Skip to content

Commit

Permalink
Describe the use of the traceparent header
Browse files Browse the repository at this point in the history
Fixes #143
  • Loading branch information
qligier committed Feb 29, 2024
1 parent 8e85baf commit 76a239c
Show file tree
Hide file tree
Showing 15 changed files with 94 additions and 5 deletions.
5 changes: 5 additions & 0 deletions input/ch.fhir.ig.ch-epr-mhealth.xml
Original file line number Diff line number Diff line change
Expand Up @@ -597,6 +597,11 @@ Relationship in the Swiss examples (CN=CommunityA:00000001001,OU=Relationship,DC
<title value="Sequence Diagrams"/>
<generation value="markdown"/>
</page>
<page>
<nameUrl value="tracecontext.html"/>
<title value="Trace Context"/>
<generation value="markdown"/>
</page>
<page>
<nameUrl value="openissues.html"/>
<title value="Open Issues / Change Log"/>
Expand Down
3 changes: 2 additions & 1 deletion input/fsh/ex-audit-65.fsh
Original file line number Diff line number Diff line change
Expand Up @@ -42,4 +42,5 @@ Usage: #example
* entity[submissionSet].role = http://terminology.hl7.org/CodeSystem/object-role#20 "Job"
* entity[submissionSet].what.identifier.system = "urn:ietf:rfc:3986"
* entity[submissionSet].what.identifier.value = "urn:oid:1.3.6.1.4.1.12559.11.13.2.6.2949"

* entity[+].what.identifier.value = "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01"
* entity[=].type = https://profiles.ihe.net/ITI/BALP/CodeSystem/BasicAuditEntityType#Traceparent
3 changes: 3 additions & 0 deletions input/includes/menu.xml
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,9 @@
<li>
<a href="sequencediagrams.html">Sequence diagrams</a>
</li>
<li>
<a href="tracecontext.html">Trace Context</a>
</li>
<li>
<a href="openissues.html">Open Issues / Change Log</a>
</li>
Expand Down
2 changes: 1 addition & 1 deletion input/pagecontent/iti-103.md
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ There are no CapabilityStatement resources defined for this transaction.

### Security Consideration

There are no special security requirements for this transaction.
The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

Expand Down
3 changes: 3 additions & 0 deletions input/pagecontent/iti-104.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ Add Patient [Franz Muster](Patient-PatientPIXmFeed.json.html):
PUT http://example.org/fhir/Patient?identifier=urn:oid:2.16.756.888888.3.1|8734 HTTP/1.1
Accept: application/fhir+json
Content-Type: application/fhir+json
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
{
"resourceType" : "Patient",
Expand Down Expand Up @@ -120,6 +121,8 @@ Patient Identifier Cross-reference Manager using the IUA profile with basic acce
the _Patient Identity Feed FHIR_ [ITI-104] request must authorize using the
[_Incorporate Access Token_ [ITI-72]](iti-72.html) transaction of the IUA profile.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

##### Patient Identity Source Audit
Expand Down
2 changes: 2 additions & 0 deletions input/pagecontent/iti-20.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,3 +51,5 @@ The CapabilityStatement resource for the **Audit Record Repository** is
### Security Consideration

TLS SHALL be used.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).
2 changes: 2 additions & 0 deletions input/pagecontent/iti-65.md
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,8 @@ Document Recipient using the IUA profile with extended access token. Consequentl
the _Provide Document Bundle_ [ITI-65] request must authorize using the [_Incorporate Access Token_ [ITI-72]](iti-72.html)
transaction of the IUA profile.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

##### Document Source Audit
Expand Down
3 changes: 3 additions & 0 deletions input/pagecontent/iti-66.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ _Find Document List_ example **request**:
```
GET [base]/List?patient.identifier=urn:oid:2.999|11111111 HTTP/1.1
Accept: application/fhir+json
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
```

#### Find Document Lists Response Message
Expand All @@ -53,6 +54,8 @@ TLS SHALL be used. This national extension enforces authentication and authoriza
Responder using the IUA profile with extended access token. Consequently the _Find Document Lists_ [ITI-66] request
must authorize using the [_Incorporate Access Token_ [ITI-72]](iti-72.html) transaction of the IUA profile.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

##### Document Consumer Audit
Expand Down
1 change: 1 addition & 0 deletions input/pagecontent/iti-67.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ _Find Document Reference_ example **request**:
```
GET [base]/DocumentReference?patient.identifier=urn:oid:2.999|11111111 HTTP/1.1
Accept: application/fhir+json
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
```

#### Find Document References Response Message
Expand Down
2 changes: 2 additions & 0 deletions input/pagecontent/iti-68.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ Document Responder using the IUA profile with extended access token. Consequentl
the _Retrieve Document_ [ITI-68] request must authorize using the [_Incorporate Access Token_ [ITI-72]](iti-72.html)
transaction of the IUA profile.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

##### Document Consumer Audit
Expand Down
2 changes: 2 additions & 0 deletions input/pagecontent/iti-71.md
Original file line number Diff line number Diff line change
Expand Up @@ -575,6 +575,8 @@ There are no CapabilityStatement resources defined for this transaction.
IUA Authorization Clients, Authorization Servers and Resource Server actors SHALL use the JWS (signed) alternative
of the JWT token as specified in the IUA Trial Implementation. The JWE alternative SHALL not be used.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

