** Note that all patient data is synthetic **

In [1]:
import requests
import base64
import hashlib
import os
import re

# Using `smart.argo.run`

Server configuration: https://smart.argo.run/?auth_error=&fhir_version_1=r4&fhir_version_2=r4&iss=&launch_pt=1&launch_url=&patient=&prov_skip_auth=1&provider=&pt_skip_auth=1&public_key=&sb=&sde=&token_lifetime=15&user_pt=689892bd-dcbe-41fc-8651-38a1d0893854%2Cfc200fa2-12c9-4276-ba4a-e0601d424e55

In [2]:
SMART_BASE_URL = "https://smart.argo.run/v/r4/sim/eyJrIjoiMSIsImoiOiIxIiwiYiI6IjY4OTg5MmJkLWRjYmUtNDFmYy04NjUxLTM4YTFkMDg5Mzg1NCxmYzIwMGZhMi0xMmM5LTQyNzYtYmE0YS1lMDYwMWQ0MjRlNTUifQ/fhir/"
AUNDREA_GRANT_PATIENT_ID = "689892bd-dcbe-41fc-8651-38a1d0893854"
BRUNO_BERNHARD_PATIENT_ID = "fc200fa2-12c9-4276-ba4a-e0601d424e55"

## Scenario 0

In [4]:
DISCOVERY_PATH = ".well-known/smart-configuration"

In [5]:
smart_config = requests.get(SMART_BASE_URL + DISCOVERY_PATH).json()

Payload includes `permission_v2` and `authorize-post` capabilities ✔️:

In [24]:
smart_config["capabilities"]

['launch-ehr',
 'launch-standalone',
 'client-public',
 'client-confidential-symmetric',
 'context-passthrough-banner',
 'context-passthrough-style',
 'context-ehr-patient',
 'context-ehr-encounter',
 'context-standalone-patient',
 'context-standalone-encounter',
 'permission-offline',
 'permission-patient',
 'permission-user',
 'permission-v2',
 'authorize-post']

`code_challenge_methods_supported` includes `S256` ✔️:

In [25]:
smart_config["code_challenge_methods_supported"]

['S256']

`introscpection_endpoint` included ✔️:

In [26]:
smart_config["introspection_endpoint"]

'https://smart.argo.run/v/r4/sim/eyJrIjoiMSIsImoiOiIxIiwiYiI6IjY4OTg5MmJkLWRjYmUtNDFmYy04NjUxLTM4YTFkMDg5Mzg1NCxmYzIwMGZhMi0xMmM5LTQyNzYtYmE0YS1lMDYwMWQ0MjRlNTUifQ/auth/introspect'

## Scenario 1

Requesting `patient/Observation.rs` scope and being granted that scope ✔️:

In [27]:
authorize_url = smart_config["authorization_endpoint"]
token_url = smart_config["token_endpoint"]

redirect_uri = "http://localhost:8000/index.html"

client_id = "client_id"
client_secret = "client_secret"

aud = SMART_BASE_URL

scopes = "patient/Observation.rs"

authorization_redirect_url = "{}?client_id={}&response_type=code&scope={}&redirect_uri={}&aud={}&patient={}".format(authorize_url, 
                                                                                                  client_id, 
                                                                                                  scopes, 
                                                                                                  redirect_uri,
                                                                                                  aud,
                                                                                                  AUNDREA_GRANT_PATIENT_ID)
    
print("Navigate to: ", authorization_redirect_url + "\n")

authorization_code = input('authz code: ')

headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'}
data = {'grant_type': 'authorization_code', 'code': authorization_code, 'redirect_uri': redirect_uri, 'client_id': client_id}
access_token_response = requests.post(token_url, data=data, headers=headers)

print("\nScopes Granted: " + access_token_response.json()['scope'])

Navigate to:  https://smart.argo.run/v/r4/sim/eyJrIjoiMSIsImoiOiIxIiwiYiI6IjY4OTg5MmJkLWRjYmUtNDFmYy04NjUxLTM4YTFkMDg5Mzg1NCxmYzIwMGZhMi0xMmM5LTQyNzYtYmE0YS1lMDYwMWQ0MjRlNTUifQ/auth/authorize?client_id=client_id&response_type=code&scope=patient/Observation.rs&redirect_uri=http://localhost:8000/index.html&aud=https://smart.argo.run/v/r4/sim/eyJrIjoiMSIsImoiOiIxIiwiYiI6IjY4OTg5MmJkLWRjYmUtNDFmYy04NjUxLTM4YTFkMDg5Mzg1NCxmYzIwMGZhMi0xMmM5LTQyNzYtYmE0YS1lMDYwMWQ0MjRlNTUifQ/fhir/&patient=689892bd-dcbe-41fc-8651-38a1d0893854

authz code: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7Im5lZWRfcGF0aWVudF9iYW5uZXIiOnRydWUsInNtYXJ0X3N0eWxlX3VybCI6Imh0dHBzOi8vc21hcnQuYXJnby5ydW4vL3NtYXJ0LXN0eWxlLmpzb24ifSwiY2xpZW50X2lkIjoiY2xpZW50X2lkIiwic2NvcGUiOiJwYXRpZW50L09ic2VydmF0aW9uLnJzIiwiaWF0IjoxNjIxMzY1ODU4LCJleHAiOjE2MjEzNjYxNTh9.2OKcUuJMPzcNn7LBVQxj7lZjU8zobC9z-GK9TuB47B0

Scopes Granted: patient/Observation.rs


Fails when bad `aud` is passed ✔️:

In [28]:
authorize_url = smart_config["authorization_endpoint"]
token_url = smart_config["token_endpoint"]

redirect_uri = "http://localhost:8000/index.html"

client_id = "client_id"
client_secret = "client_secret"

aud = "gibberish"

scopes = "patient/Observation.rs"

authorization_redirect_url = "{}?client_id={}&response_type=code&scope={}&redirect_uri={}&aud={}&patient={}".format(authorize_url, 
                                                                                                  client_id, 
                                                                                                  scopes, 
                                                                                                  redirect_uri,
                                                                                                  aud,
                                                                                                  AUNDREA_GRANT_PATIENT_ID)
    
print("Navigate to: ", authorization_redirect_url + "\n")

authorization_code = input('authz code: ')

headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'}
data = {'grant_type': 'authorization_code', 'code': authorization_code, 'redirect_uri': redirect_uri, 'client_id': client_id}
access_token_response = requests.post(token_url, data=data, headers=headers)

print("\nScopes Granted: " + access_token_response.json()['scope'])

Navigate to:  https://smart.argo.run/v/r4/sim/eyJrIjoiMSIsImoiOiIxIiwiYiI6IjY4OTg5MmJkLWRjYmUtNDFmYy04NjUxLTM4YTFkMDg5Mzg1NCxmYzIwMGZhMi0xMmM5LTQyNzYtYmE0YS1lMDYwMWQ0MjRlNTUifQ/auth/authorize?client_id=client_id&response_type=code&scope=patient/Observation.rs&redirect_uri=http://localhost:8000/index.html&aud=gibberish&patient=689892bd-dcbe-41fc-8651-38a1d0893854



KeyboardInterrupt: Interrupted by user

## Scenario 3
*Scenario 1 (with POST-based authorization)* ✔️

In [6]:
authorize_url = smart_config["authorization_endpoint"]
token_url = smart_config["token_endpoint"]

redirect_uri = "http://localhost:8000/index.html"

client_id = "client_id"
client_secret = "client_secret"

aud = SMART_BASE_URL

scopes = "patient/Observation.rs"

# Creating HTML page for POST
html = """<html>
  <body onload="javascript:document.forms[0].submit()">
    <form method="post" action="{}">
      <input type="hidden" name="response_type" value="code"/>
      <input type="hidden" name="client_id" value="{}"/>
      <input type="hidden" name="redirect_uri" value="{}"/>
      <input type="hidden" name="scope" value="{}"/>
      <input type="hidden" name="aud" value="{}"/>
    </form>
  </body>
</html>""".format(authorize_url, client_id, redirect_uri, scopes, aud)

f = open("post-authorization.html", "w")
f.write(html)
f.close()

print("Open the post-authorization.html file\n")

authorization_code = input('authz code: ')

headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'}
data = {'grant_type': 'authorization_code', 'code': authorization_code, 'redirect_uri': redirect_uri, 'client_id': client_id}
access_token_response = requests.post(token_url, data=data, headers=headers)

print("\nScopes Granted: " + access_token_response.json()['scope'])

