Security Scopes
Security Scopes can be managed in different ways inside Care Connect and FHIR. Within the RESTful version, scopes can be defined which restrict access to profiles depending on the defined system or end user. Currently, Security Scopes provides an example of restricting access to certain profiles; in the future it may be possible to create scopes on profiles dynamically. The CCRI provides a demonstration of OAuth2 users and scopes.
Please click on Security for background and understanding of the security considerations when creating your own implementation.
HTTP Request to Get an OAuth Token
The Reference Implementation REST APIs are secured, as an example, using the OAuth 2.0 protocol to authenticate and authorise calls. OAuth2 is an open industry standard for authorisation that provides secure access to protected resources and removes the need to ask for a username and password every time a user logs in. The OAuth2 token request is described below:
URL: https://data.developer.nhs.uk/ccri-auth/token?grant_type=client_credentials&client_id={Client_Id}
Method: POST
Headers:
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {base64 of ClientID:Client Secret}
An OAuth2 response example is shown below:
Expected Response:
Status Code: 200
Headers:
Content-Type: application/json
Response Body:
{
"access_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI0MTNjMWZjYi0yMzVmLTQ4ZWQtYmIyOC01YzgwZTMwYjVlODQiLCJpc3MiOiJodHRwOlwvXC9wdXJwbGUudGVzdGxhYi5uaHMudWs6MjAwODBcLyIsImV4cCI6MTUxMzA5NjU3NywiaWF0IjoxNTEzMDkyOTc3LCJqdGkiOiJkNWE2MWM4Ny1iMjI5LTQ5ODctOTk3ZS01ZTJlOGZlNmIwNGQifQ.UthMhHtWWJFRFhrYV33AqJtL0nn6-Ca97-caTETRZkPZcO5quU2q5alP9Z1yJq1oSryl8lScrwScvxAOnHBWAA4tY-ViBq0m2sXjP-Gps2M_bCOmxjDV7aWOv_gou28QBus6cUHr-cocDtQXwYdzhoVMoFNmASG21ZvhDd15U6xUKHgL5J1sPGFsMmozJeI6EX99o1pwKCWLyBFHXtRp02fyXfC-IXy6EwDgZa5Vwqgwn_r9AbJ-IMQmCckQl2opQo6cD0Xn44H4jMC1iSsMhtr3PfGBoJuuWQ8aeU61hAB2XUPbH9uYHav-i8-lpE98WF088wu62qGAOTcCeGdCuQ",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "patient/Patient.read patient/Patient.write"
}
Authorisation Header
The value of the access_token element of this response is then passed in the Authorization header of subsequent requests, for example:
URL: https://developer.nhs.uk/ccri/STU3/Patient/4
Method: GET
Headers:
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI0MTNjM...88wu62qGAOTcCeGdCuQ
OAuth2 Scopes
The following users can access profiles within the Care Connect Reference Implementation. These OAuth2 users therefore provide the mapping of scopes to profiles. The settings common to all three clients are:

| Credentials | Details (Please copy all details) |
|---|---|
| Grant Type | Client Credentials |
| Token name (example) | OAuth2-PatientAccess |
| Access Token URL | https://data.developer.nhs.uk/ccri-auth/token |
| Client Authentication | ‘Send as Basic Auth header’ |
Patient Access
Can only access the patient profiles.
| Credentials | Details (Please copy all details) |
|---|---|
| Client ID | patient-access |
| Client Secret | IShTVi8mRSV7bVREuU1freiDo79y_8fLX3BBw2nf2eIpv9A_r91VlVuF2LOiK_zLZAkBQCusEXLp_o6DEIgvaQ |

A full list of scopes is described below:

| Scopes |
|---|
| profile patient/Patient.read user/Patient.read |
Patient, Condition & Medication Access
Can only access a combination of patient, condition and medication profiles.
| Credentials | Details |
|---|---|
| Client ID | clinical-access |
| Client Secret | QOm0VcqJqa9stA1R0MJzHjCN_uYdo0PkY8OT68UCk2XDFxFrAUjajuqOvIom5dISjKshx2YiU51mXtx7W5UOwQ |

A full list of scopes is described below:

| Scopes |
|---|
| user/MedicationStatement.read patient/Immunization.read user/Patient.read patient/Condition.read user/MedicationOrder.read user/Condition.read user/Encounter.read profile patient/MedicationOrder.read patient/Patient.read patient/Observation.read patient/Encounter.read |
Limited Access
Can only access publicly available information.

| Credentials | Details |
|---|---|
| Client ID | limited-access |
| Client Secret | AI8OGCYWjvnj-NY0zaP0H2e6_El_yO2pq43wK4YKk8UnBR_JZ5ivkmkXFtlkiL6LKWsL8H7ksab0V_Hk9c4OeMI |

A full list of scopes is described below:

| Scopes |
|---|
| profile |
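The token request, the Bearer header and the scope strings above, worked through in an added Python example that is not part of the CCRI documentation or code: it assembles the client-credentials request as the page lists it (the Basic value is the base64 encoding of client_id:client_secret, as OAuth 2.0 client authentication requires), turns the token response into the Authorization header for FHIR calls, and decides whether a scope string permits a given resource access. The scope grammar (patient|user/Resource.action, with the bare `profile` scope granting no resource access) is assumed from the SMART on FHIR convention the CCRI scope strings follow; the server's own enforcement rules are not on this page.

```python
import base64

TOKEN_URL = "https://data.developer.nhs.uk/ccri-auth/token"  # from the page

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic for client_secret_basic: base64 of 'client_id:client_secret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(client_id: str, client_secret: str) -> dict:
    """Assemble the POST exactly as the page lists it; nothing is sent here."""
    return {
        "method": "POST",
        "url": f"{TOKEN_URL}?grant_type=client_credentials&client_id={client_id}",
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
    }

def bearer_header(token_response: dict) -> str:
    """Header value for FHIR calls: 'Bearer <access_token>', no surrounding quotes."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return "Bearer " + token_response["access_token"]

def scope_permits(scope_string: str, resource_type: str, action: str) -> bool:
    """Assumed SMART-style grammar '<patient|user>/<Resource>.<read|write|*>'.
    Bare scopes such as 'profile' grant no FHIR resource access."""
    for scope in scope_string.split():
        if "/" not in scope or "." not in scope:
            continue  # e.g. 'profile'
        context, rest = scope.split("/", 1)
        resource, act = rest.rsplit(".", 1)
        if context not in ("patient", "user"):
            continue
        if resource in (resource_type, "*") and act in (action, "*"):
            return True
    return False

# Scope strings copied from the three clients listed above
PATIENT_ACCESS = "profile patient/Patient.read user/Patient.read"
CLINICAL_ACCESS = ("user/MedicationStatement.read patient/Immunization.read "
                   "user/Patient.read patient/Condition.read user/MedicationOrder.read "
                   "user/Condition.read user/Encounter.read profile "
                   "patient/MedicationOrder.read patient/Patient.read "
                   "patient/Observation.read patient/Encounter.read")
LIMITED_ACCESS = "profile"
```

Checking a scope string before issuing a request is a client-side convenience only; the server remains the authority on what each token may read.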
Current Version
Functionality: Provides the latest STU3 Care Connect profiles with example data for one care setting, with audit of use, accessible through an unsecured API and also securely via OAuth2 (including an example of using scopes)
Delivered: 26th March 2019
Link: Reference Implementation - web interface
Check out Versions for more information about the current released version, downloading options, use and future versions.
Contribute
This site is structured around Care Connect stakeholders including API users, developers and architects. Please get involved in the journey.