SlideShare a Scribd company logo

How to Build an Indivo X Personal Health App

B
Ben Adida

Details on building an app for the Indivo X Personally Controlled Health Record

Health & Medicine
1 of 39
Download to read offline
How to build an Indivo X Personal Health App Ben Adida Indivo X Users Meeting 15 April 2010
Demo
Four Steps 1. Scope and framing of your app 2. Authentication and Authorization 3. REST API calls 4. UI widgets
Basic Terminology • Account • Record • PHA / User App • Admin App • (Chrome App)
1. Scope Screen Real-Estate controlled by PHA
For Example
Anatomy of a PHA • name • start URL “Problems” http://problems/auth/start • description • post-auth URL “track your problems” http://problems/auth/after • principal email • consumer key problems@apps.indivo.org 838xdnwk-sdf-werkj34 • data use agreement: • consumer secret what the app intends to do 23lnbls-235lnsdf-2343 with the data it reads from the record.
2. Auth
Components Access Token Indivo Server PHA User's Browser
OAuth Protocol consumer_token consumer_secret Indivo Server signed PHA (Data Service) HTTP+POX (Consumer) authentication HMAC-SHA1 RSA-SHA1 .... User's Browser
With the first click...
begin the auth process IFRAME directed to the PHA’s start URL with parameter record_id
User's Indivo PHA Browser Server add GET request_token Connection Step (1) token REDIRECT authorize
authorize the app
User's Indivo PHA Browser Server REDIRECT authorize Authorization Process Connection Step (2) post-add
redirect to app IFRAME directed to the PHA’s post-auth URL which finishes the oAuth process
User's Indivo PHA Browser Server post-add GET access_token Connection token Step (3)
User's Indivo PHA Browser Server token GET data Interaction Phase data
OAuth Request Authorization: OAuth realm="https://indivohealth.org/", oauth_consumer_key="0685bd9184jfhq22", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"
The code must be awfully complicated ...
def get_indivo_client(request, with_token=True): client = IndivoClient(CONSUMER_KEY, CONSUMER_SECRET, INDIVO_SERVER_LOCATION) if with_token: client.update_token(request.session['token']) return client
def start_auth(request): client = get_indivo_client(request, with_token=False) # do we have a record_id? record_id = request.GET.get('record_id', None) # prepare request token parameters params = {‘record_id’: record_id} # request a request token request_token = parse_token_from_response( client.post_request_token(data=params)) # store the request token in the session request.session['token'] = request_token # redirect to the UI server return HttpResponseRedirect (settings.INDIVO_UI_SERVER_BASE + '/oauth/authorize? oauth_token=%s' % request_token['oauth_token'])
def after_auth(request): # get the token and verifier from the URL parameters # retrieve request token stored in the session client = get_indivo_client(...) # exchange request token for access token access_token = parse_token_from_response (client.post_access_token(data={'oauth_verifier' : oauth_verifier})) # store stuff in the session request.session['access_token'] = access_token # get record ID that came back with token request.session['record_id'] = access_token['xoauth_indivo_record_id'] # go to list of problems return HttpResponseRedirect(reverse(problem_list))
3. REST API Calls
get data, e.g. problem list
web platform model Access Token Indivo Server PHA User's Browser
def problem_list(request): client = get_indivo_client(request) record_id = request.session['record_id'] # get record information record_xml = client.read_record(record_id = record_id) # get problem list from most recent to oldest problems_xml = client.read_problems(record_id = record_id, parameters={'order_by': '-date_onset'})
def new_problem(request): # get the variables and create a problem XML params = ... problem_xml = render_raw('problem', params, type='xml') # add the problem client = get_indivo_client(request) client.post_document(record_id = request.session ['record_id'], data=problem_xml) # add a notification client.record_notify(record_id = request.session ['record_id'], data={'content':'a new problem has been added to your problem list'}) return HttpResponseRedirect(reverse(problem_list))
Other API calls • get reports on labs, medications, allergies, immunizations, etc. • get basic record information • add documents, version them, etc. • store application-specific data not visible to other apps (bookkeeping)
What about sharing? • Carenets: a space for sharing, including documents, apps, and people • An app can be started with a carenet_id instead of a record_id. • The same API calls are available with a carenet_id, but may see only a subset of the data.
4. UI Widgets
Auto-Complete
Auto-Complete def code_lookup(request): client = get_indivo_client(request) query = request.GET['query'] # reformat this for the jQuery autocompleter codes = simplejson.loads( client.lookup_code( coding_system='umls-snomed', parameters= {'q' : query})) formatted_codes = {'query': query, 'suggestions': [c ['full_value'] for c in codes], 'data': codes} return HttpResponse(simplejson.dumps (formatted_codes), mimetype="text/plain")
Auto-Complete <script src="jquery.js"></script> <script src="jquery-ui.js"></script> <script src="jquery.autocomplete.js"></script> <script> $('#problem_fullname').autocomplete({ serviceUrl: 'codelookup', minChars: 2, onSelect: function(value, data) { $('#problem_code').val(data.code); } }); </script>
Sharing & Audit def one_problem(request, problem_id): ... surl_credentials = client.get_surl_credentials() ...
Sharing & Audit <script src="{{SERVER_BASE}}/lib/widgets.js"></script> <script> Indivo.setup('{{INDIVO_UI_SERVER_BASE}}'); </script> <script> Indivo.Auth.setToken("{{token}}","{{secret}}"); Indivo.Widget.DocumentAccess.add('{{record_id}}', '{{problem_id}}'); </script>
Upcoming Features...
Background Apps - most apps don’t need access beyond the user session - we tie the oAuth token to the web session ... unless the user authorizes more
Summary - your app is activated for each record - do the oAuth dance, get an access token - write to the input of the data pipeline, read from the end of the data pipeline, all simple REST+oAuth calls - use built-in widgets to get advanced functionality

Recommended

Indivo X Hospital Connectivity
Indivo X Hospital ConnectivityIndivo X Hospital Connectivity
Indivo X Hospital ConnectivityBen Adida
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netUmar Ali
 
REST APIs in the context of single-page applications
REST APIs in the context of single-page applicationsREST APIs in the context of single-page applications
REST APIs in the context of single-page applicationsyoranbe
 
Designing JavaScript APIs
Designing JavaScript APIsDesigning JavaScript APIs
Designing JavaScript APIsJonathan LeBlanc
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeFastly
 
20100305
2010030520100305
20100305Hironobu Koura
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetShivanand Arur
 

Recommended

Indivo X Hospital Connectivity
Indivo X Hospital ConnectivityIndivo X Hospital Connectivity
Indivo X Hospital ConnectivityBen Adida
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netUmar Ali
 
REST APIs in the context of single-page applications
REST APIs in the context of single-page applicationsREST APIs in the context of single-page applications
REST APIs in the context of single-page applicationsyoranbe
 
Designing JavaScript APIs
Designing JavaScript APIsDesigning JavaScript APIs
Designing JavaScript APIsJonathan LeBlanc
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeFastly
 
20100305
2010030520100305
20100305Hironobu Koura
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetShivanand Arur
 
Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An IntroductionSteve Ivy
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Jonathan LeBlanc
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Joris Poelmans
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point Thorbjørn Værp
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Danny Jessee
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
SAML 101
SAML 101SAML 101
SAML 101Echoworx
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Helios: web-based truly verifiable voting
Helios: web-based truly verifiable votingHelios: web-based truly verifiable voting
Helios: web-based truly verifiable votingBen Adida
 
Truly Verifiable Elections
Truly Verifiable ElectionsTruly Verifiable Elections
Truly Verifiable ElectionsBen Adida
 
Smart-Indivo App Challenge Webinar
Smart-Indivo App Challenge WebinarSmart-Indivo App Challenge Webinar
Smart-Indivo App Challenge Webinarhealth2dev
 
Secure Voting
Secure VotingSecure Voting
Secure VotingBen Adida
 
Open-Audit Voting
Open-Audit VotingOpen-Audit Voting
Open-Audit VotingBen Adida
 
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels
Efficient Receipt-Free Ballot Casting Resistant to Covert ChannelsEfficient Receipt-Free Ballot Casting Resistant to Covert Channels
Efficient Receipt-Free Ballot Casting Resistant to Covert ChannelsBen Adida
 
Indivo X Overview
Indivo X OverviewIndivo X Overview
Indivo X OverviewBen Adida
 
Helios - Real-World Open-Audit Voting
Helios - Real-World Open-Audit VotingHelios - Real-World Open-Audit Voting
Helios - Real-World Open-Audit VotingBen Adida
 
Cryptography and Voting
Cryptography and VotingCryptography and Voting
Cryptography and VotingBen Adida
 
Voting Security Overview
Voting Security OverviewVoting Security Overview
Voting Security OverviewBen Adida
 

More Related Content

What's hot

Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An IntroductionSteve Ivy
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Jonathan LeBlanc
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Joris Poelmans
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point Thorbjørn Værp
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Danny Jessee
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 

What's hot (12)

Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An Introduction
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
SAML 101
SAML 101SAML 101
SAML 101
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 

Viewers also liked

Helios: web-based truly verifiable voting
Helios: web-based truly verifiable votingHelios: web-based truly verifiable voting
Helios: web-based truly verifiable votingBen Adida
 
Truly Verifiable Elections
Truly Verifiable ElectionsTruly Verifiable Elections
Truly Verifiable ElectionsBen Adida
 
Smart-Indivo App Challenge Webinar
Smart-Indivo App Challenge WebinarSmart-Indivo App Challenge Webinar
Smart-Indivo App Challenge Webinarhealth2dev
 
Secure Voting
Secure VotingSecure Voting
Secure VotingBen Adida
 
Open-Audit Voting
Open-Audit VotingOpen-Audit Voting
Open-Audit VotingBen Adida
 
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels
Efficient Receipt-Free Ballot Casting Resistant to Covert ChannelsEfficient Receipt-Free Ballot Casting Resistant to Covert Channels
Efficient Receipt-Free Ballot Casting Resistant to Covert ChannelsBen Adida
 
Indivo X Overview
Indivo X OverviewIndivo X Overview
Indivo X OverviewBen Adida
 
Helios - Real-World Open-Audit Voting
Helios - Real-World Open-Audit VotingHelios - Real-World Open-Audit Voting
Helios - Real-World Open-Audit VotingBen Adida
 
Cryptography and Voting
Cryptography and VotingCryptography and Voting
Cryptography and VotingBen Adida
 
Voting Security Overview
Voting Security OverviewVoting Security Overview
Voting Security OverviewBen Adida
 

Viewers also liked (10)

Helios: web-based truly verifiable voting
Helios: web-based truly verifiable votingHelios: web-based truly verifiable voting
Helios: web-based truly verifiable voting
 
Truly Verifiable Elections
Truly Verifiable ElectionsTruly Verifiable Elections
Truly Verifiable Elections
 
Smart-Indivo App Challenge Webinar
Smart-Indivo App Challenge WebinarSmart-Indivo App Challenge Webinar
Smart-Indivo App Challenge Webinar
 
Secure Voting
Secure VotingSecure Voting
Secure Voting
 
Open-Audit Voting
Open-Audit VotingOpen-Audit Voting
Open-Audit Voting
 
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels
Efficient Receipt-Free Ballot Casting Resistant to Covert ChannelsEfficient Receipt-Free Ballot Casting Resistant to Covert Channels
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels
 
Indivo X Overview
Indivo X OverviewIndivo X Overview
Indivo X Overview
 
Helios - Real-World Open-Audit Voting
Helios - Real-World Open-Audit VotingHelios - Real-World Open-Audit Voting
Helios - Real-World Open-Audit Voting
 
Cryptography and Voting
Cryptography and VotingCryptography and Voting
Cryptography and Voting
 
Voting Security Overview
Voting Security OverviewVoting Security Overview
Voting Security Overview
 

Similar to How to Build an Indivo X Personal Health App

CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
Authentication
AuthenticationAuthentication
Authenticationsoon
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsJeff Fontas
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Dejan Glozic
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
Adding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationAdding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationFernando Lopez Aguilar
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 

Similar to How to Build an Indivo X Personal Health App (20)

CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
FIWARE ID Management
FIWARE ID ManagementFIWARE ID Management
FIWARE ID Management
 
Authentication
AuthenticationAuthentication
Authentication
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Api security
Api security Api security
Api security
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
Adding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationAdding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your Application
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 

Recently uploaded

DIGITAL RADIOGRAPHY-SABBU KHATOON .pptx
DIGITAL RADIOGRAPHY-SABBU KHATOON .pptxDIGITAL RADIOGRAPHY-SABBU KHATOON .pptx
DIGITAL RADIOGRAPHY-SABBU KHATOON .pptxSabbu Khatoon
 