Open the post-authorization.html file

authz code: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7Im5lZWRfcGF0aWVudF9iYW5uZXIiOnRydWUsInNtYXJ0X3N0eWxlX3VybCI6Imh0dHBzOi8vc21hcnQuYXJnby5ydW4vL3NtYXJ0LXN0eWxlLmpzb24ifSwiY2xpZW50X2lkIjoiY2xpZW50X2lkIiwic2NvcGUiOiJwYXRpZW50L09ic2VydmF0aW9uLnJzIiwiaWF0IjoxNjIxNDI3ODc0LCJleHAiOjE2MjE0MjgxNzR9.2HTpWxcN_Fp-InAMtoSU1TzgGn7M4ePdH9Hu8X5z70A

Scopes Granted: patient/Observation.rs


*Scenario 1 (with POST-based authorization + PKCE)* ✔️

Generate `code_verifier` and `code_challenge` (Source: https://www.stefaanlippens.net/oauth-code-flow-pkce.html)

In [7]:
code_verifier = base64.urlsafe_b64encode(os.urandom(70)).decode('utf-8')
code_verifier = re.sub('[^a-zA-Z0-9]+', '', code_verifier)

code_challenge_method = "S256"

code_challenge = hashlib.sha256(code_verifier.encode('utf-8')).digest()
code_challenge = base64.urlsafe_b64encode(code_challenge).decode('utf-8')
code_challenge = code_challenge.replace('=', '')
code_challenge, len(code_challenge)

('nJZiBFHyFfW4KlSFWps61b9vtRiixardOxW7qOQDMoo', 43)

In [8]:
authorize_url = smart_config["authorization_endpoint"]
token_url = smart_config["token_endpoint"]

redirect_uri = "http://localhost:8000/index.html"

client_id = "client_id"
client_secret = "client_secret"

aud = SMART_BASE_URL

scopes = "patient/Observation.rs"

# Creating HTML page for POST
html = """<html>
  <body onload="javascript:document.forms[0].submit()">
    <form method="post" action="{}">
      <input type="hidden" name="response_type" value="code"/>
      <input type="hidden" name="client_id" value="{}"/>
      <input type="hidden" name="redirect_uri" value="{}"/>
      <input type="hidden" name="scope" value="{}"/>
      <input type="hidden" name="aud" value="{}"/>
      <input type="hidden" name="code_challenge_method" value="{}"/>
      <input type="hidden" name="code_challenge" value="{}"/>
    </form>
  </body>
</html>""".format(authorize_url, client_id, redirect_uri, scopes, aud, code_challenge_method, code_challenge)

f = open("post-authorization.html", "w")
f.write(html)
f.close()

print("Open the post-authorization.html file\n")

authorization_code = input('authz code: ')

headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'}
data = {'grant_type': 'authorization_code', 'code': authorization_code, 'redirect_uri': redirect_uri, 'client_id': client_id, 'code_verifier': code_verifier}
access_token_response = requests.post(token_url, data=data, headers=headers)

print("\nScopes Granted: " + access_token_response.json()['scope'])

Open the post-authorization.html file

authz code: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7Im5lZWRfcGF0aWVudF9iYW5uZXIiOnRydWUsInNtYXJ0X3N0eWxlX3VybCI6Imh0dHBzOi8vc21hcnQuYXJnby5ydW4vL3NtYXJ0LXN0eWxlLmpzb24ifSwiY2xpZW50X2lkIjoiY2xpZW50X2lkIiwiY29kZV9jaGFsbGVuZ2VfbWV0aG9kIjoiUzI1NiIsImNvZGVfY2hhbGxlbmdlIjoibkpaaUJGSHlGZlc0S2xTRldwczYxYjl2dFJpaXhhcmRPeFc3cU9RRE1vbyIsInNjb3BlIjoicGF0aWVudC9PYnNlcnZhdGlvbi5ycyIsImlhdCI6MTYyMTQyODIyNywiZXhwIjoxNjIxNDI4NTI3fQ.jocYxa7RfN12pMtkvzjzcD2qJxq8oG4LloBXnxnqDCE

