{
"description": null,
"_filename": "StructureDefinition-TokenIntrospector.json",
"package_name": "io.health-samurai.core.r4",
"date": null,
"derivation": "specialization",
"publisher": null,
"fhirVersion": "4.0.1",
"name": "TokenIntrospector",
"abstract": false,
"type": "TokenIntrospector",
"experimental": null,
"resourceType": "StructureDefinition",
"title": null,
"package_version": "0.2601.0",
"status": "active",
"id": "c7797888-8055-4cb4-bf61-14febf349a88",
"kind": "resource",
"url": "http://health-samurai.io/fhir/core/StructureDefinition/TokenIntrospector",
"version": "0.2601.0",
"differential": {
"element": [ {
"id": "TokenIntrospector",
"max": "*",
"min": 0,
"path": "TokenIntrospector",
"constraint": [ {
"key": "cont-11",
"human": "When type equals 'jwt' resource.jwt must be present",
"severity": "error",
"expression": "(%resource.type = 'jwt') implies %resource.jwt.exists()"
}, {
"key": "cont-12",
"human": "When 'jwks_uri' present resource.jwt.iss must be present as well",
"severity": "error",
"expression": "%resource.jwks_uri.exists() implies %resource.jwt.iss.exists()"
} ]
}, {
"id": "TokenIntrospector.type",
"max": "1",
"min": 1,
"path": "TokenIntrospector.type",
"type": [ {
"code": "string"
} ],
"short": "Specifies the type of token to introspect.",
"constraint": [ {
"key": "enum-1007",
"human": "Type must be one of: opaque, jwt, aspxauth",
"severity": "error",
"expression": "%context.subsetOf('opaque' | 'jwt' | 'aspxauth')"
} ]
}, {
"id": "TokenIntrospector._source",
"max": "1",
"min": 0,
"path": "TokenIntrospector._source",
"type": [ {
"code": "string"
} ],
"short": "System Property. DO NOT USE IT."
}, {
"id": "TokenIntrospector.jwks_uri",
"max": "1",
"min": 0,
"path": "TokenIntrospector.jwks_uri",
"type": [ {
"code": "string"
} ],
"short": "A URL pointing to a JSON Web Key Set (JWKS). When type is jwt the introspector retrieves public keys from this URI to validate token signatures."
}, {
"id": "TokenIntrospector.jwt",
"max": "1",
"min": 0,
"path": "TokenIntrospector.jwt",
"type": [ {
"code": "BackboneElement"
} ],
"short": "Configuration for local JWT validation used when type is jwt.",
"constraint": [ {
"key": "cont-10",
"human": "Exactly one of jwt.secret or jwt.keys or jwks_uri with jwt.iss MUST be present",
"severity": "error",
"expression": "(%context.secret.exists() xor %context.keys.exists() xor (%context.iss.exists() and %resource.jwks_uri.exists())) and (%context.secret.exists() and %context.keys.exists() and %context.iss.exists() and %resource.jwks_uri.exists()).not()"
} ]
}, {
"id": "TokenIntrospector.jwt.iss",
"max": "1",
"min": 0,
"path": "TokenIntrospector.jwt.iss",
"type": [ {
"code": "string"
} ],
"short": "The expected issuer (iss) claim value for JWTs. The TokenIntrospector ensures that tokens it validates come from this issuer."
}, {
"id": "TokenIntrospector.jwt.secret",
"max": "1",
"min": 0,
"path": "TokenIntrospector.jwt.secret",
"type": [ {
"code": "string"
} ],
"short": "A shared secret key or other signing key material used to verify the JWT's signature."
}, {
"id": "TokenIntrospector.jwt.keys",
"max": "*",
"min": 0,
"path": "TokenIntrospector.jwt.keys",
"type": [ {
"code": "BackboneElement"
} ],
"short": "The set of keys to use for validation."
}, {
"id": "TokenIntrospector.jwt.keys.k",
"max": "1",
"min": 0,
"path": "TokenIntrospector.jwt.keys.k",
"type": [ {
"code": "string"
} ],
"short": "The symmetric key to use for validation."
}, {
"id": "TokenIntrospector.jwt.keys.pub",
"max": "1",
"min": 0,
"path": "TokenIntrospector.jwt.keys.pub",
"type": [ {
"code": "string"
} ],
"short": "The asymmetric key to use for validation."
}, {
"id": "TokenIntrospector.jwt.keys.kty",
"max": "1",
"min": 1,
"path": "TokenIntrospector.jwt.keys.kty",
"type": [ {
"code": "string"
} ],
"short": "The key type to use for validation.",
"constraint": [ {
"key": "enum-1160",
"human": "Key type must be one of: RSA, EC, OCT",
"severity": "error",
"expression": "%context.subsetOf('RSA' | 'EC' | 'OCT')"
} ]
}, {
"id": "TokenIntrospector.jwt.keys.alg",
"max": "1",
"min": 1,
"path": "TokenIntrospector.jwt.keys.alg",
"type": [ {
"code": "string"
} ],
"short": "The algorithm to use for validation.",
"constraint": [ {
"key": "enum-1161",
"human": "Algorithm must be one of: RS256, RS384, ES256, HS256",
"severity": "error",
"expression": "%context.subsetOf('RS256' | 'RS384' | 'ES256' | 'HS256')"
} ]
}, {
"id": "TokenIntrospector.jwt.keys.format",
"max": "1",
"min": 1,
"path": "TokenIntrospector.jwt.keys.format",
"type": [ {
"code": "string"
} ],
"short": "The format of the key to use for validation. 'plain' for symmetric algs (HS256) and 'PEM' for all asymmetric algs",
"constraint": [ {
"key": "enum-1162",
"human": "Format must be one of: PEM, plain",
"severity": "error",
"expression": "%context.subsetOf('PEM' | 'plain')"
} ]
}, {
"id": "TokenIntrospector.introspection_endpoint",
"max": "1",
"min": 0,
"path": "TokenIntrospector.introspection_endpoint",
"type": [ {
"code": "BackboneElement"
} ],
"short": "Remote introspection endpoint configuration."
}, {
"id": "TokenIntrospector.introspection_endpoint.url",
"max": "1",
"min": 0,
"path": "TokenIntrospector.introspection_endpoint.url",
"type": [ {
"code": "string"
} ],
"short": "The fully qualified URL of the remote introspection endpoint."
}, {
"id": "TokenIntrospector.introspection_endpoint.authorization",
"max": "1",
"min": 0,
"path": "TokenIntrospector.introspection_endpoint.authorization",
"type": [ {
"code": "string"
} ],
"short": "The authorization header value."
}, {
"id": "TokenIntrospector.identity_provider",
"max": "1",
"min": 0,
"path": "TokenIntrospector.identity_provider",
"type": [ {
"code": "Reference",
"targetProfile": [ "http://health-samurai.io/fhir/core/StructureDefinition/IdentityProvider" ]
} ],
"short": "Link to Identity provider associated with the token introspector."
} ]
},
"baseDefinition": "http://hl7.org/fhir/StructureDefinition/DomainResource"
}