smart_backend_auth
SMART Backend authentication.
Implementation of FHIR SMART Backend authentication as described in the SMART App Launch specification: https://build.fhir.org/ig/HL7/smart-app-launch/backend-services.html
Module
Functions
generate_ec_key_pair
def generate_ec_key_pair(key_directory: Path, kid: str = 'default') -> AsymmetricEncryptionKeyPair[cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey]:
Generates a new EC key pair for use with ES384 (ECDSA with P-384 and SHA-384).
generate_key_pair
def generate_key_pair(alg: SupportedAlg, kid: str = 'default') -> SmartBackendKeys:
Create RSA or EC key files on disk and return a signing JWK for that material.
Used when a pod has no inline SMARTBackendKeyPair in config: the first supported
algorithm from the FHIR server's well-known metadata is chosen.
Arguments
alg: Whether to generate RS384 (RSA) or ES384 (P-384 ECDSA) keys.
kid: Key identifier; defaults to 'default'.
Returns
Frozen record with the loaded private JWK and chosen alg / kid.
generate_rsa_key_pair
def generate_rsa_key_pair(key_directory: Path, kid: str = 'default') -> AsymmetricEncryptionKeyPair[cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey]:
Generates a new RSA key pair for use with RS384 (RSA signature with SHA-384).
Classes
SMARTBackendAuth
class SMARTBackendAuth(config: SMARTBackendEHRConfig, hub: BitfountHub):
SMART Backend Services auth: OAuth2 client credentials with private_key_jwt.
Discovers token_endpoint from {base_url}/.well-known/smart-configuration,
signs a short-lived JWT assertion with the configured or disk-backed key, and
exchanges it for bearer tokens used on FHIR requests.
Methods
get_token
def get_token(self) -> str:
Obtains a bearer token from the SMART token endpoint.
https://build.fhir.org/ig/HL7/smart-app-launch/backend-services.html#obtain-access-token
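The private_key_jwt flow that SMARTBackendAuth describes, as an added example that is not this module's own code: it builds an ES384 client assertion with the `cryptography` package, checks the signature the way a token endpoint would, and forms the token request body. All function names below are hypothetical, and the key, client id and endpoint are supplied by the caller.

```python
import base64, json, time, uuid
from urllib.parse import urlencode
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_assertion(key, client_id, token_endpoint, kid="default", ttl=300):
    """Build the ES384 client assertion; exp may be at most 5 minutes ahead."""
    if ttl > 300:
        raise ValueError("exp must be no more than five minutes in the future")
    now = int(time.time())
    header = {"alg": "ES384", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "exp": now + ttl, "jti": str(uuid.uuid4())}  # jti: one-time id
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    r, s = decode_dss_signature(key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA384())))
    # JWS wants fixed-width R||S (2 x 48 bytes for P-384), not the DER encoding.
    raw = r.to_bytes(48, "big") + s.to_bytes(48, "big")
    return f"{signing_input}.{b64url(raw)}"

def verify_assertion(public_key, token):
    """Signature check only; raises InvalidSignature on a tampered token."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "ES384":
        raise ValueError("unexpected alg")
    raw = b64url_decode(sig)
    if len(raw) != 96:
        raise ValueError("ES384 signature must be 96 bytes")
    der = encode_dss_signature(int.from_bytes(raw[:48], "big"),
                               int.from_bytes(raw[48:], "big"))
    public_key.verify(der, f"{head}.{body}".encode(), ec.ECDSA(hashes.SHA384()))
    return json.loads(b64url_decode(body))

def token_request_body(assertion, scope):
    """Form-encoded body POSTed to the discovered token_endpoint."""
    return urlencode({"grant_type": "client_credentials", "scope": scope,
                      "client_assertion_type": ASSERTION_TYPE,
                      "client_assertion": assertion})
```

A real token endpoint additionally checks `aud`, `exp` and `jti` reuse before issuing a token; only the signature step is shown here.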
SmartBackendKeys
class SmartBackendKeys(private_jwk: JoseJWKKey, public_key_pem: str, alg: str, kid: str):
Holds SMART Backend signing key material (private JWK, public PEM, alg, kid).
Variables
- static alg : str
- static kid : str
- static private_jwk : jose.backends.base.Key
- static public_key_pem : str
SupportedAlg
class SupportedAlg(*args, **kwds):
JWT signing algorithms supported for SMART Backend client authentication.