# Dynamic Registration

Although many FHIR servers don't yet support it, SMART on FHIR [recommends that implementers allow OAuth2-based dynamic registration][dynamic-recommendation] of client applications.
The general idea is that patient-directed FHIR apps would be able to register automatically for access to new FHIR servers with nothing more than the metadata URI.

Not everyone implements this yet, of course, but the SmartHealthIT sandboxes do, so that's what we'll use here. And that means that we can do everything right here in the notebook.

[dynamic-recommendation]: http://docs.smarthealthit.org/authorization/backend-services/

The first thing we'll need to do is get the service root. For this tutorial, we'll hard-code that:

In [1]:
SMART_SERVICE_ROOT = 'https://sb-fhir-dstu2.smarthealthit.org/smartdstu2/data'

Now, we'll need to create a **manifest** describing our client's metadata:

In [2]:
MANIFEST = {
    "software_id": "com.ehtcares:fhirstorm:1.0",
    "client_name": "FHIRstorm auto-register text",
    "launch_url": "http://localhost:8000/launch",
    "redirect_uris": [
        "http://localhost:8000/callback"
    ],
    "scope": "launch launch/patient openid profile patient/*.read",
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": [
        "authorization_code", "refresh_token",
    ],
    "response_types": [
        "code",
    ],
    "fhir_versions": [
        "1.0.2",
        "1.1.0",
        "1.4.0",
        "1.6.0",
        "1.8.0",
        "3.0.1",
    ]
}

Note that, even though we don't need a webserver to perform dynamic *registration*, we will need one to obtain an *access_token*, so we need to provide the `launch_url` and `redirect_uris` here in the manifest.

Now that we've defined all that, we need to get our registration endpoint from the FHIR server:

In [3]:
from fhirstorm import Connection 

conn = Connection(SMART_SERVICE_ROOT)
svc = conn.service()
uris = svc.security.oauth2_uris
reg_uri = uris.register
reg_uri

'https://sb-auth.smarthealthit.org/register'

Finally, to register our app, we'll need to `POST` our client metadata to the registration endpoint:

In [4]:
import json
import requests
resp = requests.post(
    reg_uri, data=json.dumps(MANIFEST),
    headers={'Content-Type': 'application/json'})
registration = resp.json()
registration

{'client_id': '5dc0e9a9-7336-4469-ab0f-e3a4999a3d9b',
 'client_id_issued_at': 1512857407,
 'client_name': 'FHIRstorm auto-register text',
 'client_secret': 'IBe20729TGldb2M3Jmq47S6vsXMyXTiydJiOD3CjiyB2mgtyOri-qpuJPWcWrs9JkDvOlrV7HP2rKPsmyvxlwQ',
 'client_secret_expires_at': 0,
 'grant_types': ['refresh_token', 'authorization_code'],
 'redirect_uris': ['http://localhost:8000/callback'],
 'registration_access_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiI1ZGMwZTlhOS03MzM2LTQ0NjktYWIwZi1lM2E0OTk5YTNkOWIiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyODU3NDA3LCJqdGkiOiJiNzA1Mjk3Ny0wYjM3LTQ1YTAtYjdmOC00MjdjYzMxYTNkOTAifQ.X0thclFFcQIa4G9kOwE6bdoKOdECA1ITXYTEwq87eKv-ALI6NMjvg7rsDE280j6oTUy6dGY0KW4ABKlkigDURtzre8n2k560moiqfjrrerFMMOzqUKSPNQehlJ3EMt--UU3rzsS7mv74grxn2WhGAoTLbaVphfI2DqaZxrgImqp3V6PaAdU3shVh1JHY3NjTT6WUSTxh-oh9KZgrn6eSBsU7bOS9KakdeHzZUrxGlhBNW8W7t-XeyIjOJZaWg11FDUuYZtTEVZzdUjkKB_dWzv0IbvsCNH0ajXDVs46KTciCoRJwTKAOdexkSmyykCy572U_I99-i1Gy8D

And... well, that's it to registering the client. We can use the given `client_id` and `client_secret` to initiate the authorization code flow, and do everything as when we "manually" registered our client.

# Updating our registration

So what happens if we want to update (or delete) our client registration? Well, that's what the `registration_access_token` and `registration_client_uri` are for.  
For instance, what if we wanted to change our client from _confidential_ to _public_ (getting rid of the `client_secret`?)

First, let's go ahead and fetch the registration as it exists currently. 
We'll also set up a `requests.Session` so we don't have to keep repeating ourselves in the headers we send.

