Skip to content

SMART on FHIR Token Introspection Endpoint #5257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mikaelweave wants to merge 39 commits into
base: main
Choose a base branch
from
Open

SMART on FHIR Token Introspection Endpoint #5257

mikaelweave wants to merge 39 commits into from

Conversation

@mikaelweave
Copy link
Contributor

@mikaelweave mikaelweave commented Dec 3, 2025
edited by azure-boards bot
Loading

Description

Implements RFC 7662 token introspection endpoint at /connect/introspect for SMART on FHIR server with swapple support for the introspection endpoint for alternate SMART configurations.

Key Features:

  • RFC 7662 compliant introspection endpoint supporting both OpenIddict (development) and external IdP tokens
  • Service abstraction pattern (ITokenIntrospectionService) enabling alternate authentication patterns
  • SMART on FHIR v1/v2 claim support (patient, fhirUser, raw_scope)
  • Bearer token authentication required via [Authorize] attribute
  • Integrated with existing audit logging infrastructure
  • Handles issuer variations (with/without trailing slash) for OpenIddict compatibility

Related issues

Addresses AB#174822

Testing

  • Unit Tests (12 tests - all passing):
  • Manual Testing

Test Coverage:

  • Controller layer: Parameter validation, HTTP status codes
  • Service layer: Token parsing, validation, claim extraction
  • Integration: Audit logging, authentication filters

FHIR Team Checklist

  • Update the title of the PR to be succinct and less than 65 characters
  • Add a milestone to the PR for the sprint that it is merged (i.e. add S47)
  • Tag the PR with the type of update: Bug, Build, Dependencies, Enhancement, New-Feature or Documentation
  • Tag the PR with Open source, Azure API for FHIR (CosmosDB or common code) or Azure Healthcare APIs (SQL or common code) to specify where this change is intended to be released.
  • Tag the PR with Schema Version backward compatible or Schema Version backward incompatible or Schema Version unchanged if this adds or updates Sql script which is/is not backward compatible with the code.
  • When changing or adding behavior, if your code modifies the system design or changes design assumptions, please create and include an ADR.
  • CI is green before merge Build Status
  • Review squash-merge requirements

Semver Change (docs)

Patch|Skip|Feature|Breaking (reason)

@mikaelweave mikaelweave changed the title Personal/mikaelw/smart token introspection endpoint SMART on FHIR Token Introspection Endpoint Dec 3, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 3, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 5, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 6, 2025
View reviewed changes
@mikaelweave
Refactor token introspection service and tests
2d77cc8 
Updated `DefaultTokenIntrospectionService` to use `IHttpClientFactory` for managing `HttpClient` instances and initialized a shared `ConfigurationManager` for OpenID Connect configurations. Removed inline `ConfigurationManager` instantiation in token validation logic for consistency.

Enhanced `TokenIntrospectionControllerTests` by mocking `IHttpClientFactory` with `NSubstitute` to support the updated service constructor. Refactored `TokenIntrospectionTests` to improve handling of unauthenticated requests, added skipping logic for in-process test servers, and leveraged existing test infrastructure.

Removed `[Consumes]` attribute from `TokenIntrospectionController` to simplify content type handling. Replaced synchronous calls with asynchronous token validation to align with best practices. Added logging and validation for `httpClientFactory` dependency. Updated namespaces across files to support new functionality.
@mikaelweave
Remove test for unsupported content type in introspection
f977da1 
The test `GivenContentTypeNotFormEncoded_WhenIntrospecting_ThenReturnsUnsupportedMediaType` was removed from `TokenIntrospectionTests.cs`.

This test validated that the introspection endpoint returned `UnsupportedMediaType` when the content type was not `application/x-www-form-urlencoded` (per RFC 7662). Its removal suggests that this behavior is no longer relevant or required in the codebase.

Other tests, such as `GivenMultipleValidTokens_WhenIntrospecting_ThenEachReturnsCorrectClaims`, remain unchanged.
@mikaelweave mikaelweave marked this pull request as ready for review December 8, 2025 17:25
@mikaelweave mikaelweave requested a review from a team as a code owner December 8, 2025 17:25
@mikaelweave
Refactor validation logic and update introspection auth
0b6cd2b 
Refactored `ValidateFormatParametersAttribute` to improve modularity by introducing `ShouldIgnoreValidation` for skipping validation on specific paths (e.g., `/CustomError`). Enhanced `Content-Type` validation for `POST`, `PUT`, and `PATCH` requests with better error handling for unsupported or missing headers.

Updated `TokenIntrospectionController` to remove the `[Authorize]` attribute, allowing unauthenticated access to `/connect/introspect`. Added `[Consumes("application/x-www-form-urlencoded")]` to specify the expected content type.