The Orbit & its contents by Dr. Rabia I. Gandapore.pptx
The Orbit & its contents by Dr. Rabia I. Gandapore.pptxThe Orbit & its contents by Dr. Rabia I. Gandapore.pptx
The Orbit & its contents by Dr. Rabia I. Gandapore.pptxDr. Rabia Inam Gandapore
 
TEST BANK for The Nursing Assistant Acute, Subacute, and Long-Term Care, 6th ...
TEST BANK for The Nursing Assistant Acute, Subacute, and Long-Term Care, 6th ...TEST BANK for The Nursing Assistant Acute, Subacute, and Long-Term Care, 6th ...
TEST BANK for The Nursing Assistant Acute, Subacute, and Long-Term Care, 6th ...marcuskenyatta275
 
Video capsule endoscopy (VCE ) in children
Video capsule endoscopy (VCE ) in childrenVideo capsule endoscopy (VCE ) in children
Video capsule endoscopy (VCE ) in childrenRaju678948
 
Dermatome and myotome test & pathology.pdf
Dermatome and myotome test & pathology.pdfDermatome and myotome test & pathology.pdf
Dermatome and myotome test & pathology.pdfniloofarbarzegari76
 
DR. Neha Mehta Best Psychologist.in India
DR. Neha Mehta Best Psychologist.in IndiaDR. Neha Mehta Best Psychologist.in India
DR. Neha Mehta Best Psychologist.in IndiaNehamehta128467
 
Overview on the Automatic pill identifier
Overview on the Automatic pill identifierOverview on the Automatic pill identifier
Overview on the Automatic pill identifierNidhi Joshi
 
Muscle Energy Technique (MET) with variant and techniques.
Muscle Energy Technique (MET) with variant and techniques.Muscle Energy Technique (MET) with variant and techniques.
Muscle Energy Technique (MET) with variant and techniques.Anjali Parmar
 
CT scan of penetrating abdominopelvic trauma
CT scan of penetrating abdominopelvic traumaCT scan of penetrating abdominopelvic trauma
CT scan of penetrating abdominopelvic traumassuser144901
 
Introducing VarSeq Dx as a Medical Device in the European Union
Introducing VarSeq Dx as a Medical Device in the European UnionIntroducing VarSeq Dx as a Medical Device in the European Union
Introducing VarSeq Dx as a Medical Device in the European UnionGolden Helix
 
5Cladba ADBB 5cladba buy 6cl adbb powder 5cl ADBB precursor materials
5Cladba ADBB 5cladba buy 6cl adbb powder 5cl ADBB precursor materials5Cladba ADBB 5cladba buy 6cl adbb powder 5cl ADBB precursor materials
5Cladba ADBB 5cladba buy 6cl adbb powder 5cl ADBB precursor materialsSherrylee83
 
Cas 28578-16-7 PMK ethyl glycidate ( new PMK powder) best suppler
Cas 28578-16-7 PMK ethyl glycidate ( new PMK powder) best supplerCas 28578-16-7 PMK ethyl glycidate ( new PMK powder) best suppler
Cas 28578-16-7 PMK ethyl glycidate ( new PMK powder) best supplerSherrylee83
 
Cardiovascular Physiology - Regulation of Cardiac Pumping
Cardiovascular Physiology - Regulation of Cardiac PumpingCardiovascular Physiology - Regulation of Cardiac Pumping
Cardiovascular Physiology - Regulation of Cardiac PumpingMedicoseAcademics
 
THORACOTOMY . SURGICAL PERSPECTIVES VOL 1
THORACOTOMY . SURGICAL PERSPECTIVES VOL 1THORACOTOMY . SURGICAL PERSPECTIVES VOL 1
THORACOTOMY . SURGICAL PERSPECTIVES VOL 1DR SETH JOTHAM
 
CAS 110-63-4 BDO Liquid 1,4-Butanediol 1 4 BDO Warehouse Supply For Excellent...
CAS 110-63-4 BDO Liquid 1,4-Butanediol 1 4 BDO Warehouse Supply For Excellent...CAS 110-63-4 BDO Liquid 1,4-Butanediol 1 4 BDO Warehouse Supply For Excellent...
CAS 110-63-4 BDO Liquid 1,4-Butanediol 1 4 BDO Warehouse Supply For Excellent...ocean4396
 
Case presentation on Antibody screening- how to solve 3 cell and 11 cell panel?
Case presentation on Antibody screening- how to solve 3 cell and 11 cell panel?Case presentation on Antibody screening- how to solve 3 cell and 11 cell panel?
Case presentation on Antibody screening- how to solve 3 cell and 11 cell panel?DrShinyKajal
 
