# Register the client

We're going to be using the [SmartHealthIT][smarthealthit] Sandboxes, so we need to go to the [sandbox][sb] and register a new client there, clicking 'Register Manually', and filling in the boxes:

- App Type: Confidential Client
- App Name: FHIRstorm test
- App Launch URI: http://localhost:5000/launch
- App Redirect URIs: http://localhost:5000/redirect
- Allow Offline Access: (checked)
- Patient Scoped App: (checked)
- App logo: (skip it for now)

Register it, and then copy the client ID. 
The one it got is below. 
Also below are a few other values from registration:

[smarthealthit]: http://docs.smarthealthit.org/
[sb]: https://sandbox.smarthealthit.org/smartdstu2/#/manage-apps

In [1]:
REDIRECT_URI = 'http://localhost:5000/redirect'
CLIENT_ID = '9644d85e-07f0-4962-a78b-ab1bfe39c6d8'
SERVICE_ROOT = 'https://sb-fhir-dstu2.smarthealthit.org/smartdstu2/data'

Once you're registered, click on your newly-created app to get the client secret value as well:

In [2]:
CLIENT_SECRET = 'GYEbJSvLr6dLJz5v2Y7XyRaLyBHXbdYAeNjY_48KvHnKL7MQEtg5rnBg9tiYcNT4FAdXgYkcnHH3KSxRr6gNbg'

You might notice that the sandbox has also helpfully filled in some decent scopes for us (we'll use these when requesting our authorization token. 
Let's go ahead and copy them as well. 

In [3]:
SCOPE = 'launch patient/*.* openid profile offline_access'

Let's go ahead and add one more scope so we get a patient browser when we launch our app:

In [4]:
SCOPE += ' launch/patient'

To actually handle the redirect and such, we'll need to have a (minimal) web server. There's a basic one in example/app.py:

In [5]:
!pygmentize ../example/app.py

[34mfrom[39;49;00m [04m[36mflask[39;49;00m [34mimport[39;49;00m Flask, request, redirect
[34mfrom[39;49;00m [04m[36mflask_cors[39;49;00m [34mimport[39;49;00m CORS

[34mfrom[39;49;00m [04m[36mfhirstorm[39;49;00m [34mimport[39;49;00m Connection, auth

app = Flask([31m__name__[39;49;00m)

JWT_SECRET=[33m'[39;49;00m[33mitsaseekrit[39;49;00m[33m'[39;49;00m
REDIRECT_URI=[33m'[39;49;00m[33mhttp://localhost:5000/redirect[39;49;00m[33m'[39;49;00m
CLIENT_ID=[33m'[39;49;00m[33m9644d85e-07f0-4962-a78b-ab1bfe39c6d8[39;49;00m[33m'[39;49;00m
CLIENT_SECRET=[33m'[39;49;00m[33mGYEbJSvLr6dLJz5v2Y7XyRaLyBHXbdYAeNjY_48KvHnKL7MQEtg5rnBg9tiYcNT4FAdXgYkcnHH3KSxRr6gNbg[39;49;00m[33m'[39;49;00m
SCOPE=[33m'[39;49;00m[33mlaunch patient/*.* openid profile offline_access[39;49;00m[33m'[39;49;00m
SCOPE += [33m'[39;49;00m[33m launch/patient[39;49;00m[33m'[39;49;00m


[30;01m@app.route[39;49;00m([33m'[39;49;00m[33m/redirect[39;49;00m[33m'

So go ahead and start that up in a terminal window...

Now, we need to actually connect to the sandbox and authenticate. For that, we'll need a `Connection` object and the `auth` module:

In [6]:
from fhirstorm import Connection, auth

conn = Connection(SERVICE_ROOT)

# Fetch metadata for the services at this endpoint
md = conn.metadata

# Get the first REST service (there's usually just one)
service = md.rest[0]
service

<Bound _RestEndpoint>

## A word about different authentication paths

There are 2 main ways we can authenticate: the _launch_ flow and the _standalone_ flow. 

In the **launch** flow, the EHR or patient portal will initiate a call to our application. 
You can simulate this by clicking the 'Launch' button under your app's settings in the sandbox.

The simpler flow is the **standalone** flow. 
Here, our app will direct the user to the EHR. We'll cover this one first.

### Standalone flow

Now we need to send the user over to the sandbox to authenticate so we can get our authorization code (which we'll exchange for a token. 
Part of this request is us providing a `state` value so we can tell that the callback we receive (containing the authorization code) came from the server we actually sent the redirect to and not some nefarious actor.

The best approach to state is to generate some random text (maybe a UUID or sampling `/dev/urandom`). 
FHIRstorm provides a less-secure but easier approach by using a JSON Web Token. 
This is a little easier because it means we don't have to save the state between when we send the user off to the EHR and when we get the callback.

