EHR Connectivity to Ontario eHealth resources.

OSCAR conforms to the eHealth OAUTH 2.0 Integration Specification. This allows Health Care Providers with OneID credentials to

  1. Use Single Sign-On (SSO) to OSCAR (log in to OSCAR with a OneID login).

  2. Access and submit EHR resources such as DHIR and DHDR.

In order to use this functionality, the clinic will need to engage with eHealth and/or their OSP to get access. Some information will be required in order to configure OSCAR.

Installation

  1. HCP contacts eHealth and provides information required to have a client profile created.

  2. Generate a key pair and provide eHealth with the public key so they can validate the JWTs that OSCAR signs with it (see Certificates below).

  3. Update the properties file. Example data is shown below (you'll have to set your own values).

#OAUTH2 / OneID settings
oneid.enabled=true
oneid.oauth2.enabled=true
oneid.oauth2.authorizeUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/authorize

oneid.oauth2.callbackUrl=https://test.oscar.org/oscar/eho/callback.jsp
oneid.oauth2.clientId=OSCAR_EMR_PST_TEST1

oneid.oauth2.tokenUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/access_token

oneid.oauth2.audUrl=https://login.pst.oneidfederation.ehealthontario.ca/sso/oauth2/realms/root/realms/idaaspstoidc/access_token
oneid.oauth2.audUrl1=https://provider.ehealthOntario.ca

These enable the OneID/OAUTH2 workflows. You will need the authorize and token URLs, and you must give eHealth a callback URL when they set up your client profile. This URL needs to be publicly accessible; point it at /eho/callback.jsp under your OSCAR installation.

The clientId is provided by eHealth.

The audUrl values are the audiences (aud) used in the JWTs and are provided by eHealth.

oneid.oauth2.keystore=/var/lib/tomcat8/certs/oauth_pst.jks
oneid.oauth2.keystore.password=changeme
oneid.oauth2.keystore.alias=oscar pst
oneid.oauth2.verifyTokens=true

oneid.oauth2.certsUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/connect/jwk_uri
oneid.oauth2.logoutUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/logout

This keystore holds the key pair from the Installation steps. OSCAR uses it to sign the JWTs it sends on the back channel to the oauth2 endpoints once callback.jsp has been called.

When verifyTokens is enabled, OSCAR checks the signature of every JWT it receives against the public keys published at certsUrl (the jwk_uri).
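The two JWT roles described above, as an added, stand-alone example that is not OSCAR's own code: build_client_assertion() signs a JWT with the clinic's key pair (the key the keystore holds) and puts the configured audUrl in aud, and verify_jwt() does the kind of check verifyTokens is described as performing: look the token's kid up in a JWKS document (what certsUrl / jwk_uri serves), verify the RS256 signature, then check aud and exp. RSA is implemented inline so the file runs offline with a constructed key pair and JWKS; the key size, the kid "oscar-pst" and the claim set are assumptions, and a real deployment uses the keystore key with a proper JOSE library rather than this toy RSA.

```python
# Added example (not OSCAR code): JWT signing and JWKS-based verification as used
# by the OneID settings above. RSA is implemented inline only so the file runs
# offline; 1024-bit keys are for the demo, not for production.
import base64, hashlib, hmac, json, secrets, time

def _probable_prime(n, rounds=16):  # Miller-Rabin
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def generate_rsa_keypair(bits=1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _i2b(i): return i.to_bytes((i.bit_length() + 7) // 8, "big")
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):  # RFC 8017 EMSA-PKCS1-v1_5 encoding for SHA-256
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def public_jwks(key, kid):  # the document a jwk_uri such as certsUrl publishes
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64url(_i2b(key["n"])), "e": b64url(_i2b(key["e"]))}]}

def make_jwt(key, kid, claims):
    seg = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + seg(claims)
    return signing_input + "." + b64url(rs256_sign(key, signing_input.encode()))

def build_client_assertion(key, kid, client_id, aud_url, now=None, ttl=300):
    # Signed with the clinic's private key; aud is the configured audUrl (assumed claim set).
    now = int(time.time()) if now is None else now
    return make_jwt(key, kid, {"iss": client_id, "sub": client_id, "aud": aud_url,
                               "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)})

def verify_jwt(token, jwks, expected_auds, now=None):
    """Return the claims if the token is acceptable, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # fixed allow-list: the token never chooses the algorithm
        raise ValueError("unsupported alg %r" % header.get("alg"))
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no RSA key with kid %r in JWKS" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, (h + "." + p).encode(), b64url_decode(s)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    if not ((set(aud) if isinstance(aud, list) else {aud}) & set(expected_auds)):
        raise ValueError("aud %r not accepted" % (aud,))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp or now < claims.get("nbf", now):
        raise ValueError("token expired, not yet valid, or missing exp")
    return claims

if __name__ == "__main__":
    key = generate_rsa_keypair()
    aud = "https://login.pst.oneidfederation.ehealthontario.ca/sso/oauth2/realms/root/realms/idaaspstoidc/access_token"
    token = build_client_assertion(key, "oscar-pst", "OSCAR_EMR_PST_TEST1", aud)
    print(verify_jwt(token, public_jwks(key, "oscar-pst"), {aud}))
```

The order of checks is the point: the algorithm is a fixed allow-list rather than whatever the token's header says, the key is selected by kid from the JWKS (never from key material carried in the token), the signature is verified before any claim is trusted, and only then are aud and exp evaluated. A token signed with a different key, carrying an unexpected aud, or past its exp is rejected with a ValueError rather than partially accepted.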

#used to encrypt parameters for logging in
oneid.encryptionKey=0000000000000000

The encryption key is a 16-character hex string (0-9, A-F). It is used to sign the parameters that log you into OSCAR. Choose your own value (a randomly generated one, not the example shown) and do not share it.

#gateway settings
oneid.consumerKey=<provided_by_ehealth>
oneid.consumerSecret=<provided_by_ehealth>
oneid.gateway.url=https://provider.pst.ehealthontario.ca/api2/fhir/Immunization
oneid.gateway.keystore=/var/lib/tomcat8/certs/pst.jks
oneid.gateway.keystore.password=changeme

oneid.gateway.dhir.submissionUrl=https://provider.pst.ehealthontario.ca/api2/fhir/$process-message

These are the oauth consumer key / secret values and the keystore for accessing the provider gateway (the provider gateway is the "HIAL", the gateway to the EHR resources).

#enable DHIR
dhir.enabled=true

#enable CVC
cvc.url=https://cvc.canimmunize.ca/v3

Certificates

Create a key pair (for JWT signing).

Convert it to a P12 file, then extract the certificate:

openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem