Security Quickstart
This page is a quickstart for users of the Care Connect Reference Implementation (CCRI) who want to explore a secure API connection to the CCRI. The security challenges are described in more detail in the Security section of this Implementation Guide. The rest of this guide concentrates on how to:
- Pre-registered OAuth2 Client - Access via Postman
- Register OAuth2 Client - Access via an OAuth2 negotiated server
To deploy a live instance of a Care Connect API where data is hosted and shared across system and organisational boundaries, please refer to Security for background and understanding of the security considerations when creating your own implementation.
Pre-registered OAuth2 Client
Authenticating and connecting to the CCRI via Postman emulates how a backend server might establish a secure connection. The following screenshots show how to use the Care Connect Reference Implementation via Postman. The 7 steps shown below are:
- Access Secure Endpoint
- Select OAuth2
- Get New Access Token
- Request Token - please use the list of Security Scopes
- Use Access Token
- Send Secure Request
Screenshots: Get new access token; Access Secure Endpoint & Select OAuth2; Use Access Token.
The example uses the client-credentials grant. Please check the OAuth2 documentation for the most appropriate grant for your setting. Please click Security Scopes for a list of example scopes and access tokens.
Get New Access Token (expiry 90 mins) and copy in the details below this screenshot.
Create Access Token example for Patient-only access; please see Security Scopes for more example scopes:
| Credentials | Details (please copy all details) |
|---|---|
| Grant Type | Client Credentials |
| Token name (example) | OAuth2-PatientAccess |
| Access Token URL | https://data.developer.nhs.uk/ccri-auth/token |
| Client ID | patient-access |
| Client Secret | IShTVi8mRSV7bVREuU1freiDo79y_8fLX3BBw2nf2eIpv9A_r91VlVuF2LOiK_zLZAkBQCusEXLp_o6DEIgvaQ |
| Client Authentication | ‘Send as Basic Auth header’ |
There are three steps the first time you use the token with the Reference Implementation:
- Get new access token
- Ensure you only have one active token (each token expires after 90 mins)
- Use the access token in a Request (The URL is the same as before but with the https:// prefix)
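The same client-credentials exchange that Postman performs in the steps above, written out as an added Python example (not code from the CCRI quickstart or the CCRI project) so that each entry in the table is visible as a request element: the grant type in the form body, the Client ID and Client Secret combined into the Basic Auth header, the token URL, and the Bearer token on the later secure request. Only the token URL and the Client ID come from the table; the token JSON, the scope string and the `CCRI_SECURE_URL` value are constructed or placeholder values, and the secret is read from the environment rather than written into the script.

```python
# Added example (not CCRI code): the client-credentials flow the quickstart drives from
# Postman. Token URL and client id are from the quickstart table; the sample token
# response and the secure endpoint URL are constructed/placeholder values.
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://data.developer.nhs.uk/ccri-auth/token"  # Access Token URL from the table
TOKEN_LIFETIME_SECONDS = 90 * 60  # the quickstart states tokens expire after 90 minutes
CLOCK_SKEW_SECONDS = 60  # treat a token as expired this long before its real expiry


def basic_auth_header(client_id, client_secret):
    """Build the 'Send as Basic Auth header' value: Basic base64(id:secret).

    RFC 6749 section 2.3.1 requires both parts to be form-urlencoded before they are
    joined and base64-encoded, so a secret containing ':' or '%' survives intact.
    """
    pair = "%s:%s" % (urllib.parse.quote(client_id, safe=""),
                      urllib.parse.quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def build_token_request(client_id, client_secret, scope=None, token_url=TOKEN_URL):
    """Return (url, headers, body) for a client_credentials grant.

    The credentials travel only in the Authorization header; the form body carries the
    grant type and, optionally, the scopes requested (see the Security Scopes page).
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return token_url, headers, urllib.parse.urlencode(form).encode("ascii")


def parse_token_response(body, now):
    """Parse an RFC 6749 section 5.1 token response into a record with an absolute expiry.

    Keeping expires_at (not the raw expires_in) is what lets a client hold exactly one
    live token and fetch a new one only when needed, as the quickstart asks.
    """
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a bearer token, got %r" % data.get("token_type"))
    expires_in = int(data.get("expires_in", TOKEN_LIFETIME_SECONDS))
    return {"access_token": data["access_token"],
            "expires_at": now + expires_in,
            "scope": data.get("scope", "")}


def token_is_live(token, now):
    """True while the token can still be used, allowing for clock skew."""
    return now + CLOCK_SKEW_SECONDS < token["expires_at"]


def build_secure_request(url, token):
    """Headers for a FHIR call to the secure endpoint (same path as before, https:// prefix)."""
    if not url.startswith("https://"):
        # A bearer token sent over plain http is a reusable credential in the clear.
        raise ValueError("secure endpoint must use https://: %s" % url)
    return {"Authorization": "Bearer " + token["access_token"],
            "Accept": "application/fhir+json"}


def send(url, headers, body=None):
    """Perform the HTTP call; only used when run as a script, everything else works offline."""
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body else "GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


# Constructed token response in the shape a token endpoint returns; not captured from the CCRI.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "constructed-example-token",
    "token_type": "Bearer",
    "expires_in": TOKEN_LIFETIME_SECONDS,
    "scope": "patient/*.read",
})


if __name__ == "__main__":
    # Credentials come from the environment so the secret is never committed with the script;
    # the quickstart table gives the demo Client ID and Client Secret.
    client_id = os.environ.get("CCRI_CLIENT_ID", "patient-access")
    client_secret = os.environ["CCRI_CLIENT_SECRET"]
    secure_url = os.environ["CCRI_SECURE_URL"]  # placeholder: https:// form of the endpoint used earlier
    url, headers, body = build_token_request(client_id, client_secret)
    status, raw = send(url, headers, body)
    token = parse_token_response(raw, time.time())
    status, fhir = send(secure_url, build_secure_request(secure_url, token))
    print(status, fhir[:200])
```

Run with `CCRI_CLIENT_SECRET` and `CCRI_SECURE_URL` set; `build_secure_request` refuses a plain `http://` URL because the Bearer token would otherwise travel unprotected, which is the reason the quickstart switches to the `https://` prefix for the secured request.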
Screenshots: Send Request; Send Secure Request.
Register an OAuth2 Client
Access via an OAuth2 client demonstrates how a website or mobile app could interact with an end user. The starting point lies in the CapabilityStatement (example) of a FHIR Server, which indicates the location of the Authorisation Server.
The CapabilityStatement indicates secure access can be obtained by registering the client at https://developer.nhs.uk/ccri-auth/register.
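The discovery step described above, as an added Python example that is not part of the CCRI quickstart or the CCRI code: it reads the SMART on FHIR `oauth-uris` extension from a server's CapabilityStatement to find the authorize, token and register endpoints. The CapabilityStatement below is constructed and trimmed to its `rest.security` part; the token and register URLs are the two this quickstart quotes, while the authorize URL is a placeholder.

```python
# Added example (not CCRI code): locate the authorisation server from a FHIR CapabilityStatement.
# The statement is constructed; token/register URLs are the ones the quickstart quotes,
# the authorize URL is a placeholder host.
import json

OAUTH_URIS_EXTENSION = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
SMART_SECURITY_SYSTEM = "http://hl7.org/fhir/restful-security-service"

SAMPLE_CAPABILITY_STATEMENT = json.dumps({
    "resourceType": "CapabilityStatement",
    "fhirVersion": "3.0.1",
    "rest": [{
        "mode": "server",
        "security": {
            "service": [{"coding": [{"system": SMART_SECURITY_SYSTEM, "code": "SMART-on-FHIR"}]}],
            "extension": [{
                "url": OAUTH_URIS_EXTENSION,
                "extension": [
                    {"url": "authorize", "valueUri": "https://auth.example.invalid/ccri-auth/authorize"},
                    {"url": "token", "valueUri": "https://data.developer.nhs.uk/ccri-auth/token"},
                    {"url": "register", "valueUri": "https://developer.nhs.uk/ccri-auth/register"},
                ],
            }],
        },
    }],
})


def oauth_endpoints(capability_statement_json):
    """Return {'authorize': ..., 'token': ..., 'register': ...}, or None if none is advertised.

    Every advertised endpoint must be https: an http token or register URL would mean
    sending client secrets or access tokens in the clear, so it is rejected, not used.
    """
    statement = json.loads(capability_statement_json)
    for rest in statement.get("rest", []):
        if rest.get("mode") != "server":
            continue
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != OAUTH_URIS_EXTENSION:
                continue
            endpoints = {}
            for inner in ext.get("extension", []):
                uri = inner.get("valueUri")
                if uri is None:
                    continue
                if not uri.startswith("https://"):
                    raise ValueError("non-https OAuth2 endpoint advertised: %s" % uri)
                endpoints[inner["url"]] = uri
            if "token" not in endpoints:
                raise ValueError("oauth-uris extension lacks a token endpoint")
            return endpoints
    return None


def supports_smart(capability_statement_json):
    """True when rest.security.service names SMART-on-FHIR."""
    statement = json.loads(capability_statement_json)
    for rest in statement.get("rest", []):
        for service in rest.get("security", {}).get("service", []):
            for coding in service.get("coding", []):
                if coding.get("system") == SMART_SECURITY_SYSTEM and coding.get("code") == "SMART-on-FHIR":
                    return True
    return False


if __name__ == "__main__":
    endpoints = oauth_endpoints(SAMPLE_CAPABILITY_STATEMENT)
    print("SMART advertised:", supports_smart(SAMPLE_CAPABILITY_STATEMENT))
    print("register clients at:", endpoints["register"])
```

A client should take the endpoints from the CapabilityStatement it fetched over TLS rather than from configuration copied by hand, so that the registration and token URLs it uses are the ones the FHIR server actually advertises.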
As a demonstration of how this can be achieved using an Authorisation Server user interface, please follow the link below and log into the OAuth2 server using a Google Id by clicking on Log In (top right hand corner).
CareConnect Authorisation Server
Register to the OAuth2 Client
Select ‘Self-service client registration’ from the menu and then select ‘+ New Client’.
Complete your details; for details on Access Scopes please see SMART on FHIR - Scopes and Launch Context.
Take a note of the client_id and client_secret; they will be used to establish the secure connection. The diagram below shows a redacted screenshot of an example access token.
Current Version
Functionality: Provide latest STU3 Care Connect profiles with example data for one care setting with audit of use and accessible by unsecure API interaction and also connect securely via OAuth2 (including an example of using scopes)
Delivered: 26th March 2019
Link: Reference Implementation - web interface
Check out Versions for more information about the current released version, downloading options, use and future versions.
Contribute
This site is structured around Care Connect stakeholders including API users, developers and architects. Please get involved in the journey.