Receiving a SHOF launch
Requirements
The application created an
ActivityDefinition
.The user performing the launch must have an account on the shared IdP
Flow
When the launch arrives, the conformance is retrieved from the Koppeltaal Server. Here the authorize & token URL can be requested.
A redirect is sent to the authorize URL. The auth server will redirect the browser to a shared IdP using an OIDC code flow. If the launching platform does not use this shared IdP as a login mechanism, the user will have to login here as well. At the POC it is possible to create an account directly from this login screen. New users are given the role patient by default. The authorize call will check if the logged in user matches the user from the launch token.
A successful authorize call returns the
code
&state
parameters to theredirect_uri
. Note that thestate
(provided at the start of the/authorize
call) is returned to theredirect_uri
, this way you can find out which launch request is involved and, for example, relate to a specific user session.From the back-end, execute the Get Token request. Here, the
code
is exchanged for:an
id_token
(contains information of the logged in user asJWT
).A no-op
access_token
(not to be used on the Koppeltaal Server because it is user-specific).Additional context fields such as
task
, which the auth server fills based on the JWT provided as launch param.
By means of the context object it can be determined who, with which role, is logged on to the system and which task should be opened. When there is a valid response to this request, the user can be authenticated and e.g. a session can be created for the user.
Authorize Request
GET
https://auth-service.koppeltaal.headease.nl/oauth2/authorize
The URL should be determined from the Koppeltaal metadata
Query Parameters
Get Token
POST
https://authentication-service.koppeltaal.headease.nl/oauth2/token
The URL should be determined from the Koppeltaal metadata
Headers
Request Body
Topics
Last updated