There is no audit event required for this transaction.
4 changes: 4 additions & 0 deletions input/pagecontent/iti-78.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ Query for a patient with name Muster and birthdate 1995-01-27.
```
GET [base]/Patient?name=Muster&birthdate=1995-01-27
Accept: application/fhir+json
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
```
[Example response to above query](Bundle-PDQm-QueryResponse.json.html)

Expand All @@ -57,6 +58,7 @@ Query for a patient with name M returning too many results:
```
GET [base]/Patient?name=M
Accept: application/fhir+json
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
```
[Example response to above query](Bundle-PDQm-QueryResponseTooManyResults.json.html)

Expand Down Expand Up @@ -88,6 +90,8 @@ Patient Identifier Cross-reference Manager using the IUA profile with basic acce
the _Mobile Patient Identifier Cross-reference Query_ [ITI-83] request must authorize using the
[_Incorporate Access Token_ [ITI-72]](iti-72.html) transaction of the IUA profile.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

##### Patient Demographics Consumer Audit
Expand Down
7 changes: 6 additions & 1 deletion input/pagecontent/iti-83.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,10 @@ Query for a patient with a local id of 123 by AssigningAuthority oid 1.2.3 which
community where the Assigning Authority is oid 5.6.7 and the MPI-PID and EPR-SPID are requested:

```
GET [base]/Patient/$ihe-pix?sourceIdentifier=urn:oid:2.999.1.2.3|123&targetSystem=urn:oid:2.999.5.6.7&targetSystem=urn:oid:2.16.756.5.30.1.127.3.10.3
GET [base]/Patient/$ihe-pix?sourceIdentifier=urn:oid:2.999.1.2.3|123&targetSystem=urn:oid:2.999.5.6.7&targetSystem=urn:oid:2.16.756.5.30.1.127.3.10.3 HTTP/1.1
Accept: application/fhir+json
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
```

#### Response message
Expand Down Expand Up @@ -109,6 +112,8 @@ Patient Identifier Cross-reference Manager using the IUA profile with basic acce
the _Mobile Patient Identifier Cross-reference Query_ [ITI-83] request must authorize using the
[_Incorporate Access Token_ [ITI-72]](iti-72.html) transaction of the IUA profile.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

##### Patient Identifier Cross-reference Consumer Audit
Expand Down
10 changes: 8 additions & 2 deletions input/pagecontent/iti-90.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,13 +33,17 @@ The _Find Matching Care Services_ message is a FHIR search operation on the mCSD
A _Care Services Selective Consumer_ initiates a search request using HTTP GET or POST:

```
GET [base]/[resource]?[parameters]
GET [base]/[resource]?[parameters] HTTP/1.1
Accept: application/fhir+json
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
```

or

```
POST [base]/[resource]/_search
POST [base]/[resource]/_search HTTP/1.1
Accept: application/fhir+json
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
Content-Type: application/x-www-form-urlencoded
param1=value&param2=value
Expand Down Expand Up @@ -158,6 +162,8 @@ TLS SHALL be used. This national extension enforces authentication and authoriza
Selective Supplier_ using the IUA profile with basic access token. Consequently, the _Find Matching Care Services_
[ITI-90] request must authorize using the [_Incorporate Access Token_ [ITI-72]](iti-72.html) transaction of the IUA profile.

The `traceparent` header is required, as described in [Trace Context header](tracecontext.html).

#### Security Audit Considerations

Note that the same audit message is recorded by both **Care Services Selective Supplier** and **Care Services
Expand Down
50 changes: 50 additions & 0 deletions input/pagecontent/tracecontext.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
### Trace Context header

For all transaction described in this implementation guide, the HTTP `traceparent` header is required. This header
is defined in the [W3C Trace Context Recommendation](https://www.w3.org/TR/trace-context/).

The header value is made of four parts separated by dashes: the **version**, **trace-id**, **parent-id** and
**trace-flags**. For example:

```http
GET /request HTTP/1.1
traceparent: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00
```

- The **version** is currently set to `00`.
- The **trace-id** is a unique identifier for this transaction instance (i.e. an HTTP request and its response).
It is a 16-byte array encoded as 32 hexadecimal characters, all lowercase.
- The **parent-id** is a unique identifier for this message. It is an 8-byte array, encoded as 16 hexadecimal
characters, all lowercase.
- The **trace-flags** is used to communicate tracing flags with the consumer. This implementation guide specifies no
requirements for this field, it is recommended using the value `00`.

Each actor shall support the `traceparent` header. Grouped actors shall use the same **trace-id** value to correlate
IHE transactions.

##### Audit event requirements

The `traceparent` header value of the generated message SHALL be added to the generated Audit Event: for the client,
the header value of the request; for the responder, the header value of the response.
It is described as an `AuditEvent.entity`, with the system
`https://profiles.ihe.net/ITI/BALP/CodeSystem/BasicAuditEntityType#Traceparent`, as demonstrated below.

```json
{
"resourceType" : "AuditEvent",
/* Rest of the AuditEvent */
"entity" : [
{
"what" : {
"identifier" : {
"value" : "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00"
}
},
"type" : {
"system" : "https://profiles.ihe.net/ITI/BALP/CodeSystem/BasicAuditEntityType",
"code" : "Traceparent"
}
}
]
}
```

0 comments on commit 76a239c

Please sign in to comment.