EHR Connectivity to Ontario eHealth resources.
OSCAR conforms to the eHealth OAUTH 2.0 Integration Specification. This allows Health Care Providers with OneID credentials to:
Use Single Sign On (SSO) to OSCAR (log in to OSCAR using their OneID login).
Access and submit EHR resources such as DHIR and DHDR.
In order to use this functionality, the clinic will need to engage with eHealth and/or their OSP to get access. Some information will be required in order to configure OSCAR.
Installation
The HCP contacts eHealth and provides the information required to have a client profile created.
Generate a key pair, and provide eHealth with the public key so they can validate the JWTs that OSCAR signs.
Update the properties file. Example values are shown below (you will have to set your own).
#OAUTH2 / OneID settings
oneid.enabled=true
oneid.oauth2.enabled=true
oneid.oauth2.authorizeUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/authorize
oneid.oauth2.callbackUrl=https://test.oscar.org/oscar/eho/callback.jsp
oneid.oauth2.clientId=OSCAR_EMR_PST_TEST1
oneid.oauth2.tokenUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/access_token
oneid.oauth2.audUrl=https://login.pst.oneidfederation.ehealthontario.ca/sso/oauth2/realms/root/realms/idaaspstoidc/access_token
oneid.oauth2.audUrl1=https://provider.ehealthOntario.ca
oneid.enabled and oneid.oauth2.enabled turn on the OneID/OAUTH2 workflows. You will need to set the authorize and token URLs, and provide a callback URL to eHealth when they set up your client profile. The callback URL must be publicly accessible and must point to /eho/callback.jsp under your OSCAR installation.
The clientId is provided by eHealth.
The audUrl values are the audience values used in the JWTs and are provided by eHealth.
oneid.oauth2.keystore=/var/lib/tomcat8/certs/oauth_pst.jks
oneid.oauth2.keystore.password=changeme
oneid.oauth2.keystore.alias=oscar pst
oneid.oauth2.verifyTokens=true
oneid.oauth2.certsUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/connect/jwk_uri
oneid.oauth2.logoutUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/logout
This keystore holds your key pair (the certificate whose public half you gave to eHealth); it is used to sign the JWTs sent on the back channel once callback.jsp has been called.
When verifyTokens is enabled, the signature of every JWT received is checked against the public keys published at certsUrl.
#used to encrypt parameters for logging in
oneid.encryptionKey=0000000000000000
The encryption key is a 16 character hex string (0-9, A-F). It is used to sign the parameters that log you into OSCAR. Choose your own value (do not use the example above) and do not share it.
#gateway settings
oneid.consumerKey=<provided_by_ehealth>
oneid.consumerSecret=<provided_by_ehealth>
oneid.gateway.url=https://provider.pst.ehealthontario.ca/api2/fhir/Immunization
oneid.gateway.keystore=/var/lib/tomcat8/certs/pst.jks
oneid.gateway.keystore.password=changeme
oneid.gateway.dhir.submissionUrl=https://provider.pst.ehealthontario.ca/api2/fhir/$process-message
These are the OAuth consumer key/secret values and the keystore used to access the provider gateway (the provider gateway is the "HIAL", the gateway to the EHR resources).
#enable DHIR
dhir.enabled=true
#enable CVC
cvc.url=https://cvc.canimmunize.ca/v3
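As an added example (not OSCAR's own code), the following Python script parses a properties file in the format above and flags the settings that most often go wrong: verifyTokens left off, a callback URL that does not end in /eho/callback.jsp, an encryptionKey that is not 16 hex characters, and passwords, secrets or keys still holding the documentation placeholder values. The sample properties embedded in it are constructed, the function names are hypothetical, and treating any non-https URL as a finding is an added assumption.

```python
import re

# Constructed sample in the format of the properties above; the values are
# deliberately the example/placeholder ones so the check has something to flag.
SAMPLE_PROPERTIES = """\
#OAUTH2 / OneID settings
oneid.enabled=true
oneid.oauth2.enabled=true
oneid.oauth2.authorizeUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/authorize
oneid.oauth2.callbackUrl=http://test.oscar.org/oscar/eho/callback.jsp
oneid.oauth2.keystore.password=changeme
oneid.oauth2.verifyTokens=false
oneid.encryptionKey=0000000000000000
oneid.consumerSecret=<provided_by_ehealth>
"""

# Values that appear in the documentation example and must never reach production.
PLACEHOLDERS = {"changeme", "<provided_by_ehealth>", "0000000000000000"}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_oneid_config(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if props.get("oneid.oauth2.enabled") == "true":
        if props.get("oneid.oauth2.verifyTokens") != "true":
            findings.append("oneid.oauth2.verifyTokens must be true so JWT signatures are checked")
        for key, value in props.items():  # covers *Url, *Url1 and *.url keys
            if key.lower().rstrip("0123456789").endswith("url") and not value.startswith("https://"):
                findings.append(f"{key} is not https")
        if not props.get("oneid.oauth2.callbackUrl", "").endswith("/eho/callback.jsp"):
            findings.append("oneid.oauth2.callbackUrl must point at /eho/callback.jsp")
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", props.get("oneid.encryptionKey", "")):
        findings.append("oneid.encryptionKey must be a 16 character hex string")
    for key, value in props.items():
        if any(w in key.lower() for w in ("password", "secret", "encryptionkey")) and value in PLACEHOLDERS:
            findings.append(f"{key} still holds the documentation placeholder value")
    return findings
```

Run `check_oneid_config(parse_properties(open(path).read()))` against your real oscar.properties; the sample above produces five findings.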
Certificates
Create a key pair (for JWT signing).
Convert the keystore to a P12 file, then extract the public certificate to provide to eHealth:
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem