Connectivity
Client systems will be required to connect to the ONE Access Gateway in order to access provincial FHIR-based interfaces, including the OLIS FHIR APIs. The Gateway will authorize Point of Service (PoS) applications to access the provincial OLIS repository to search and retrieve lab records. Connectivity to the Ontario OLIS FHIR service through the Gateway requires consumer implementation of a ONE ID Public Key Infrastructure (PKI) certificate and the OAuth2/OpenID Connect authorization and authentication protocols.
To support connectivity to the ONE Access Gateway, please refer to the documentation below:
ONE Access Gateway Transport Specification Download Link
ONE ID OpenID Connect Specification Download Link
Token requirements and specs:
Please note that the base standards make many claims/parameters optional to achieve the best interoperability and cover broader use cases. However, Ontario Health will make most registered claims/parameters mandatory and validate them to enhance security.
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
https://openid.net/specs/openid-heart-oauth2-1_0.html#JWTBearerTokens
Table: JWT Query Data
Data Element | Definition | Type | Optionality | Length | Example |
---|---|---|---|---|---|
version | Version of the introspection response | ST | Mandatory | 1..10 | 1.0 |
uao | The identifier of individual or organization | ST | Mandatory | 1..20 | UPI123456 |
uaoType | Individual or Organization | ST | Mandatory | 1..20 | org or person |
uaoName | The name of the UAO (Under Authority Of) | ST | Mandatory | 1..75 | John Smith or North York General |
given_name | First name of the person on a keyboard | ST | Mandatory | 1..30 | John |
family_name | Last name of the person on a keyboard | ST | Mandatory | 1..45 | Smith |
rid | License number- present if the user is a licensed provider otherwise it should be empty | ST | Optional | 1..20 | cpso:123 |
sub | The login ID of the user initiating the login request-person on a keyboard | ST | Mandatory | 1..50 | id-iqT8SOKInhlsCsNd-Cemqk—Hjo- |
idp | Identity provider; work with eHealth Ontario to assign the IDP | ST | Mandatory | 1..50 | 2.16.840.1.113883.3.239.23.99999 |
obo | License of the HIC working on behalf of | ST | Optional | 1..20 | cpso:456 |
aud | Identifier of the user. Should represent the same value as the one present in the FHIR query string (url of the Provider Gateway) | ST | Mandatory | 1..255 | https://onegateway.ehealthontario.ca |
scope | SMART on FHIR scopes. For COVID query, use space delimited value that includes "filter/covid-19" | ST | Mandatory | 1..1024 | user/Observation.read For COVID query, it can be "user/Observation.read filter/covid-19" |
profile | Identifies the specific EHR asset the request is directed. | ST | Mandatory | 1..1024 | http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport |
iss | Issuer, ONE ID or token signer | ST | Mandatory | 1..256 | https://federationbroker.ehealthontario.ca/fed/oidc |
jti | Unique Token ID- will be generated by issuer | ST | Mandatory | 1..40 | 2402f87c-b6ce-45c4-95b0-7a3f2904997f |
exp | Token expiration time (Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.) | NM | Mandatory | 1..20 | 1444147166 |
azp | The name of the application used for the access | ST | Mandatory | 1..50 | https://olisviewlet.ehealthontario.ca |
iat | Issued time (Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.) | NM | Mandatory | 1..20 | 1444143566 |
cntx_ssn | Context session ID | ST | Optional | 1..20 | 5443234343243432 |
active | Status of the token | Boolean | Mandatory | | true |
location | Location of the EMR | ST | Optional | 1..20 | |
Samples:
Introspection response: Note that the response body is a JSON object with flat parameters describing the token. The ID Token can also be embedded inside the JSON object using the "id_token" parameter.
```
HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": true,
  "iss": "https://federationbroker.ehealthontario.ca/fed/oidc",
  "aud": "https://provider.ehealthontario.ca",
  "azp": "https://olisviewlet.ehealthontario.ca",
  "sub": "id-iqT8SOKInhlsCsNd-Cemqk—Hjo-",
  "scope": "user/Observation.read filter/COVID19",
  "iat": 1444143566,
  "exp": 1444147166,
  "jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
  "token_type": "bearer",
  "client_id": "https://olisviewlet.ehealthontario.ca",
  "uao": "2.16.840.1.113883.3.239.9:1234567890123",
  "uaoType": "org",
  "uaoName": "North York General",
  "given_name": "John",
  "family_name": "Smith",
  "rid": "2.16.840.1.113883.4.347:123",
  "email": "john.smith@northyorkgeneral.ca",
  "idp": "2.16.840.1.113883.3.239.23.99999",
  "obo": "2.16.840.1.113883.4.347:456",
  "profile": "http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport",
  "version": "1.0",
  "cntx_ssn": "5443234343243432"
}
```
Inactive token response: An inactive token response contains only the "active" parameter, set to false, as follows:
```
HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": false
}
```
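A consumer-side check of an introspection response against the mandatory claims and lengths in the JWT Query Data table, as an added example that is not Ontario Health's code. The function name, the `skew` allowance and the exact-match comparison of `iss` and `aud` are assumptions; the sample is constructed from the table's example column.

```python
import time

# Mandatory string (ST) claims and maximum lengths, from the "JWT Query Data" table.
MANDATORY_ST = {
    "version": 10, "uao": 20, "uaoType": 20, "uaoName": 75, "given_name": 30,
    "family_name": 45, "sub": 50, "idp": 50, "aud": 255, "scope": 1024,
    "profile": 1024, "iss": 256, "jti": 40, "azp": 50,
}

def validate_introspection(resp, expected_iss, expected_aud, required_scope,
                           now=None, skew=60):
    """Return a list of problems; an empty list means the response is acceptable."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:  # inactive responses carry only active=false
        return ["token is not active"]
    problems = []
    for claim, max_len in MANDATORY_ST.items():
        value = resp.get(claim)
        if not isinstance(value, str) or not value:
            problems.append(f"mandatory claim missing or not a string: {claim}")
        elif len(value) > max_len:
            problems.append(f"{claim} longer than {max_len} characters")
    for claim in ("exp", "iat"):  # NM type: JSON numbers, seconds since the epoch
        value = resp.get(claim)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"mandatory claim missing or not a number: {claim}")
    if problems:
        return problems
    if resp["exp"] <= now - skew:
        problems.append("token expired")
    if resp["iss"] != expected_iss:
        problems.append("unexpected issuer")
    if resp["aud"] != expected_aud:
        problems.append("audience mismatch")
    if required_scope not in resp["scope"].split():  # scopes are space-delimited
        problems.append(f"scope {required_scope} not granted")
    return problems

# Constructed sample built from the table's example column (not a real token).
SAMPLE = {
    "active": True, "version": "1.0", "uao": "UPI123456", "uaoType": "org",
    "uaoName": "North York General", "given_name": "John", "family_name": "Smith",
    "sub": "constructed-login-id", "idp": "2.16.840.1.113883.3.239.23.99999",
    "aud": "https://onegateway.ehealthontario.ca", "iat": 1444143566, "exp": 1444147166,
    "scope": "user/Observation.read filter/covid-19", "jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
    "profile": "http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport",
    "iss": "https://federationbroker.ehealthontario.ca/fed/oidc",
    "azp": "https://olisviewlet.ehealthontario.ca",
}
```

The sample response on this page carries an OID-qualified `uao` value longer than the table's stated 1..20, so confirm the enforced lengths before rejecting on them.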