BlueButton Plus - Pull Code Samples


OAuth2 Code Samples / Resources
//**From: Adam Goldstein (Mitre)**// Here's some information to respond to the request for OAuth2 code examples. A great place to start is []. It has libraries for Java, PHP, Ruby, and .NET on the server side, and PHP, Cocoa, iOS, Java, Python, Ruby, JavaScript, and .NET libraries on the client side.

A lot of the MITRE open source work is in Rails, which means we often use Devise ([]) and OmniAuth ([]). You can see us using an OmniAuth callback in an example implementation of RHEx here ([|https://github.com/project-rhex/patient-data-server/blob/master/app/controllers/authentications_controller.rb#L10]). You'll need to dive into those libraries for the specific token parsing, but it's a trivial amount of code to do.

You can see where we explicitly request an authorization token in objective-c for hReader here - [|https://github.com/projecthreader/hReader/blob/master/HReader/HRAPIClient.m#L349]. You'll notice that bit of code is assuming a bit about the route from which we're requesting the token, which I'm addressing out on my fork of the project, but the basic mechanic is there. Like I said, it's a very small bit of code to request and parse OAuth2 tokens. Please feel free to contact me or Justin Richer (jricher@mitre.org) with any questions.

//**From: Josh Mandel (SMART)**// On the SMART side we've prototyped a set of static Web apps using OAuth2 "implicit" grants to obtain tokens, and then using bearer tokens to request data from a granular, JSON-based API. Three quick examples to illustrate how the client-side works:

1. [|Requesting Tokens] To obtain tokens, the app redirects to an appropriate authorization server where a user authenticates herself, then authorizes the app to access a single medical record. (Note: TODO the app should also generate some random state, stored in the client, and verify that state is returned in step 2 below.)

2. [|Receiving Tokens] With an implicit grant, tokens come back embedded in a URL hash. This JavaScript code pulls out the access token and stores it in the client.

3. [|Using Tokens] An example of a Blood Pressure Graphing app embedding the token in a CORS AJAX request to fetch demographics for the patient record in context. (NOTE: TODO the app should embed its OAuth token in an Authorization header rather than a URL parameter.)
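Added example, not code from the SMART prototypes, from the MITRE projects Adam links above, or from this page: a minimal browser-side handler for the three implicit-grant steps Josh lists (request, receive, use), with the two TODOs closed, namely a random `state` value that is stored before the redirect and checked on return, and the bearer token sent in an `Authorization` header rather than a URL parameter. It also covers the "request and parse tokens" mechanic Adam describes, in JavaScript rather than Objective-C. All function names, the `memoryStore` helper and the endpoint/client values are assumptions made for this illustration; in a real page you would pass `window.sessionStorage` as the store and hand the returned request to `fetch`.

```javascript
// Added example (not from the original page). Assumed helper names throughout.
const STATE_KEY = 'oauth_state';
const TOKEN_KEY = 'oauth_access_token';

// Hex-encode cryptographically random bytes. A caller may inject its own
// getRandomValues-style source; with none available we refuse rather than
// fall back to a weak generator.
function randomHex(bytes, getRandomValues) {
  if (!getRandomValues) {
    const wc = globalThis.crypto;
    if (!wc || !wc.getRandomValues) throw new Error('no cryptographic random source');
    getRandomValues = wc.getRandomValues.bind(wc);
  }
  const buf = getRandomValues(new Uint8Array(bytes));
  return Array.from(buf, b => b.toString(16).padStart(2, '0')).join('');
}

// In-memory stand-in for window.sessionStorage (same getItem/setItem/removeItem API).
function memoryStore() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}

// Step 1: build the authorization-server redirect. The state is remembered in
// the client so the response can be tied back to this session.
function beginAuthorization(cfg, store, getRandomValues) {
  const state = randomHex(16, getRandomValues);
  store.setItem(STATE_KEY, state);
  const q = new URLSearchParams({
    response_type: 'token', // implicit grant: token comes back in the URL fragment
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: cfg.scope,
    state,
  });
  return `${cfg.authorizeEndpoint}?${q}`;
}

// Step 2: pull the token out of the fragment (window.location.hash in a browser).
// The fragment never reaches the server, which is why the token rides there.
function parseFragment(hash) {
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, '')));
}

function receiveToken(hash, store) {
  const p = parseFragment(hash);
  const expected = store.getItem(STATE_KEY);
  store.removeItem(STATE_KEY); // one-time use: a replayed response will not match
  if (!expected || p.state !== expected) {
    throw new Error('state mismatch: response is not for this client session');
  }
  if (p.error) throw new Error(`authorization failed: ${p.error}`);
  if (!p.access_token || (p.token_type || 'bearer').toLowerCase() !== 'bearer') {
    throw new Error('no bearer token in response');
  }
  store.setItem(TOKEN_KEY, p.access_token);
  return p.access_token;
}

// Step 3: describe the CORS request for the API, carrying the token only in the
// Authorization header (never as a query parameter, where it would land in logs
// and Referer headers). Returns {url, init} for fetch(url, init).
function apiRequest(baseUrl, path, store) {
  const token = store.getItem(TOKEN_KEY);
  if (!token) throw new Error('no access token; run the authorization flow first');
  return {
    url: new URL(path, baseUrl).toString(),
    init: {
      method: 'GET',
      mode: 'cors',
      headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
    },
  };
}
```

In a browser, step 1 is `window.location.assign(beginAuthorization(cfg, sessionStorage))`, step 2 runs on the redirect page as `receiveToken(window.location.hash, sessionStorage)`, and step 3 is `fetch(req.url, req.init)` on the object `apiRequest` returns. The store is injected rather than referenced as a global so the same code can be exercised outside a browser.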

//**From: Carlos Eberhardt 2013-01-29 (Apigee)**// One challenge with OAuth 2.0 is that it's not really a spec but sort of a framework. You still need to do the security work to make sure you've built a good OAuth solution. Here are a couple of recent blog posts I've read on the topic that I found useful, in a general sense. Some of this may be good to harvest into the documentation for the providers? The first is fairly generic, the second gets deeper into security considerations.
 * []
 * []

For the application developer side, I think you would be successful mimicking some of the other API content out there. Github's is pretty good, again: [] The trickier side will be explaining the dynamic client registration, but I think if the docs went at it the same way as non-dynamic, it would be fairly easy for a developer to follow. Github even has something a bit like dynamic client registration...could be worth following their lead on how they document that. It's pretty much a plain language "do this" guide.