Removed a skipped test case and related code in `TokenIntrospectionTests` that validated unauthorized access to the token introspection endpoint, aligning with the updated authentication behavior.
@mikaelweave mikaelweave force-pushed the personal/mikaelw/smart-token-introspection-endpoint branch from 6b7008b to 5b23a53 Compare December 9, 2025 13:16
@mikaelweave
Copy link
Contributor Author

mikaelweave commented Dec 9, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Dec 9, 2025

Azure Pipelines successfully started running 1 pipeline(s).

mikaelweave and others added 3 commits December 9, 2025 11:05
@mikaelweave
Refactor token request handling in Token Introspection tests for impr…
4931b4d 
…oved clarity and maintainability
@mikaelweave @github-advanced-security
Potential fix for code scanning alert no. 2964: Missing Dispose call …
5e497a5 
…on local IDisposable

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mikaelweave
Refactor JSON access in TokenIntrospectionTests
a6c28ed 
Switch to TryGetValue for safer JSON field access in TokenIntrospectionTests, replacing ContainsKey/indexer usage. Also remove the unused _testFhirClient field for code clarity.
@mikaelweave mikaelweave added Azure API for FHIR Label denotes that the issue or PR is relevant to the Azure API for FHIR Azure Healthcare APIs Label denotes that the issue or PR is relevant to the FHIR service in the Azure Healthcare APIs labels Dec 9, 2025
mikaelweave
mikaelweave commented Dec 11, 2025
View reviewed changes
build/jobs/e2e-tests.yml
'app_globalReaderUserApp_secret': $(app_globalReaderUserApp_secret)
'app_globalWriterUserApp_id': $(app_globalWriterUserApp_id)
'app_globalWriterUserApp_secret': $(app_globalWriterUserApp_secret)
'app_smartUserClient_id': $(app_smartUserClient_id)
Copy link
Contributor Author

@mikaelweave mikaelweave Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needed for E2E tests that use SMART client

mikaelweave
mikaelweave commented Dec 11, 2025
View reviewed changes
build/jobs/provision-deploy.yml
serviceName = $webAppName
keyVaultName = "${{ parameters.keyVaultName }}".ToLower()
securityAuthenticationAuthority = "https://login.microsoftonline.com/$(tenant-id)"
securityAuthenticationAuthority = "https://sts.windows.net/$(tenant-id-guid)"
Copy link
Contributor Author

@mikaelweave mikaelweave Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our test env has been using an invalid authority for ... not sure how long. I reuse the authority in the OSS service to check the token so I had to fix the authority.

mikaelweave
mikaelweave commented Dec 11, 2025
View reviewed changes
src/Microsoft.Health.Fhir.Api/Features/Security/DefaultTokenIntrospectionService.cs
/// Default implementation of token introspection for OSS (single authority/audience).
/// PaaS can extend this class and override ValidateToken() to support multiple authorities.
/// </summary>
public class DefaultTokenIntrospectionService : ITokenIntrospectionService
Copy link
Contributor Author

@mikaelweave mikaelweave Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note - this service can be overriden downstream for token validation

mikaelweave and others added 5 commits December 22, 2025 21:54
@mikaelweave
Refactor token introspection to be fully async
edc90bb 
Converted all token introspection logic, endpoints, and tests to use async/await patterns. Updated ITokenIntrospectionService and DefaultTokenIntrospectionService to provide asynchronous methods. The controller endpoint now supports CancellationToken and awaits the introspection service. Replaced blocking OpenID Connect configuration retrieval with async calls. Updated all related unit tests to be asynchronous. These changes improve scalability and follow best practices for I/O-bound operations in ASP.NET Core.
@mikaelweave
Refactor token introspection endpoint to remove unused cancellation t…
5cf5776 
…oken parameter
@mikaelweave
Merge branch 'main' into personal/mikaelw/smart-token-introspection-e…
7ae0d86 
…ndpoint
@mikaelweave
Refactor token introspection tests; add test configs
63c00b8 
Refactored TokenIntrospectionControllerTests to use a mocked ITokenIntrospectionService, removing direct JWT creation and cryptographic logic for simpler, more focused tests. Added a test to verify service invocation. Removed unused helpers and IDisposable. Updated .NET SDK version to 9.0.308. Added .runsettings and launchSettings.json files with environment variables for E2E and integration test configuration.
@mikaelweave
Merge branch 'personal/mikaelw/smart-token-introspection-endpoint' of h…
28cc5cc 
…ttps://github.com/microsoft/fhir-server into personal/mikaelw/smart-token-introspection-endpoint
@mikaelweave
Copy link
Contributor Author

mikaelweave commented Dec 28, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Dec 28, 2025

Azure Pipelines successfully started running 1 pipeline(s).

mikaelweave and others added 3 commits January 4, 2026 20:53
@mikaelweave
Remove token expiration check from introspection service; update test…
654340c 
… to include authorization header
@mikaelweave
Add default scope claim names and configure OIDC HttpClient for token…
7fef30c 
… introspection
@mikaelweave
Refactor pipeline: remove keyVault param, update AAD URL
ac32d0d 
- Remove keyVaultName parameter and related logic from provision-deploy.yml.
- Update Azure AD authority URL to use login.microsoftonline.com.
- Add logic to restore Key Vaults in removed state before provisioning.
- Eliminate retry helper usage for Cosmos DB and NSP steps; use direct cmdlets.
- Remove inclusion of provision-healthcheck.yml template.
- Clean up comment in DevelopmentIdentityProviderRegistrationExtensions.cs.
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 9, 2026
View reviewed changes
mikaelweave and others added 2 commits January 9, 2026 12:46
@mikaelweave @github-advanced-security
Potential fix for code scanning alert no. 3128: Missed 'using' opport…
5f4d87a 
…unity

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mikaelweave
fix: update security authentication authority and enhance token intro…
6f942ad 
…spection tests with detailed assertions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Azure API for FHIR Label denotes that the issue or PR is relevant to the Azure API for FHIR Azure Healthcare APIs Label denotes that the issue or PR is relevant to the FHIR service in the Azure Healthcare APIs Enhancement Enhancement on existing functionality.

Projects

None yet

Milestone

FY26\Q2\2Wk\2Wk12

Development

Successfully merging this pull request may close these issues.

2 participants

@mikaelweave