An example express app supporting SMART on FHIR. Supports multiple browser tabs protected by a shared cookie
Remember npm install, of course
In one terminal, run the server:

```
node -r dotenv/config . dotenv_config_path=config/smart-launch.env
```
In another terminal, run Caddy to add TLS (the flag is `--to`, not `-to`):

```
caddy reverse-proxy --from localhost --to localhost:3000
```
Open the SMART App Launcher (hyperlink has user, patients and app URL prefilled)
The launcher is set to launch the app in an iframe, and the app is set to allow the launcher to frame it. Launch the app twice, choosing a different patient each time. Click refresh in each tab to verify they preserve the patient context.
By default, this app allows one session to have 4 tabs open. You can override this with the MAX_TAB_COUNT env variable in your .env file:

```
MAX_TAB_COUNT=6
```
Copy config/smart-launch.env to create a new config/<config name>.env file for this instance of your app. This example only supports one auth server/FHIR server at a time.

Register a client with a redirect_uri of https://localhost/callback and register a client secret. Add your client_id and client_secret to your .env file as CLIENT_ID and CLIENT_SECRET.
The env file includes another secret:

```
SECRET=LONG_RANDOM_VALUE
```
SECRET is how this app signs your cookies. Whenever you make a new .env file, **change the SECRET**. This makes sure that switching the app between multiple auth servers doesn't leave old cookies behind (a cookie signed under the old secret no longer verifies). Try `openssl rand -hex 32` to create a new secret for every server.
The OIDC_ISS and FHIR_ISS environment variables determine what authorization server and FHIR server (respectively) your app will interact with.
The FHIR_ISS should match the iss from the SMART App Launch. It's also known as the FHIR base URL. Some example FHIR_ISS are:
- SMART App Launcher: https://launch.smarthealthit.org/v/r4/fhir
- Epic on FHIR sandbox: https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4 (DSTU2,STU3 also supported)
The OIDC_ISS is a bit trickier. This should be the base URL that supports the /.well-known/openid-configuration endpoint, which returns the auth server's OIDC metadata. This can vary by auth server, and isn't discoverable. It will also be the iss parameter within id_tokens (note, here iss is very different from the FHIR_ISS). Some example OIDC_ISS are:
- SMART App Launcher: https://launch.smarthealthit.org/v/r4/fhir (same as FHIR_ISS)
- Epic on FHIR sandbox: https://fhir.epic.com/interconnect-fhir-oauth/oauth2
This app allows iframing if you provide it with an expected origin in your .env file:

```
FRAMER_ORIGIN="https://launch.smarthealthit.org/"
```
This origin can include a wildcard (example: https://*.smarthealthit.org), and is used to populate either the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive, depending on the browser's User-Agent (looking for Trident, which indicates Internet Explorer). The following table shows the behavior:
TODO
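As an added example (not this project's code), an Express-style middleware that applies the rule above: the CSP frame-ancestors directive for modern browsers, X-Frame-Options for Trident. Function names are mine, and what it does with a wildcard origin on Trident (deny, since ALLOW-FROM takes exactly one literal origin) is an assumption, not a statement of this app's behavior.

```javascript
// Added example, not this project's code: derive anti-framing headers from
// FRAMER_ORIGIN. CSP frame-ancestors accepts a leading "*." host wildcard;
// Trident (Internet Explorer) only understands X-Frame-Options.

function isTrident(userAgent) {
  return /Trident\//.test(userAgent || "");
}

// Reduce FRAMER_ORIGIN (e.g. "https://launch.smarthealthit.org/") to a bare
// origin "scheme://host[:port]", rejecting paths and unsupported wildcards.
function normalizeOrigin(origin) {
  const m = /^(https?):\/\/([A-Za-z0-9.*-]+)(?::(\d+))?\/?$/.exec(origin.trim());
  if (!m) throw new Error(`FRAMER_ORIGIN is not an origin: ${origin}`);
  const host = m[2];
  if (host.includes("*") && !/^\*\.[A-Za-z0-9.-]+$/.test(host)) {
    throw new Error(`only a leading "*." wildcard is supported: ${origin}`);
  }
  return `${m[1]}://${host}${m[3] ? ":" + m[3] : ""}`;
}

// Headers to send for one request. Assumption: with no FRAMER_ORIGIN, or a
// wildcard origin on Trident (not expressible in ALLOW-FROM), framing is denied.
function frameHeaders(framerOrigin, userAgent) {
  const trident = isTrident(userAgent);
  if (!framerOrigin) {
    return trident
      ? { "X-Frame-Options": "DENY" }
      : { "Content-Security-Policy": "frame-ancestors 'none'" };
  }
  const origin = normalizeOrigin(framerOrigin);
  if (trident) {
    return origin.includes("*")
      ? { "X-Frame-Options": "DENY" }
      : { "X-Frame-Options": `ALLOW-FROM ${origin}` };
  }
  return { "Content-Security-Policy": `frame-ancestors ${origin}` };
}

// Express-style middleware: app.use(frameGuard(process.env.FRAMER_ORIGIN)).
function frameGuard(framerOrigin) {
  return function (req, res, next) {
    const headers = frameHeaders(framerOrigin, req.headers["user-agent"]);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}
if (typeof module !== "undefined") {
  module.exports = { isTrident, normalizeOrigin, frameHeaders, frameGuard };
}
```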
Then run the server with your own config file:

```
node -r dotenv/config . dotenv_config_path=config/<config name>.env
```