(The code below will show both approaches)

In [7]:
from uuid import uuid4

# this is the flow using a specific
state = str(uuid4())

authorization_url, state = auth.authorization_url(
    service,
    client_id=CLIENT_ID,
    redirect_uri=REDIRECT_URI,
    scope=SCOPE,
    state=state)
print(authorization_url)

https://sb-auth.smarthealthit.org/authorize?response_type=code&client_id=9644d85e-07f0-4962-a78b-ab1bfe39c6d8&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fredirect&scope=launch+patient%2F%2A.%2A+openid+profile+offline_access+launch%2Fpatient&state=939b0c19-6443-48a7-b7b6-68e1e190aa0f&aud=https%3A%2F%2Fsb-fhir-dstu2.smarthealthit.org%2Fsmartdstu2%2Fdata


Now we'll need to send the user (via a redirect) to the authorization url. 
For now, you can just copy and paste the url into your browser bar.
Once you're there, pick a patient (I picked the first one) and it should present a permission screen.
Grant permission, and the server will redirect you to our webapp where you'll see the authorization response. 
Save it in a variable:

In [8]:
import webbrowser
webbrowser.open_new_tab(authorization_url)

True

In [9]:
authorization_response = input('What was the authorization response?')

What was the authorization response?http://localhost:5000/redirect?code=GPOJVs&state=939b0c19-6443-48a7-b7b6-68e1e190aa0f


There's one more little thing we need to do while testing. 
Python's `oauthlib` likes to make sure we don't expose credentials, so it'll refuse
to work if our redirect uri is not `https://` (even if it *is* `localhost`). 
So let's keep oauthlib from being so *helpful* by setting an environment variable:

In [10]:
import os
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = 'true'

Now we can go ahead and get a (longer-lived) token from the server:

In [11]:
token = auth.fetch_token(
    service,
    client_id=CLIENT_ID,
    redirect_uri=REDIRECT_URI,
    authorization_response=authorization_response,
    client_secret=CLIENT_SECRET,
    state=state)
token

{'access_token': 'eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyNjE2ODE4LCJqdGkiOiIwNzgzMTAyYS0zNmE1LTRlYjItOTc4MC1hM2NkYTcwMTk1YzcifQ.GpAonkN9Nk6jp9sOz35FG0DQn97yDzmwDNqRb_ok7UmkGPQ9Hm67EZgjP4270lmkP0ZTkh7Zcizun3-an0vS2Kbp1zNXt3pnXORs8FS4RZoPVL-JK8ftfbSS1NRpDPkwREzrI1VebolLy1WUWFRS4DIvkkPzos5SwS-yY1cB7fKD3XMZi4ZQOEp0M7OMWVr2_186i9kQwOtxHXvuSzuKkmDO-nMxf6n3MoJ661pRoszS8nyNXElmkX9oVe8IASNJN_SbzKgZ4GRWhDd8qeN2DE7d8AE4mRUjsUD7bq2r9Pl6stWNP3kRRetmbC_PuXde-CKgLh1USRivAZRF6IlJXw',
 'id_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIiLCJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJkaXNwbGF5TmFtZSI6IkpvaG4gU21pdGgiLCJwcm9maWxlIjoiUHJhY3RpdGlvbmVyXC9TTUFSVC0xMjM0Iiwia2lkIjoicnNhMSIsImlzcyI6Imh0dHBzOlwvXC9zYi1hdXRoLnNtYXJ0aGVhbHRoaXQub3JnXC8iLCJleHAiOjE1MTI2MTc0MTgsImlhdCI6MTUxMjYxNjgxOCwiZW1haWwiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIifQ.l

If we'd like to use JWT-based state, we can do that, too. 
We'll need to have a secret which we use to sign the JWT:

In [12]:
JWT_SECRET='itsaseekrit'   # really, *really* don't use this

In [13]:
state = auth.jwt_state(JWT_SECRET)

authorization_url, state = auth.authorization_url(
    service,
    client_id=CLIENT_ID,
    redirect_uri=REDIRECT_URI,
    scope=SCOPE,
    state=state)
print(authorization_url)

https://sb-auth.smarthealthit.org/authorize?response_type=code&client_id=9644d85e-07f0-4962-a78b-ab1bfe39c6d8&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fredirect&scope=launch+patient%2F%2A.%2A+openid+profile+offline_access+launch%2Fpatient&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MTI2MTcxMTh9.-TqwUIR9MC4aIrrPbSa2Z6to_LbsaO_KemcwAnOiCG0&aud=https%3A%2F%2Fsb-fhir-dstu2.smarthealthit.org%2Fsmartdstu2%2Fdata


In [14]:
webbrowser.open_new_tab(authorization_url)
authorization_response = input('What was the authorization response?')

