Home > Launching the IAR Visual App
This section describes the overall process and steps involved for a Client Application to launch the IAR Visual app.
NOTE: The client application must be pre-registered with IAR as a prerequisite prior to launching the IAR Visual App.
The overall sequence of launching the IAR Visual App is shown below. The use case starts immediately after the client application (such as an EMR or HIS) has a patient in context, and requests to view IAR assessments. Typically, there would be a link within the Client Application that would allow the user to launch the IAR Visual App.
Note that the numbers in the diagram correspond with the numbered steps below
From within the client application (i.e. EMR, HIS, portal), the user initiates a request to retrieve IAR assessment data for a patient.
The client application prepares and digitally signs each of two JWTs, one for authentication and the other for authorization. Refer to Authentication and Authorization Tokens for more details.
The user is already authenticated in the Client Application. A link will be exposed on the Client App to allow the user to launch the IAR Visual App. The Client Application has the option of embedding the IAR Visual App within iframe or launching it in a new browser window or tab.
The launch of the IAR Visual App is completed using secure HTTPS with the following mandatory URL parameters:
Parameter | Description |
---|---|
assertion | JWT authorization token generated by the Client Application. Details on how to generate the signed authorization JWT can be found here. |
client_assertion | JWT authentication token generated by the Client Application. Details on how to generate the signed authentication JWT can be found here. |
patient_hcn | 10-digit Ontario Health Card Number used for patient context |
Example of a launch request:
https://{visual app base url}?assertion={signed authorization JWT}&client_assertion{signed authentication JWT}&patient_hcn={patient HCN}
Once the IAR Visual App receives the launch request, it extracts the authentication and authorization JWTs from the request parameters and sends a request to the IAR Authorization Server to validate the tokens.
The IAR FHIR authorization will validate the authorization and authentication JWTs and mediate access accordingly. The IAR authorization server performs the following steps:
If there is an issue with any of the authentication or authorization steps, an appropriate error is displayed in the IAR Visual App.
If authentication and authorization is successful, the IAR Authorization Server creates the OAuth access and refresh tokens. The access token is managed by the IAR Visual App, and is presented to the IAR FHIR server for data requests.
For security reasons, the lifetime of the access token is short lived. As a result, when the access token expires, the refresh token is used by the IAR Visual App to renew the access token. Note that the renewal process is managed by the IAR Visual App, and is seamless to the Client Appilication.
The OAuth access and refresh tokens are returned to the IAR Visual App. These tokens are managed by the IAR Visual App and is used for subsequent requests to the IAR Data API.
The IAR Visual App is launched within the Client Application (either iframe or separate browser tab) is rendered in the browser. During the initital launch, an IAR Terms of Use is displayed and must be accepted before any clinical data is displayed.
Terms of use is accepted by the end user.
NOTE: If the terms of use is rejected, the IAR Visual App will not launch
Using the access token from Step 8, the Visual App sends a FHIR request to the IAR Data API to retrieve the patient's assessments. Only data from the past two years are returned.
IAR Data API validates the access token to ensure that it's valid and has not expired
A patient's IAR assessment data is returned and rendered in the IAR Visual App.
NOTE: If not all of patient's assessments can be displayed due to a consent directive, a warning message will be displayed
Powered by SIMPLIFIER.NET