Scopes Granted: patient/Observation.rs


## Scenario 4

*Scenario 1 (with PKCE)* ✔️

Generate `code_verifier` and `code_challenge` (Source: https://www.stefaanlippens.net/oauth-code-flow-pkce.html)

In [72]:
code_verifier = base64.urlsafe_b64encode(os.urandom(70)).decode('utf-8')
code_verifier = re.sub('[^a-zA-Z0-9]+', '', code_verifier)

#code_verifier = "fnhyaHlSX3E3OHhKcmJNQkRofmJBdFNsT1ZkanR5X20tQ0FRR0xjZFhjRUwxSDZjckQwMkRwQXM0cX5saDM1Y2tNc2M1VS1JejZyTE5uV1MxSGxOSDVzdWt2bm5pLkhq"

code_challenge_method = "S256"

code_challenge = hashlib.sha256(code_verifier.encode('utf-8')).digest()
code_challenge = base64.urlsafe_b64encode(code_challenge).decode('utf-8')
code_challenge = code_challenge.replace('=', '')
code_challenge, len(code_challenge)

('8ZwwkLtcJh2uF1dMYt-D1bZpMMgr3i5BZXQgx0UYYfk', 43)

In [75]:
authorize_url = smart_config["authorization_endpoint"]
token_url = smart_config["token_endpoint"]

redirect_uri = "http://localhost:8000/index.html"

client_id = "client_id"
client_secret = "client_secret"

aud = SMART_BASE_URL

scopes = "patient/Observation.rs"

authorization_redirect_url = "{}?client_id={}&response_type=code&scope={}&redirect_uri={}&aud={}&patient={}&code_challenge={}&code_challenge_method={}".format(authorize_url, 
                                                                                                  client_id, 
                                                                                                  scopes, 
                                                                                                  redirect_uri,
                                                                                                  aud,
                                                                                                  AUNDREA_GRANT_PATIENT_ID,
                                                                                                  code_challenge,
                                                                                                  code_challenge_method)
    
print("Navigate to: ", authorization_redirect_url + "\n")

authorization_code = input('authz code: ')

headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'}
data = {'grant_type': 'authorization_code', 'code': authorization_code, 'redirect_uri': redirect_uri, 'client_id': client_id, 'code_verifier': code_verifier}
access_token_response = requests.post(token_url, data=data, headers=headers)

print("\nScopes Granted: " + access_token_response.json()['scope'])

Navigate to:  https://smart.argo.run/v/r4/sim/eyJrIjoiMSIsImoiOiIxIiwiYiI6IjY4OTg5MmJkLWRjYmUtNDFmYy04NjUxLTM4YTFkMDg5Mzg1NCxmYzIwMGZhMi0xMmM5LTQyNzYtYmE0YS1lMDYwMWQ0MjRlNTUifQ/auth/authorize?client_id=client_id&response_type=code&scope=patient/Observation.rs&redirect_uri=http://localhost:8000/index.html&aud=https://smart.argo.run/v/r4/sim/eyJrIjoiMSIsImoiOiIxIiwiYiI6IjY4OTg5MmJkLWRjYmUtNDFmYy04NjUxLTM4YTFkMDg5Mzg1NCxmYzIwMGZhMi0xMmM5LTQyNzYtYmE0YS1lMDYwMWQ0MjRlNTUifQ/fhir/&patient=689892bd-dcbe-41fc-8651-38a1d0893854&code_challenge=8ZwwkLtcJh2uF1dMYt-D1bZpMMgr3i5BZXQgx0UYYfk&code_challenge_method=S256

authz code: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7Im5lZWRfcGF0aWVudF9iYW5uZXIiOnRydWUsInNtYXJ0X3N0eWxlX3VybCI6Imh0dHBzOi8vc21hcnQuYXJnby5ydW4vL3NtYXJ0LXN0eWxlLmpzb24ifSwiY2xpZW50X2lkIjoiY2xpZW50X2lkIiwiY29kZV9jaGFsbGVuZ2VfbWV0aG9kIjoiUzI1NiIsImNvZGVfY2hhbGxlbmdlIjoiOFp3d2tMdGNKaDJ1RjFkTVl0LUQxYlpwTU1ncjNpNUJaWFFneDBVWVlmayIsInNjb3BlIjoicGF0aWVudC9PYnNlcnZhdGlvbi5ycyIsImlh