleHAiOjE1MTI3NTkwNTMsImlhdCI6MTUxMjc1ODQ1MywiZW1haWwiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIifQ.T

# Accessing resources using the access token

Now that we have our access token, we can actually start to use it to get resources. 
There will be more on that in the Resources tutorial, but for now, we'll just fetch the `Patient`:


In [12]:
from requests_oauthlib import OAuth2Session
conn = Connection(
    SMART_SERVICE_ROOT, 
    session=OAuth2Session(token=ACCESS_TOKEN))
svc = conn.service()

In [13]:
conn.get(f'/Patient/{ACCESS_TOKEN["patient"]}')

{'address': [{'city': 'Uxbridge',
   'country': 'US',
   'extension': [{'extension': [{'url': 'latitude',
       'valueDecimal': 42.02795362662574},
      {'url': 'longitude', 'valueDecimal': -71.6354863212389}],
     'url': 'http://hl7.org/fhir/StructureDefinition/geolocation'}],
   'line': ['67835 Jamison Ridge', 'Apt. 141'],
   'postalCode': '01569',
   'state': 'MA'}],
 'birthDate': '1969-02-24',
 'communication': [{'language': {'coding': [{'code': 'en-US',
      'display': 'English (United States)',
      'system': 'http://hl7.org/fhir/ValueSet/languages'}]}}],
 'extension': [{'url': 'http://hl7.org/fhir/us/core/StructureDefinition/us-core-race',
   'valueCodeableConcept': {'coding': [{'code': '2106-3',
      'display': 'White',
      'system': 'http://hl7.org/fhir/v3/Race'}],
    'text': 'race'}},
  {'url': 'http://hl7.org/fhir/us/core/StructureDefinition/us-core-ethnicity',
   'valueCodeableConcept': {'coding': [{'code': '2186-5',
      'display': 'Nonhispanic',
      'system': 

You can also retrive resources by their type (all the advertised resources are available under the `svc.r` attribute:

In [18]:
dir(svc.r)

['Account',
 'AllergyIntolerance',
 'Appointment',
 'AppointmentResponse',
 'AuditEvent',
 'Basic',
 'Binary',
 'BodySite',
 'Bundle',
 'CarePlan',
 'Claim',
 'ClaimResponse',
 'ClinicalImpression',
 'Communication',
 'CommunicationRequest',
 'Composition',
 'ConceptMap',
 'Condition',
 'Conformance',
 'Contract',
 'Coverage',
 'DataElement',
 'DetectedIssue',
 'Device',
 'DeviceComponent',
 'DeviceMetric',
 'DeviceUseRequest',
 'DeviceUseStatement',
 'DiagnosticOrder',
 'DiagnosticReport',
 'DocumentManifest',
 'DocumentReference',
 'EligibilityRequest',
 'EligibilityResponse',
 'Encounter',
 'EnrollmentRequest',
 'EnrollmentResponse',
 'EpisodeOfCare',
 'ExplanationOfBenefit',
 'FamilyMemberHistory',
 'Flag',
 'Goal',
 'Group',
 'HealthcareService',
 'ImagingObjectSelection',
 'ImagingStudy',
 'Immunization',
 'ImmunizationRecommendation',
 'ImplementationGuide',
 'List',
 'Location',
 'Media',
 'Medication',
 'MedicationAdministration',
 'MedicationDispense',
 'MedicationOrder',
 'M

In [17]:
p = svc.r.Patient.fetch(ACCESS_TOKEN['patient'])
p.name

[{'use': 'official', 'family': ['Gaylord'], 'given': ['Barbera'], 'prefix': ['Mrs.']},
 {'use': 'maiden', 'family': ['Abbott'], 'given': ['Barbera']}]