Python example illustrating HTTP interactions with HSPC SMART Sandbox ...  
Log in, acquire bearer token, get userinfo, and query FHIR server.

In [None]:
import getpass
import requests
import urllib
import uuid

define username and password

In [None]:
username = 'jschneid@nmdp.org'
password = getpass.getpass()

other configuration settings

In [None]:
hostname_prefix = 'cibmtr-smart-dev'
auth_server = 'https://{0}-auth.b12x.org'.format(hostname_prefix)
aud = 'https://{0}-stu3.b12x.org/smartstu3/data'.format(hostname_prefix)
sandman_url = 'https://{0}-sandman.b12x.org/'.format(hostname_prefix)
security_check_login_url = '{0}/j_spring_security_check'.format(auth_server)
client_id = 'sand_man'
response_type = 'code'
scope = 'smart/orchestrate_launch user/*.* profile openid'
submit = 'Sign in'

uncomment the following to authenticate as web-agnis-fhir-submission app (instead of sandbox manager) 

In [None]:
#sandman_url = 'http://agnissubmission.b12x.org/'
#client_id = 'web-agnis-fhir-submission'

generate random state value for this login request

In [None]:
state = str(uuid.uuid4())

See also:  
https://requests.readthedocs.io

get CapabilityStatement  
should include "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris" security extension, containing "authorize", "token", "register", and "launch-registration" URLs  
(currently ignored by this code)

In [None]:
aud_metadata_url = '{0}/metadata'.format(aud)
r = requests.get(aud_metadata_url)

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r.json()   # should be CapabilityStatement containing security extension for oauth-uris
# TODO:  parse CapabilityStatement to obtain "authorize" and "token" URIs programmatically

In [None]:
authorize_url_fmt = '{0}/authorize?client_id={1}&response_type={2}&scope={3}&redirect_uri={4}&state={5}&aud={6}'
authorize_url = authorize_url_fmt.format(auth_server, urllib.parse.quote(client_id, safe=''), urllib.parse.quote(response_type, safe=''), urllib.parse.quote(scope, safe=''), urllib.parse.quote(sandman_url, safe=''), urllib.parse.quote(state, safe=''), urllib.parse.quote(aud, safe=''))

In [None]:
authorize_url

In [None]:
r = requests.get(authorize_url, allow_redirects=False)

In [None]:
r.status_code   # should be 302 (redirect)

In [None]:
r.headers['set-cookie']

In [None]:
jsessionid = r.cookies.get('JSESSIONID')   # get JSESSIONID cookie
jsessionid

In [None]:
r.headers['location']   # redirect location should be auth server's /login page

In [None]:
r = requests.get(r.headers['location'], cookies=dict(JSESSIONID=jsessionid))

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r.url

In [None]:
authorize_url

In [None]:
r = requests.post(
    security_check_login_url,
    data = {'username': username, 'password': password, 'redirectUrl': authorize_url, 'submit': submit},
    cookies = dict(JSESSIONID=jsessionid),
    allow_redirects=False)

In [None]:
r.status_code   # should be 302 (redirect)

In [None]:
r.headers['location']   # should be same as authorize_url (the previous request's redirectUrl)

In [None]:
authorize_url == r.headers['location']   # should be True

In [None]:
r.headers['set-cookie']   # new JSESSIONID cookie value (?)

In [None]:
jsessionid2 = r.cookies.get('JSESSIONID')
jsessionid2

In [None]:
jsessionid == jsessionid2   # should be False

In [None]:
r = requests.get(   # using jsessionid2 now -- requesting authorization code
    r.headers['location'],
    cookies=dict(JSESSIONID=jsessionid2),
    allow_redirects=False)

In [None]:
r.status_code   # should be 302 (redirect)

In [None]:
r.headers['location']   # should be sandman home page (the previous request's redirect_uri), with code parameter added

In [None]:
parsed_url = urllib.parse.urlsplit(r.headers['location'])
parsed_url

In [None]:
parsed_url[3]

In [None]:
code = urllib.parse.parse_qs(parsed_url[3])['code'][0]
code

In [None]:
token_url = '{}/token'.format(auth_server)
r = requests.post(
    token_url,
    data = {'code': code, 'grant_type': 'authorization_code', 'redirect_uri': sandman_url, 'client_id': client_id},
    allow_redirects=False)

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r.json()   # JSON containing bearer token (access_token)

In [None]:
token_json = r.json()

In [None]:
token_json['scope']

In [None]:
scope   # requested scope -- should be equivalent to granted token_json['scope']

In [None]:
'Bearer' == token_json['token_type']   # should be True

In [None]:
bearer_token = 'BEARER ' + token_json['access_token']
bearer_token

In [None]:
r = requests.options(aud_metadata_url)

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r = requests.get(aud_metadata_url)

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r.json()  # should be CapabilityStatement

In [None]:
userinfo_url = '{}/userinfo'.format(auth_server)
r = requests.options(userinfo_url)

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r = requests.post(userinfo_url, headers={'authorization': bearer_token})

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r.json()

In [None]:
patient_query_url = '{}/Patient?_sort:asc=family&_sort:asc=given&name=&_count=50'.format(aud)
patient_query_url

In [None]:
r = requests.options(patient_query_url)

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r = requests.get(patient_query_url, headers={'authorization': bearer_token})

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r.json()   # patient list (FHIR Bundle)

log out ...

In [None]:
logout_url = '{0}/logout?hspcRedirectUrl={1}'.format(auth_server, sandman_url)
r = requests.get(logout_url, cookies=dict(JSESSIONID=jsessionid2))

In [None]:
r.status_code   # should be 200 (success)

In [None]:
r.history   # should contain one <Response [302]>

In [None]:
r.url   # should be sandman server's home page

-----
**TODO -- replicate the above using fhirclient ??** ...

See also:  
https://smart-on-fhir.github.io/client-py  
https://github.com/smart-on-fhir/client-py

In [None]:
from fhirclient import client

In [None]:
settings = {
    'app_id': client_id,
    #'app_secret': '',
    'api_base': aud,
    'redirect_uri': sandman_url,
    #'patient_id': '',
    'scope': token_json['scope'],
    #'launch_token': ''
}
smart = client.FHIRClient(settings=settings)

In [None]:
smart.ready

In [None]:
smart.authorize_url

In [None]:
smart.prepare()

In [None]:
smart.authorize_url # is None

In [None]:
import fhirclient.models.patient as p

In [None]:
patient = p.Patient.read('2341', smart.server)