What was the authorization response?http://localhost:5000/redirect?code=7PIv6s&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MTI2MTcxMTh9.-TqwUIR9MC4aIrrPbSa2Z6to_LbsaO_KemcwAnOiCG0


In [15]:
token = auth.fetch_token(
    service,
    client_id=CLIENT_ID,
    redirect_uri=REDIRECT_URI,
    authorization_response=authorization_response,
    client_secret=CLIENT_SECRET,
    state_validator=auth.jwt_state_validator(JWT_SECRET))
token

{'access_token': 'eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyNjE2ODI3LCJqdGkiOiIxNmFhNjRkZC03MDI0LTQyMzMtODJjZi1lMmY1OTRlODcxNzAifQ.N9ho3P6PDAZ_g0yr2GpSB1MtaZqlfqh_ncPQM6y_vuVcvm0EWojC3pxRenKjX6tRgsK-g80Du2BEUO9MFjiOGL_6x0oyjncPAbiUyeqVA25xyZ9LKzfUq4WdnBaCcvelatxMk24BFhvaBQvQRV1oCZmGIetpYq9V1JWNsZ6NDIeID4_etReN4hMQboQ-rRpD6dp3ZyWk9eqLz_cD96Que4ZyOfIanKcmHjmSCMchGPu7XF5Ko9ijja5VO-uHSl_bAJVVjn7gF3Lf82cKOmf3vgI-gBp6QIKZts6oshz7TCY8I9rRtPUBrNUgU4n2Na6zgxdVcqOmx2RM8a1u6IGkeQ',
 'id_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIiLCJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJkaXNwbGF5TmFtZSI6IkpvaG4gU21pdGgiLCJwcm9maWxlIjoiUHJhY3RpdGlvbmVyXC9TTUFSVC0xMjM0Iiwia2lkIjoicnNhMSIsImlzcyI6Imh0dHBzOlwvXC9zYi1hdXRoLnNtYXJ0aGVhbHRoaXQub3JnXC8iLCJleHAiOjE1MTI2MTc0MjcsImlhdCI6MTUxMjYxNjgyNywiZW1haWwiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIifQ.J

### Launch flow

The launch flow is similar, but everything starts from the EHR.

Navigate to your app and click the 'launch' button. 
Doing so will invoke similar code to what we've been doing here:

```python
@app.route('/launch')
def launch():
    iss = request.args['iss']
    launch = request.args.get('launch', None)
    conn = Connection(iss)
    md = conn.metadata
    service = md.rest[0]

    state = auth.jwt_state(JWT_SECRET)

    authorization_url, state = auth.authorization_url(
        service,
        client_id=CLIENT_ID,
        redirect_uri=REDIRECT_URI,
        scope=SCOPE,
        state=state,
        launch=launch)
    print(authorization_url)

    return redirect(authorization_url)
```

Note that you'll _probably_ want to do some checking on the `iss` (issuer) value that's sent to you so you know 
it's an EHR you recognize. 
Once we've 'bounced' off the launch page, and received the redirect from the EHR, we can save it again:

In [16]:
authorization_response = input('What was the authorization response? ')

What was the authorization response? http://localhost:5000/redirect?code=4CuIve&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MTI2MTcxMzR9.-JI70XGct-bDKvIsmAQ8dCSAHmeFXAs0gEYBBs-NusU


And now, just as before, we can get our authorization token:

In [17]:
token = auth.fetch_token(
    service,
    client_id=CLIENT_ID,
    redirect_uri=REDIRECT_URI,
    authorization_response=authorization_response,
    client_secret=CLIENT_SECRET,
    state_validator=auth.jwt_state_validator(JWT_SECRET))
token

{'access_token': 'eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJpc3MiOiJodHRwczpcL1wvc2ItYXV0aC5zbWFydGhlYWx0aGl0Lm9yZ1wvIiwiaWF0IjoxNTEyNjE2ODQ0LCJqdGkiOiIyMzA1ZWNmNy03OTRmLTQ1NTItOTg5Zi01ZmE3YzY4MzQ0NmIifQ.awo6qLyCP2vQdak_tu7msVFz7g-UkIGopIj2eKRAeqV222JOSDozGji0Gf6JORiXKdATrDcxnC-s6tkEeGHQfnNug9t0dtf42in2VDfmMnuG-7hEoDAzONG8JoaACs_Ki-qiZaM8fSoUz9isb-p8IKFct5KiHTXuK9H8nnYSJTpjBcheEKCGIF9vZ1Z0gIPkCXPOzgf_7fqpdr8eAsaxkXiGjY1zdTC6BqP3LeRNJLhMFXUEFruOr_dlVDLA1IABPPWpDbbt3zvJwvhT4lrOXlA146cqCzwl4Ybey6xAF_NKEB_xfZ999NZbylCJVYmg1jWNjmTp4pU-sAU1uWaBsQ',
 'id_token': 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIiLCJhdWQiOiI5NjQ0ZDg1ZS0wN2YwLTQ5NjItYTc4Yi1hYjFiZmUzOWM2ZDgiLCJkaXNwbGF5TmFtZSI6IkpvaG4gU21pdGgiLCJwcm9maWxlIjoiUHJhY3RpdGlvbmVyXC9TTUFSVC0xMjM0Iiwia2lkIjoicnNhMSIsImlzcyI6Imh0dHBzOlwvXC9zYi1hdXRoLnNtYXJ0aGVhbHRoaXQub3JnXC8iLCJleHAiOjE1MTI2MTc0NDQsImlhdCI6MTUxMjYxNjg0NCwiZW1haWwiOiJqb2huZ2xvYmFsQHNtYXJ0ZHN0dTIifQ.O