The following descriptions give a high-level overview of what can be accessed with the security credentials provided for the Care Connect Reference Implementation.
The data exposed by the secured requests is identical to that of the standard REST requests of the FHIR Care Connect API. The scopes demonstrated here restrict which profiles a specific user, system or role can reach over the HTTP REST API; the exact restrictions will depend on the specific system.
The Reference Implementation provides examples based on restricted users. Each user has a set of scopes, and to access certain profiles the user requires the corresponding scope on their profile.
Security is managed by an OAuth2 server. We have set up ours on a separate box, or you can follow the instructions provided by the Care Access Service (coming soon). Before your application can access secured Reference Implementation API data, it must obtain an access token that grants access to that API. A single access token can grant varying degrees of access to multiple APIs. A parameter called scope controls the set of resources and operations that an access token permits; during the access-token request, your application sends one or more values in the scope parameter.
At the moment these scopes are restricted to the examples shown; in future it may be possible to create scopes on profiles dynamically. The Reference Implementation provides a demonstration of OAuth2 users and scopes.
To aid the use of OAuth2 with the Reference Implementation, we have provided a step-by-step guide on using Postman to authenticate and connect with the Care Connect Reference Implementation.
Resource scope required to access (at least one of)

| Resource name | Permitted scopes |
|---|---|
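The table above expresses the rule the secured API applies: each resource has a list of permitted scopes, and a request needs at least one of them. The following is an added example of that check written from the server's side; it is not the Reference Implementation's own code. The resource table and the scope names (`patient/Patient.read` and the like) are constructed placeholders, since the table rows themselves are not reproduced on this page, and the path format `/STU3/<Resource>/...` is assumed.

```python
"""Resource-level scope enforcement: a request for a FHIR resource is
allowed when the token holds at least one scope the resource permits.
Added example, not the Reference Implementation's own code. The table and
scope names below are constructed placeholders."""

# Constructed placeholder table: resource name -> permitted scopes (any one suffices).
PERMITTED_SCOPES = {
    "Patient": {"patient/Patient.read", "user/Patient.read"},
    "Observation": {"patient/Observation.read", "user/Observation.read"},
    "Practitioner": {"user/Practitioner.read"},
}


def parse_scope_claim(scope_claim):
    """The OAuth2 'scope' value is a space-separated string; normalise it to a set."""
    return {s for s in scope_claim.split() if s}


def is_permitted(resource, granted_scopes, table=PERMITTED_SCOPES):
    """True when the token holds at least one of the scopes the resource permits.
    A resource missing from the table is denied (fail closed), never left open."""
    permitted = table.get(resource)
    if not permitted:
        return False
    return bool(permitted & set(granted_scopes))


def resource_from_path(path):
    """Pick the FHIR resource type out of a REST path such as
    /STU3/Patient/123 or /STU3/Observation?patient=123 (assumed layout).
    Resource types are CapitalCase words; version segments like STU3 are skipped."""
    segments = [seg for seg in path.split("?", 1)[0].split("/") if seg]
    for seg in segments:
        if seg.isalpha() and seg[0].isupper() and not seg.isupper():
            return seg
    return None


def authorise(path, scope_claim, table=PERMITTED_SCOPES):
    """Authorisation decision for one request: (allowed, resource, reason)."""
    resource = resource_from_path(path)
    granted = parse_scope_claim(scope_claim)
    if resource is None:
        return False, None, "no resource type in path"
    if is_permitted(resource, granted, table):
        return True, resource, "scope granted"
    needed = ", ".join(sorted(table.get(resource, ())))
    return False, resource, "needs one of: " + needed


if __name__ == "__main__":
    for path, claim in [("/STU3/Patient/1", "patient/Patient.read"),
                        ("/STU3/Observation?patient=1", "patient/Patient.read"),
                        ("/STU3/Condition/1", "user/Condition.read")]:
        print(path, claim, "->", authorise(path, claim))
```

The decision is deliberately fail-closed: a resource that is not in the table is refused even if the token carries a scope that looks right, so adding a new profile to the API without adding its row to the table cannot silently expose it.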
Postman usage examples
The following screenshots show how to use the Care Connect Reference Implementation via Postman. The 6 steps shown below are:
- Access Secure Endpoint
- Select OAuth2
- Get New Access Token
- Request Token - please use list of Security Scopes
- Use Access Token
- Send Secure Request
[Screenshot: Get new access token]
[Screenshot: Access Secure Endpoint & Select OAuth2]
[Screenshot: Use Access Token]
Click Security Scopes for a list of example scopes and access tokens.
Get New Access Token (expiry 90 mins) and copy the details below this screenshot.
Example access-token settings for Patient-only access (see Security Scopes for more example scopes):
| Credentials | Details (please copy all details) |
|---|---|
| Grant Type | Client Credentials |
| Token name (example) | OAuth2-PatientAccess |
| Access Token URL | http://purple.testlab.nhs.uk:20080/token |
| Client Authentication | ‘Send as Basic Auth header’ |
There are three steps the first time you use the token with the Reference Implementation:
- Get a new access token
- Ensure you only have one active token (tokens expire every 90 mins)
- Use the access token in a request (the URL is the same as before but with the https:// prefix)
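The Postman steps above are the OAuth2 client-credentials flow: a token request with the client credentials in a Basic Auth header and the requested scopes in the `scope` parameter, then the returned token used as a Bearer token on the https:// form of the same URL. The script below is an added example of that flow in Python and is not the project's own code. It assumes the token endpoint returns a standard OAuth2 JSON body (`access_token`, `token_type`, `expires_in`); the client id and secret are placeholders; the token URL and the 90-minute expiry come from this page. One caveat for anyone copying the table above: the token URL listed there is plain http://, so the Basic Auth header (the client credentials) would cross the network unencrypted; outside a test lab the token endpoint must be https.

```python
"""Client-credentials token flow for the Care Connect Reference Implementation.

Added example, not the project's own code. Assumptions: a standard OAuth2
JSON token response; placeholder client id/secret; the token URL and the
90-minute expiry are taken from the page."""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "http://purple.testlab.nhs.uk:20080/token"  # from the page (http in the test lab only)
TOKEN_LIFETIME_SECONDS = 90 * 60                         # "expiry 90 mins" from the page


def build_token_request(client_id, client_secret, scopes, token_url=TOKEN_URL):
    """Build the 'Get New Access Token' request as Postman sends it:
    grant_type=client_credentials, client credentials 'sent as Basic Auth header',
    requested scopes space-separated in the 'scope' form parameter."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    ).encode("ascii")
    return {"method": "POST", "url": token_url, "headers": headers, "body": body}


def parse_token_response(response_text, now=None):
    """Extract the bearer token and turn expires_in into an absolute expiry time."""
    payload = json.loads(response_text)
    if payload.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % payload.get("token_type"))
    lifetime = int(payload.get("expires_in", TOKEN_LIFETIME_SECONDS))
    issued_at = time.time() if now is None else now
    return {"access_token": payload["access_token"],   # KeyError if the server sent none
            "expires_at": issued_at + lifetime,
            "scope": payload.get("scope", "")}


class SingleTokenHolder:
    """Keeps exactly one active token ('ensure you only have one active token'),
    requesting a fresh one only when the current one has expired."""

    def __init__(self, fetch):
        self._fetch = fetch      # callable returning the raw JSON token response
        self._token = None
        self.fetch_count = 0

    def get(self, now=None):
        t = time.time() if now is None else now
        if self._token is None or self._token["expires_at"] <= t:
            self._token = parse_token_response(self._fetch(), now=t)
            self.fetch_count += 1
        return self._token["access_token"]


def build_secure_request(unsecured_url, access_token):
    """Secure form of a REST request: same host and path with the https://
    prefix, and the access token carried as a Bearer header."""
    parts = urllib.parse.urlsplit(unsecured_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: " + parts.scheme)
    secure_url = urllib.parse.urlunsplit(("https",) + tuple(parts[1:]))
    return {"method": "GET", "url": secure_url,
            "headers": {"Authorization": "Bearer " + access_token,
                        "Accept": "application/fhir+json"}}


def send(request):
    """Perform a built request over the network with urllib (not used by the tests)."""
    req = urllib.request.Request(request["url"], data=request.get("body"),
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Placeholder credentials and a placeholder scope; swap in values from Security Scopes.
    holder = SingleTokenHolder(lambda: send(
        build_token_request("client-id-placeholder", "client-secret-placeholder",
                            ["scope-placeholder"])))
    print(send(build_secure_request("http://example.test/STU3/Patient/1", holder.get())))
```

`SingleTokenHolder` is what keeps the "one active token" rule honest in a script: every call goes through `get()`, so a second token is never requested while the first is still valid, and an expired one is replaced transparently.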
[Screenshot: Send Secure Request]
Functionality: Provide 14 STU3 Care Connect profiles (PractitionerRole added in STU3) with example data for one care setting, with audit of use, accessible via unsecured API interaction and also securely via OAuth2 (including an example of using scopes)
Delivered: 12th January 2018
Link: Reference Implementation - web interface
Check out Versions for more information about the current released version, downloading options, use and future versions.
This site is structured around Care Connect stakeholders including API users, developers and architects. Please get involved in the journey.