5cladba raw material 5CL-ADB-A precursor raw
5cladba raw material 5CL-ADB-A precursor raw5cladba raw material 5CL-ADB-A precursor raw
5cladba raw material 5CL-ADB-A precursor rawSherrylee83
 
TEST BANK For Timby's Introductory Medical-Surgical Nursing, 13th Edition by ...
TEST BANK For Timby's Introductory Medical-Surgical Nursing, 13th Edition by ...TEST BANK For Timby's Introductory Medical-Surgical Nursing, 13th Edition by ...
TEST BANK For Timby's Introductory Medical-Surgical Nursing, 13th Edition by ...marcuskenyatta275
 
Creating Accessible Public Health Communications
Creating Accessible Public Health CommunicationsCreating Accessible Public Health Communications
Creating Accessible Public Health Communicationskatiequigley33
 
Vaccines: A Powerful and Cost-Effective Tool Protecting Americans Against Dis...
Vaccines: A Powerful and Cost-Effective Tool Protecting Americans Against Dis...Vaccines: A Powerful and Cost-Effective Tool Protecting Americans Against Dis...
Vaccines: A Powerful and Cost-Effective Tool Protecting Americans Against Dis...PhRMA
 

Recently uploaded (20)

DIGITAL RADIOGRAPHY-SABBU KHATOON .pptx
DIGITAL RADIOGRAPHY-SABBU KHATOON .pptxDIGITAL RADIOGRAPHY-SABBU KHATOON .pptx
DIGITAL RADIOGRAPHY-SABBU KHATOON .pptx
 
The Orbit & its contents by Dr. Rabia I. Gandapore.pptx
The Orbit & its contents by Dr. Rabia I. Gandapore.pptxThe Orbit & its contents by Dr. Rabia I. Gandapore.pptx
The Orbit & its contents by Dr. Rabia I. Gandapore.pptx
 
TEST BANK for The Nursing Assistant Acute, Subacute, and Long-Term Care, 6th ...
TEST BANK for The Nursing Assistant Acute, Subacute, and Long-Term Care, 6th ...TEST BANK for The Nursing Assistant Acute, Subacute, and Long-Term Care, 6th ...
TEST BANK for The Nursing Assistant Acute, Subacute, and Long-Term Care, 6th ...
 
Video capsule endoscopy (VCE ) in children
Video capsule endoscopy (VCE ) in childrenVideo capsule endoscopy (VCE ) in children
Video capsule endoscopy (VCE ) in children
 
Dermatome and myotome test & pathology.pdf
Dermatome and myotome test & pathology.pdfDermatome and myotome test & pathology.pdf
Dermatome and myotome test & pathology.pdf
 
DR. Neha Mehta Best Psychologist.in India
DR. Neha Mehta Best Psychologist.in IndiaDR. Neha Mehta Best Psychologist.in India
DR. Neha Mehta Best Psychologist.in India
 
Overview on the Automatic pill identifier
Overview on the Automatic pill identifierOverview on the Automatic pill identifier
Overview on the Automatic pill identifier
 
Muscle Energy Technique (MET) with variant and techniques.
Muscle Energy Technique (MET) with variant and techniques.Muscle Energy Technique (MET) with variant and techniques.
Muscle Energy Technique (MET) with variant and techniques.
 
CT scan of penetrating abdominopelvic trauma
CT scan of penetrating abdominopelvic traumaCT scan of penetrating abdominopelvic trauma
CT scan of penetrating abdominopelvic trauma
 
Introducing VarSeq Dx as a Medical Device in the European Union
Introducing VarSeq Dx as a Medical Device in the European UnionIntroducing VarSeq Dx as a Medical Device in the European Union
Introducing VarSeq Dx as a Medical Device in the European Union
 
5Cladba ADBB 5cladba buy 6cl adbb powder 5cl ADBB precursor materials
5Cladba ADBB 5cladba buy 6cl adbb powder 5cl ADBB precursor materials5Cladba ADBB 5cladba buy 6cl adbb powder 5cl ADBB precursor materials
5Cladba ADBB 5cladba buy 6cl adbb powder 5cl ADBB precursor materials
 
