### Working with SMART on FHIR ID Tokens

##### !pip3 install python-jose
##### https://hl7.org/implement/standards/fhir/smart-app-launch/1.0.0/worked_example_id_token/

In [1]:
from cryptography.hazmat.primitives.asymmetric import rsa
import json
import jose.jwk
import jose.jwt
import jose.constants

#### Setup
To create a self-contained example, we'll generate a new RSA key for a fake organization called "my-ehr.org" and use it for the operations below. python-jose takes its key material as PEM-encoded text, so we export both the private and the public half as PEM strings.

In [2]:
from cryptography.hazmat.primitives import serialization

# cryptography has no rsa.generate(); keys are created with generate_private_key
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

# Export both halves as PEM text, which is the key material python-jose expects
private = key.private_bytes(
    serialization.Encoding.PEM,
    serialization.PrivateFormat.PKCS8,
    serialization.NoEncryption()).decode()
public = key.public_key().public_bytes(
    serialization.Encoding.PEM,
    serialization.PublicFormat.SubjectPublicKeyInfo).decode()
# print(public, "\n\n", private)

#### Creating an ID Token (for servers)
Servers will create a signed JWT by following a process like this.

##### Create a set of claims
These should include:
```
sub: the user
aud: the app (its client_id) for whom this ID Token is being produced
iss: an identifier for this EHR system
fhirUser: the absolute URL of the FHIR resource representing the current user
         (earlier drafts of the specification called this claim "profile")
```
##### Encode them in a JWT
The JWT is signed with the server's private key.

In [None]:
claims = {
  "sub": "Ashok",
  "aud": "penguin",
  "iss": "https://my-ehr.org/fhir",
  "fhirUser": "https://my-ehr.org/fhir/Practitioner/123"
}


id_token = jose.jwt.encode(
    claims,
    private,            # the PEM-encoded private key from the setup cell
    algorithm='RS384')

# print(id_token)

#### Validating and using an ID Token (for clients)

A client obtains the ID Token as the result of an authorization operation. To validate the token, the client fetches the server's public key and then decodes the token. While decoding the token, the client must verify that the audience ('aud') matches its own client_id.

In [None]:
# Pin the expected algorithm so the token's own header cannot choose how it is verified
jose.jwt.decode(id_token, public, audience='penguin', algorithms=['RS384'])
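To make the three steps above concrete (build the claims, sign them, validate them as the client), here is an added example that is not part of the original notebook or the HL7 worked example. It re-implements what `jose.jwt.encode` and `jose.jwt.decode` do for an RS384 token using only `cryptography`, so the checks a client relies on (algorithm pinning, signature verification, `aud`, `iss` and `exp`) are visible rather than hidden inside the library. The issuer, client_id, user URL and timestamps are constructed sample values; in real code use a vetted JWT library rather than this hand-rolled signer.

```python
# Added example, not from the page: a minimal RS384 JWT signer/verifier on top of
# `cryptography`, illustrating the checks behind jose.jwt.encode / jose.jwt.decode.
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ISSUER = "https://my-ehr.org/fhir"   # constructed sample issuer
CLIENT_ID = "penguin"                # constructed sample client_id (the "aud")


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, private_key: rsa.RSAPrivateKey) -> str:
    """Server side: sign claims as an RS384 JWT (RSASSA-PKCS1-v1_5 over SHA-384)."""
    header = {"alg": "RS384", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    signature = private_key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA384())
    return signing_input + "." + b64url(signature)


def validate_id_token(token: str, public_pem: str, audience: str, issuer: str, now=None) -> dict:
    """Client side: pin the alg, verify the signature, then check aud, iss and exp.

    Raises ValueError on any failure so a caller can never use a half-checked token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token header, decides which algorithm is acceptable.
    if header.get("alg") != "RS384":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    public_key = serialization.load_pem_public_key(public_pem.encode("ascii"))
    try:
        public_key.verify(b64url_decode(sig_b64), (header_b64 + "." + payload_b64).encode("ascii"),
                          padding.PKCS1v15(), hashes.SHA384())
    except InvalidSignature:
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:   # minted for some other app
        raise ValueError("audience mismatch")
    if claims.get("iss") != issuer:     # issued by some other EHR
        raise ValueError("issuer mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Mint a sample ID Token for the app "penguin" and show which checks accept or reject it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    claims = {"sub": "Ashok", "aud": CLIENT_ID, "iss": ISSUER,
              "fhirUser": ISSUER + "/Practitioner/123", "iat": now, "exp": now + 300}
    token = make_id_token(claims, key)
    header_b64, payload_b64, sig_b64 = token.split(".")

    def rejected(t: str, aud: str = CLIENT_ID, at: int = now) -> bool:
        try:
            validate_id_token(t, public_pem, aud, ISSUER, now=at)
            return False
        except ValueError:
            return True

    # Test vectors for the verifier: a payload edited after signing, and a header
    # that declares alg "none" with an empty signature. Both must be rejected.
    edited_payload = b64url(json.dumps(dict(claims, aud="walrus")).encode())
    none_header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return {
        "subject": validate_id_token(token, public_pem, CLIENT_ID, ISSUER, now=now)["sub"],
        "wrong_audience_rejected": rejected(token, aud="walrus"),
        "tampered_payload_rejected": rejected(header_b64 + "." + edited_payload + "." + sig_b64),
        "alg_none_rejected": rejected(none_header + "." + payload_b64 + "."),
        "expired_rejected": rejected(token, at=now + 300),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`validate_id_token` takes the public key as PEM text because that is the form a client typically fetches from the server; it raises on every failure instead of returning partial results, and it checks the algorithm before touching the signature so that the header can never downgrade the verification.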

In [None]:
# Unrelated smoke test: a symmetric HS256 token signed with a shared secret, not an ID Token
from jose import jwt
token = jwt.encode({'key': 'value'}, 'secret', algorithm='HS256')