In [15]:
sess = requests.Session()
sess.headers['Authorization'] = f'Bearer {registration["registration_access_token"]}'
sess.headers['Content-Type'] = 'application/json'
sess.headers['Accept'] = 'application/json'
resp = sess.get(registration['registration_client_uri'])
resp

<Response [200]>

In [9]:
reg = resp.json()
reg

{'client_id': '5dc0e9a9-7336-4469-ab0f-e3a4999a3d9b',
 'client_id_issued_at': 1512857407,
 'client_name': 'FHIRstorm auto-register text',
 'client_secret': 'IBe20729TGldb2M3Jmq47S6vsXMyXTiydJiOD3CjiyB2mgtyOri-qpuJPWcWrs9JkDvOlrV7HP2rKPsmyvxlwQ',
 'client_secret_expires_at': 0,
 'grant_types': ['refresh_token', 'authorization_code'],
 'redirect_uris': ['http://localhost:8000/callback'],
 'registration_access_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiI1ZGMwZTlhOS03MzM2LTQ0NjktYWIwZi1lM2E0OTk5YTNkOWIiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyODU3NDA3LCJqdGkiOiJiNzA1Mjk3Ny0wYjM3LTQ1YTAtYjdmOC00MjdjYzMxYTNkOTAifQ.X0thclFFcQIa4G9kOwE6bdoKOdECA1ITXYTEwq87eKv-ALI6NMjvg7rsDE280j6oTUy6dGY0KW4ABKlkigDURtzre8n2k560moiqfjrrerFMMOzqUKSPNQehlJ3EMt--UU3rzsS7mv74grxn2WhGAoTLbaVphfI2DqaZxrgImqp3V6PaAdU3shVh1JHY3NjTT6WUSTxh-oh9KZgrn6eSBsU7bOS9KakdeHzZUrxGlhBNW8W7t-XeyIjOJZaWg11FDUuYZtTEVZzdUjkKB_dWzv0IbvsCNH0ajXDVs46KTciCoRJwTKAOdexkSmyykCy572U_I99-i1Gy8D

Now, we can change the `token_endpoint_auth_method` from `'client_secret_basic'` to `'none'`, turning our client into a public client (no more `client_secret`). 
Once that's done, `POST` the updated registration to the existing `registration_client_uri`:

In [16]:
reg['token_endpoint_auth_method'] = 'none'
resp = sess.put(reg['registration_client_uri'], data=json.dumps(reg))
resp

<Response [200]>

In [17]:
reg = resp.json()
reg

{'client_id': '5dc0e9a9-7336-4469-ab0f-e3a4999a3d9b',
 'client_id_issued_at': 1512857407,
 'client_name': 'FHIRstorm auto-register text',
 'grant_types': ['refresh_token', 'authorization_code'],
 'redirect_uris': ['http://localhost:8000/callback'],
 'registration_access_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiI1ZGMwZTlhOS03MzM2LTQ0NjktYWIwZi1lM2E0OTk5YTNkOWIiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyODU3NDA3LCJqdGkiOiJiNzA1Mjk3Ny0wYjM3LTQ1YTAtYjdmOC00MjdjYzMxYTNkOTAifQ.X0thclFFcQIa4G9kOwE6bdoKOdECA1ITXYTEwq87eKv-ALI6NMjvg7rsDE280j6oTUy6dGY0KW4ABKlkigDURtzre8n2k560moiqfjrrerFMMOzqUKSPNQehlJ3EMt--UU3rzsS7mv74grxn2WhGAoTLbaVphfI2DqaZxrgImqp3V6PaAdU3shVh1JHY3NjTT6WUSTxh-oh9KZgrn6eSBsU7bOS9KakdeHzZUrxGlhBNW8W7t-XeyIjOJZaWg11FDUuYZtTEVZzdUjkKB_dWzv0IbvsCNH0ajXDVs46KTciCoRJwTKAOdexkSmyykCy572U_I99-i1Gy8DuVEsSR8A',
 'registration_client_uri': 'https://sb-auth.smarthealthit.org/register/5dc0e9a9-7336-4469-ab0f-e3a4999a3d9b',
 'response_types':

And there you go -- no more `client_secret`. 
(We can change other fields in the registration as well.)

If you want to delete your dynamically registered client, you can just send a `DELETE` request to the same endpoint:

In [18]:
resp = sess.delete(reg['registration_client_uri'])
resp


<Response [204]>

And just to ensure that it's really gone....

In [19]:
resp = sess.get(registration['registration_client_uri'])
resp

<Response [401]>

Yeah, it's gone (and our token is gone, too, so it says we're unauthorized.)