Cas 28578-16-7 PMK ethyl glycidate ( new PMK powder) best suppler
Cas 28578-16-7 PMK ethyl glycidate ( new PMK powder) best supplerCas 28578-16-7 PMK ethyl glycidate ( new PMK powder) best suppler
Cas 28578-16-7 PMK ethyl glycidate ( new PMK powder) best suppler
 
Cardiovascular Physiology - Regulation of Cardiac Pumping
Cardiovascular Physiology - Regulation of Cardiac PumpingCardiovascular Physiology - Regulation of Cardiac Pumping
Cardiovascular Physiology - Regulation of Cardiac Pumping
 
THORACOTOMY . SURGICAL PERSPECTIVES VOL 1
THORACOTOMY . SURGICAL PERSPECTIVES VOL 1THORACOTOMY . SURGICAL PERSPECTIVES VOL 1
THORACOTOMY . SURGICAL PERSPECTIVES VOL 1
 
CAS 110-63-4 BDO Liquid 1,4-Butanediol 1 4 BDO Warehouse Supply For Excellent...
CAS 110-63-4 BDO Liquid 1,4-Butanediol 1 4 BDO Warehouse Supply For Excellent...CAS 110-63-4 BDO Liquid 1,4-Butanediol 1 4 BDO Warehouse Supply For Excellent...
CAS 110-63-4 BDO Liquid 1,4-Butanediol 1 4 BDO Warehouse Supply For Excellent...
 
Case presentation on Antibody screening- how to solve 3 cell and 11 cell panel?
Case presentation on Antibody screening- how to solve 3 cell and 11 cell panel?Case presentation on Antibody screening- how to solve 3 cell and 11 cell panel?
Case presentation on Antibody screening- how to solve 3 cell and 11 cell panel?
 
5cladba raw material 5CL-ADB-A precursor raw
5cladba raw material 5CL-ADB-A precursor raw5cladba raw material 5CL-ADB-A precursor raw
5cladba raw material 5CL-ADB-A precursor raw
 
TEST BANK For Timby's Introductory Medical-Surgical Nursing, 13th Edition by ...
TEST BANK For Timby's Introductory Medical-Surgical Nursing, 13th Edition by ...TEST BANK For Timby's Introductory Medical-Surgical Nursing, 13th Edition by ...
TEST BANK For Timby's Introductory Medical-Surgical Nursing, 13th Edition by ...
 
Creating Accessible Public Health Communications
Creating Accessible Public Health CommunicationsCreating Accessible Public Health Communications
Creating Accessible Public Health Communications
 
Vaccines: A Powerful and Cost-Effective Tool Protecting Americans Against Dis...
Vaccines: A Powerful and Cost-Effective Tool Protecting Americans Against Dis...Vaccines: A Powerful and Cost-Effective Tool Protecting Americans Against Dis...
Vaccines: A Powerful and Cost-Effective Tool Protecting Americans Against Dis...
 

How to Build an Indivo X Personal Health App

  • 1. How to build an Indivo X Personal Health App Ben Adida Indivo X Users Meeting 15 April 2010
  • 3. Four Steps 1. Scope and framing of your app 2. Authentication and Authorization 3. REST API calls 4. UI widgets
  • 4. Basic Terminology • Account • Record • PHA / User App • Admin App • (Chrome App)
  • 5. 1. Scope Screen Real-Estate controlled by PHA
  • 7. Anatomy of a PHA • name • start URL “Problems” http://problems/auth/start • description • post-auth URL “track your problems” http://problems/auth/after • principal email • consumer key problems@apps.indivo.org 838xdnwk-sdf-werkj34 • data use agreement: • consumer secret what the app intends to do 23lnbls-235lnsdf-2343 with the data it reads from the record.
  • 9. Components Access Token Indivo Server PHA User's Browser
  • 10. OAuth Protocol consumer_token consumer_secret Indivo Server signed PHA (Data Service) HTTP+POX (Consumer) authentication HMAC-SHA1 RSA-SHA1 .... User's Browser
  • 11. With the first click...
  • 12. begin the auth process IFRAME directed to the PHA’s start URL with parameter record_id
  • 13. User's Indivo PHA Browser Server add GET request_token Connection Step (1) token REDIRECT authorize
  • 15. User's Indivo PHA Browser Server REDIRECT authorize Authorization Process Connection Step (2) post-add
  • 16. redirect to app IFRAME directed to the PHA’s post-auth URL which finishes the oAuth process
  • 17. User's Indivo PHA Browser Server post-add GET access_token Connection token Step (3)
  • 18. User's Indivo PHA Browser Server token GET data Interaction Phase data
  • 19. OAuth Request Authorization: OAuth realm="https://indivohealth.org/", oauth_consumer_key="0685bd9184jfhq22", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"
  • 20. The code must be awfully complicated ...
  • 21. def get_indivo_client(request, with_token=True): client = IndivoClient(CONSUMER_KEY, CONSUMER_SECRET, INDIVO_SERVER_LOCATION) if with_token: client.update_token(request.session['token']) return client
  • 22. def start_auth(request): client = get_indivo_client(request, with_token=False) # do we have a record_id? record_id = request.GET.get('record_id', None) # prepare request token parameters params = {‘record_id’: record_id} # request a request token request_token = parse_token_from_response( client.post_request_token(data=params)) # store the request token in the session request.session['token'] = request_token # redirect to the UI server return HttpResponseRedirect (settings.INDIVO_UI_SERVER_BASE + '/oauth/authorize? oauth_token=%s' % request_token['oauth_token'])
  • 23. def after_auth(request): # get the token and verifier from the URL parameters # retrieve request token stored in the session client = get_indivo_client(...) # exchange request token for access token access_token = parse_token_from_response (client.post_access_token(data={'oauth_verifier' : oauth_verifier})) # store stuff in the session request.session['access_token'] = access_token # get record ID that came back with token request.session['record_id'] = access_token['xoauth_indivo_record_id'] # go to list of problems return HttpResponseRedirect(reverse(problem_list))
  • 24. 3. REST API Calls
  • 25. get data, e.g. problem list
  • 26. web platform model Access Token Indivo Server PHA User's Browser
  • 27. def problem_list(request): client = get_indivo_client(request) record_id = request.session['record_id'] # get record information record_xml = client.read_record(record_id = record_id) # get problem list from most recent to oldest problems_xml = client.read_problems(record_id = record_id, parameters={'order_by': '-date_onset'})
  • 28. def new_problem(request): # get the variables and create a problem XML params = ... problem_xml = render_raw('problem', params, type='xml') # add the problem client = get_indivo_client(request) client.post_document(record_id = request.session ['record_id'], data=problem_xml) # add a notification client.record_notify(record_id = request.session ['record_id'], data={'content':'a new problem has been added to your problem list'}) return HttpResponseRedirect(reverse(problem_list))
  • 29. Other API calls • get reports on labs, medications, allergies, immunizations, etc. • get basic record information • add documents, version them, etc. • store application-specific data not visible to other apps (bookkeeping)
  • 30. What about sharing? • Carenets: a space for sharing, including documents, apps, and people • An app can be started with a carenet_id instead of a record_id. • The same API calls are available with a carenet_id, but may see only a subset of the data.
  • 33. Auto-Complete def code_lookup(request): client = get_indivo_client(request) query = request.GET['query'] # reformat this for the jQuery autocompleter codes = simplejson.loads( client.lookup_code( coding_system='umls-snomed', parameters= {'q' : query})) formatted_codes = {'query': query, 'suggestions': [c ['full_value'] for c in codes], 'data': codes} return HttpResponse(simplejson.dumps (formatted_codes), mimetype="text/plain")
  • 34. Auto-Complete <script src="jquery.js"></script> <script src="jquery-ui.js"></script> <script src="jquery.autocomplete.js"></script> <script> $('#problem_fullname').autocomplete({ serviceUrl: 'codelookup', minChars: 2, onSelect: function(value, data) { $('#problem_code').val(data.code); } }); </script>
  • 35. Sharing & Audit def one_problem(request, problem_id): ... surl_credentials = client.get_surl_credentials() ...
  • 36. Sharing & Audit <script src="{{SERVER_BASE}}/lib/widgets.js"></script> <script> Indivo.setup('{{INDIVO_UI_SERVER_BASE}}'); </script> <script> Indivo.Auth.setToken("{{token}}","{{secret}}"); Indivo.Widget.DocumentAccess.add('{{record_id}}', '{{problem_id}}'); </script>
  • 38. Background Apps - most apps don’t need access beyond the user session - we tie the oAuth token to the web session ... unless the user authorizes more
  • 39. Summary - your app is activated for each record - do the oAuth dance, get an access token - write to the input of the data pipeline, read from the end of the data pipeline, all simple REST+oAuth calls - use built-in widgets to get advanced functionality