diff --git a/README.md b/README.md
index 729c984..244ef1d 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,11 @@ Diese wird in VauMessage 4 gespeichert und zurück zum Client geschickt.
Der Client öffnet die Nachricht, entschlüsselt die Ciphertext-KeyConfirmation und vergleicht wieder den erhalten Hash mit selbst berechneten.
Erst dann ist der Handshake abgeschlossen.
+## Nutzung mit den APIs des Aktensystems
+
+Unter Verwendung der Klasse `VauHttpClientHandler` lassen sich Aufrufe des Aktensystems via `HttpClient` transparent ver- und entschlüsseln. Die Tests in der Datei [VauClientTest.cs](lib-vau-csharp-test/VauClientTest.cs)
+zeigen beispielhaft, wie diese Klasse mit von [NSwag](https://github.com/RicoSuter/NSwag) generierten Clients genutzt werden kann.
+
## License
Copyright 2024 gematik GmbH
diff --git a/lib-vau-csharp-test/Constants.cs b/lib-vau-csharp-test/Constants.cs
index 6ebd4d2..ab91fd2 100644
--- a/lib-vau-csharp-test/Constants.cs
+++ b/lib-vau-csharp-test/Constants.cs
@@ -16,16 +16,22 @@
* For additional notes and disclaimer from gematik and in case of changes by gematik find details in the "Readme" file.
*/
-using lib_vau_csharp.data;
+using System;
+using System.IO;
+
using lib_vau_csharp_test.util;
+
+using lib_vau_csharp.data;
+
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;
-using System.IO;
namespace lib_vau_csharp_test
{
public static class Constants
{
+ public static Uri EpaDeploymentUrl = new Uri("http://localhost:443/");
+
public static class Keys
{
public static readonly EccKyberKeyPair EccKyberKeyPair = FileUtil.ReadEccKyberKeyPairFromFile(Paths.VauServerKeys);
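Review bot: The new `EpaDeploymentUrl` field in `Constants` is a mutable public static, unlike the `static readonly` fields of the nested `Keys` class right below it, so any test can silently reassign the base URL for every other test in the run; I'd write `public static readonly Uri EpaDeploymentUrl = new Uri("http://localhost:443/");`. The literal also combines the plain `http` scheme with port 443, which is conventionally the TLS port, so either the scheme or the port looks mistaken; if a cleartext listener on 443 is really what the local deployment exposes, a one-line comment such as `// Local test deployment only; cleartext on 443 is intentional` would keep the next reader from "fixing" it. The `Constants` class continues past the end of the hunk.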
diff --git a/lib-vau-csharp-test/EpaApiClients/Auth/AuthorizationServiceClient.cs b/lib-vau-csharp-test/EpaApiClients/Auth/AuthorizationServiceClient.cs
new file mode 100644
index 0000000..6d16005
--- /dev/null
+++ b/lib-vau-csharp-test/EpaApiClients/Auth/AuthorizationServiceClient.cs
@@ -0,0 +1,3034 @@
+//----------------------
+//
+// Generated using the NSwag toolchain v14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0)) (http://NSwag.org)
+//
+//----------------------
+
+#pragma warning disable 108 // Disable "CS0108 '{derivedDto}.ToJson()' hides inherited member '{dtoBase}.ToJson()'. Use the new keyword if hiding was intended."
+#pragma warning disable 114 // Disable "CS0114 '{derivedDto}.RaisePropertyChanged(String)' hides inherited member 'dtoBase.RaisePropertyChanged(String)'. To make the current member override that implementation, add the override keyword. Otherwise add the new keyword."
+#pragma warning disable 472 // Disable "CS0472 The result of the expression is always 'false' since a value of type 'Int32' is never equal to 'null' of type 'Int32?'
+#pragma warning disable 612 // Disable "CS0612 '...' is obsolete"
+#pragma warning disable 649 // Disable "CS0649 Field is never assigned to, and will always have its default value null"
+#pragma warning disable 1573 // Disable "CS1573 Parameter '...' has no matching param tag in the XML comment for ...
+#pragma warning disable 1591 // Disable "CS1591 Missing XML comment for publicly visible type or member ..."
+#pragma warning disable 8073 // Disable "CS8073 The result of the expression is always 'false' since a value of type 'T' is never equal to 'null' of type 'T?'"
+#pragma warning disable 3016 // Disable "CS3016 Arrays as attribute arguments is not CLS-compliant"
+#pragma warning disable 8600 // Disable "CS8600 Converting null literal or possible null value to non-nullable type"
+#pragma warning disable 8602 // Disable "CS8602 Dereference of a possibly null reference"
+#pragma warning disable 8603 // Disable "CS8603 Possible null reference return"
+#pragma warning disable 8604 // Disable "CS8604 Possible null reference argument for parameter"
+#pragma warning disable 8625 // Disable "CS8625 Cannot convert null literal to non-nullable reference type"
+#pragma warning disable 8765 // Disable "CS8765 Nullability of type of parameter doesn't match overridden member (possibly because of nullability attributes)."
+
+namespace lib_vau_csharp_test.EpaApiClients.Auth
+{
+ using System = global::System;
+
+ [System.CodeDom.Compiler.GeneratedCode("NSwag", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial interface IAuthorizationServiceClient
+ {
+ ///
+ /// (getFHIRVZDtoken) Get the FHIR VZD search access-token
+ ///
+ ///
+ /// Get the directory service (FHIR VZD) search-token of the health record system.
+ ///
This operation is limited to authenticated users (IDP) only.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use the provided search access-token for directory service queries instead of an own, individual
+ ///
registration.
+ ///
+ ///
**Provider**:
+ ///
The authorization service shall return the search access-token as received from the FHIR Directory.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetFHIRVZDtokenAsync(string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getFHIRVZDtoken) Get the FHIR VZD search access-token
+ ///
+ ///
+ /// Get the directory service (FHIR VZD) search-token of the health record system.
+ ///
This operation is limited to authenticated users (IDP) only.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use the provided search access-token for directory service queries instead of an own, individual
+ ///
registration.
+ ///
+ ///
**Provider**:
+ ///
The authorization service shall return the search access-token as received from the FHIR Directory.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetFHIRVZDtokenAsync(string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (getNonce) Generate nonce (random value) for an authorization request
+ ///
+ ///
+ /// A nonce is a generated unique random value. This operation provides the nonce
+ ///
for the client (attestation).</br>
+ ///
Remark: This is NOT the nonce used by the authorization
+ ///
service towards the IDP in an IDP flow!
+ ///
+ ///
**Client**:</br>
+ ///
A client shall sign the received nonce. The signed nonce shall be used as client
+ ///
attestation for the authorization requests finalization (_sendAuthCodeSC_).
+ ///
+ ///
**Provider**:</br>
+ ///
The nonce shall be stored for later comparison in a subsequent _sendAuthCodeSc_ operation.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The nonce is kept for subsequent _sendAuthCodeSC_ operation ||
+ ///
+ /// user agent information
+ /// Ok.
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetNonceAsync(string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getNonce) Generate nonce (random value) for an authorization request
+ ///
+ ///
+ /// A nonce is a generated unique random value. This operation provides the nonce
+ ///
for the client (attestation).</br>
+ ///
Remark: This is NOT the nonce used by the authorization
+ ///
service towards the IDP in an IDP flow!
+ ///
+ ///
**Client**:</br>
+ ///
A client shall sign the received nonce. The signed nonce shall be used as client
+ ///
attestation for the authorization requests finalization (_sendAuthCodeSC_).
+ ///
+ ///
**Provider**:</br>
+ ///
The nonce shall be stored for later comparison in a subsequent _sendAuthCodeSc_ operation.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The nonce is kept for subsequent _sendAuthCodeSC_ operation ||
+ ///
+ /// user agent information
+ /// Ok.
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetNonceAsync(string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (sendAuthorizationRequestSC) Send authorization request
+ ///
+ ///
+ /// Request authorization for a smartcard (SMC-B) based client.
+ ///
+ ///
**Client**:</br>
+ ///
A client will receive a well prepared redirection uri and parameters for the authoriation request
+ ///
towards the authenticator. A client shall invoke the authenticator and IDP flow to revceive an
+ ///
authorization code for the subsequent _sendAuthCodeSC_ operation.
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization server shall prepare a complete redirection uri and authorization request parameters
+ ///
(PAR-URI) for the central smartcard IDP.
+ ///
This operation shall be rejected if the corresponding user session is already authorized. Repeated authorization
+ ///
attempts are not supported.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 302 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service which is not mapped to 500 internal Server error |
+ ///
| Repeated authorization attempt | 409 | statusMismatch | when user session is already authorized only |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthorizationRequestSCAsync(string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthorizationRequestSC) Send authorization request
+ ///
+ ///
+ /// Request authorization for a smartcard (SMC-B) based client.
+ ///
+ ///
**Client**:</br>
+ ///
A client will receive a well prepared redirection uri and parameters for the authoriation request
+ ///
towards the authenticator. A client shall invoke the authenticator and IDP flow to revceive an
+ ///
authorization code for the subsequent _sendAuthCodeSC_ operation.
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization server shall prepare a complete redirection uri and authorization request parameters
+ ///
(PAR-URI) for the central smartcard IDP.
+ ///
This operation shall be rejected if the corresponding user session is already authorized. Repeated authorization
+ ///
attempts are not supported.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 302 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service which is not mapped to 500 internal Server error |
+ ///
| Repeated authorization attempt | 409 | statusMismatch | when user session is already authorized only |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthorizationRequestSCAsync(string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (sendAuthCodeSC) Send authorization code
+ ///
+ ///
+ /// After successful user authentication the authorization code grant was returned to the authorization
+ ///
service, that is exchanged for an ID token at the IDP's token endpoint using this operation.
+ ///
This operation is limited to users of the "Allowed usergroups for Authorization SMC-B"
+ ///
+ ///
**Client**:</br>
+ ///
A client shall submit the authorization code received from the authenticator and the client attestation
+ ///
(signed nonce)
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization service shall use the authorization code to prepare a token request for the IDP and receive
+ ///
the encrypted ID-Token in return.
+ ///
The received ID-Token shall be validated with HSM rule 'rr0'. The resulting HSM-ID-Token shall be added to the user session.
+ ///
+ ///
The authorization service shall further validate the ID-token against the stored nonce (from a preceding _getNonce_ operation)
+ ///
and the client attestation:
+ ///
- _clientAttest_ is valid if
+ ///
- signature is valid
+ ///
- "exp" expiration_time is a timestamp 20 minutes in the future "iat".
+ ///
- user has role as in "Allowed usergroups for Authorization SMC-B" (from signature cert)
+ ///
- stored nonce shall not be outdated
+ ///
- stored nonce shall match client attestation nonce
+ ///
- Telematik-Id of client attestation (from signature cert) shall match the telematik-id claim of the ID-Token
+ ///
+ ///
The user session of the client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The nonce shall be discarded, i.e. reuse of a client attestation for user session establishment shall be rejected.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service which are not mapped to 500 internal Server error |
+ ///
| No or outdated nonce | 409 | statusMismatch | No preceding _getNonce_ call or stored nonce outdated/invalid |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The nonce is discarded ||
+ ///
| User session has valid HSM-ID-Token for requesting client (telematik-id) | successful operation only |
+ ///
| User session and temporary data is deleted | failed operation only |
+ ///
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthCodeSCAsync(SendAuthCodeSCtype body, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthCodeSC) Send authorization code
+ ///
+ ///
+ /// After successful user authentication the authorization code grant was returned to the authorization
+ ///
service, that is exchanged for an ID token at the IDP's token endpoint using this operation.
+ ///
This operation is limited to users of the "Allowed usergroups for Authorization SMC-B"
+ ///
+ ///
**Client**:</br>
+ ///
A client shall submit the authorization code received from the authenticator and the client attestation
+ ///
(signed nonce)
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization service shall use the authorization code to prepare a token request for the IDP and receive
+ ///
the encrypted ID-Token in return.
+ ///
The received ID-Token shall be validated with HSM rule 'rr0'. The resulting HSM-ID-Token shall be added to the user session.
+ ///
+ ///
The authorization service shall further validate the ID-token against the stored nonce (from a preceding _getNonce_ operation)
+ ///
and the client attestation:
+ ///
- _clientAttest_ is valid if
+ ///
- signature is valid
+ ///
- "exp" expiration_time is a timestamp 20 minutes in the future "iat".
+ ///
- user has role as in "Allowed usergroups for Authorization SMC-B" (from signature cert)
+ ///
- stored nonce shall not be outdated
+ ///
- stored nonce shall match client attestation nonce
+ ///
- Telematik-Id of client attestation (from signature cert) shall match the telematik-id claim of the ID-Token
+ ///
+ ///
The user session of the client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The nonce shall be discarded, i.e. reuse of a client attestation for user session establishment shall be rejected.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service which are not mapped to 500 internal Server error |
+ ///
| No or outdated nonce | 409 | statusMismatch | No preceding _getNonce_ call or stored nonce outdated/invalid |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The nonce is discarded ||
+ ///
| User session has valid HSM-ID-Token for requesting client (telematik-id) | successful operation only |
+ ///
| User session and temporary data is deleted | failed operation only |
+ ///
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthCodeSCAsync(SendAuthCodeSCtype body, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (getFreshnessParameter) Get freshness parameter for a bearer token
+ ///
+ ///
+ /// Get a new freshness parameter for a new bearer token for the authorization by bearer token.
+ ///
+ ///
**Client**</br>
+ ///
The ePrescription backend shall use the freshness parameter for a signed JWT (bearer token) according to requirement gemSpec_Aktensystem_ePAfuerAlle, A_25165*.
+ ///
+ ///
**Provider**</br>
+ ///
The returned freshness parameter shall follow the requirements in gemSpec_Krypt, A_24658* and be verifiable by HSM rule 'rr0'.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetFreshnessParameterAsync(string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getFreshnessParameter) Get freshness parameter for a bearer token
+ ///
+ ///
+ /// Get a new freshness parameter for a new bearer token for the authorization by bearer token.
+ ///
+ ///
**Client**</br>
+ ///
The ePrescription backend shall use the freshness parameter for a signed JWT (bearer token) according to requirement gemSpec_Aktensystem_ePAfuerAlle, A_25165*.
+ ///
+ ///
**Provider**</br>
+ ///
The returned freshness parameter shall follow the requirements in gemSpec_Krypt, A_24658* and be verifiable by HSM rule 'rr0'.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetFreshnessParameterAsync(string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (sendAuthorizationRequestBearerToken) Client authorization based on JWT authorization grant.
+ ///
+ ///
+ /// Authorization of the ePrescription backend (E-Rezept-Fachdienst).
+ ///
+ ///
**Client**</br>
+ ///
The ePrescription backend shall send a signed JWT (bearerToken) according to requirement gemSpec_Aktensystem_ePAfuerAlle, A_25165*.
+ ///
The token shall contain a fresh parameter (see: _getFreshnessParameter_).
+ ///
+ ///
**Provider**</br>
+ ///
The received token shall be validated with HSM rule 'rr0'. The resulting HSM-ID-Token shall be added to the user session.
+ ///
The received token shall have a claim "sub", this claim shall state the telematik-id of the ePrescription backend.
+ ///
+ ///
The user session of the client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest | also for _bearerToken_ does not match token schema |
+ ///
| Invalid request | 403 | invalAuth | _bearerToken_ is invalid by means of HSM rule 'rr0' or timestamp |
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| authorized user session with HSM-ID-Token for ePrescription backend exists | successful operation only |
+ ///
| user session and temporary data is deleted | failed operation only |
+ ///
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthorizationRequestBearerTokenAsync(BearerTokenType body, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthorizationRequestBearerToken) Client authorization based on JWT authorization grant.
+ ///
+ ///
+ /// Authorization of the ePrescription backend (E-Rezept-Fachdienst).
+ ///
+ ///
**Client**</br>
+ ///
The ePrescription backend shall send a signed JWT (bearerToken) according to requirement gemSpec_Aktensystem_ePAfuerAlle, A_25165*.
+ ///
The token shall contain a fresh parameter (see: _getFreshnessParameter_).
+ ///
+ ///
**Provider**</br>
+ ///
The received token shall be validated with HSM rule 'rr0'. The resulting HSM-ID-Token shall be added to the user session.
+ ///
The received token shall have a claim "sub", this claim shall state the telematik-id of the ePrescription backend.
+ ///
+ ///
The user session of the client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest | also for _bearerToken_ does not match token schema |
+ ///
| Invalid request | 403 | invalAuth | _bearerToken_ is invalid by means of HSM rule 'rr0' or timestamp |
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| authorized user session with HSM-ID-Token for ePrescription backend exists | successful operation only |
+ ///
| user session and temporary data is deleted | failed operation only |
+ ///
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthorizationRequestBearerTokenAsync(BearerTokenType body, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (sendAuthorizationRequestFdV) Send authorization request
+ ///
+ ///
+ /// Sends an authorization request to the authorization service.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use parameter _x-authorize_representative_ for the "Authorize Representative" use case,
+ ///
a login of a user on not owned device for representative entitlement only.
+ ///
The _x-authorize-representative_ parameter will force an authentication of the user with egK + pin only and limit the possible operations to entitlement management only.
+ ///
A client shall use the returned redirect url to invoke the authenticator. <br/>
+ ///
+ ///
A client shall use parameter _x-authorize-egk_ for a login in guest mode with egk and pin, e.g. of a validation identity
+ ///
(i.e. "Prüfkarte eGK"), forcing the authorization service to request an authentication at the identity provider
+ ///
in guest mode (eGK + pin).
+ ///
A client shall use the returned redirect url to invoke the authenticator.
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization service shall send a pushed authorization request (PAR) to the IDP (see: find more details).
+ ///
+ ///
The _redirect_uri_ parameter of the PAR shall be set to a predefined value when operation parameter
+ ///
_x-redirecturi_ is not present, else the content of _x-redirecturi_ shall be used (according to A_25717-*).
+ ///
+ ///
The authorize representative situation (_x-authorize-representative_ == _true_) shall be kept for the subsequent
+ ///
_sendAuthCodeFdV_ and device management operations.
+ ///
+ ///
For the _x-authorize-representative_ and the _x-authorize-egk_ case the PAR for the IDP shall include:
+ ///
- amr = urn:telematik:auth:guest:eGK
+ ///
+ ///
_x-authorize-representative_ and _x-authorize-egk_ both should not be set to _true_ at the same time.
+ ///
+ ///
This operation shall be rejected if the corresponding user session is already authorized. Repeated authorization
+ ///
attempts are not supported.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 302 |||
+ ///
| Request does not match schema | 400 | malformedRequest | also if both "x-authorize"-parameters are set to _true_ |
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
+ ///
| unregistered redirecturi | 403 | invalRedir | redirecturi in _x-redirecturi_ is not known, registration required |
+ ///
| Invalid URI (x-idp-iss) | 404 | noResource | |
+ ///
| Repeated authorization attempt | 409 | statusMismatch | when user session is already authorized only |
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| _authorize_representative_ kept for subsequent _sendAuthCodeFdV_ evaluation | if applicable |
+ ///
+ /// The issuer Identifier (URL) of the IDP to be used for user authentication
+ /// This parameter shall be absent or set to _true_ to indicate an authorization request without epa device management registration checks.
+ /// This parameter shall be absent or set to _true_ to indicate an authorization request in guest mode with egk + pin e.g. for validation identities.
+ /// An optional redirecturi (URL) to be used in PAR for redirection of the authorizationcode. The redirecturi must be registered as valid on the epa application server (entity statement)
+ /// user agent information
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthorizationRequestFdVAsync(string x_idp_iss, bool? x_authorize_representative, bool? x_authorize_egk, string x_redirecturi, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthorizationRequestFdV) Send authorization request
+ ///
+ ///
+ /// Sends an authorization request to the authorization service.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use parameter _x-authorize_representative_ for the "Authorize Representative" use case,
+ ///
a login of a user on not owned device for representative entitlement only.
+ ///
The _x-authorize-representative_ parameter will force an authentication of the user with egK + pin only and limit the possible operations to entitlement management only.
+ ///
A client shall use the returned redirect url to invoke the authenticator. <br/>
+ ///
+ ///
A client shall use parameter _x-authorize-egk_ for a login in guest mode with egk and pin, e.g. of a validation identity
+ ///
(i.e. "Prüfkarte eGK"), forcing the authorization service to request an authentication at the identity provider
+ ///
in guest mode (eGK + pin).
+ ///
A client shall use the returned redirect url to invoke the authenticator.
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization service shall send a pushed authorization request (PAR) to the IDP (see: find more details).
+ ///
+ ///
The _redirect_uri_ parameter of the PAR shall be set to a predefined value when operation parameter
+ ///
_x-redirecturi_ is not present, else the content of _x-redirecturi_ shall be used (according to A_25717-*).
+ ///
+ ///
The authorize representative situation (_x-authorize-representative_ == _true_) shall be kept for the subsequent
+ ///
_sendAuthCodeFdV_ and device management operations.
+ ///
+ ///
For the _x-authorize-representative_ and the _x-authorize-egk_ case the PAR for the IDP shall include:
+ ///
- amr = urn:telematik:auth:guest:eGK
+ ///
+ ///
_x-authorize-representative_ and _x-authorize-egk_ both should not be set to _true_ at the same time.
+ ///
+ ///
This operation shall be rejected if the corresponding user session is already authorized. Repeated authorization
+ ///
attempts are not supported.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 302 |||
+ ///
| Request does not match schema | 400 | malformedRequest | also if both "x-authorize"-parameters are set to _true_ |
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
+ ///
| unregistered redirecturi | 403 | invalRedir | redirecturi in _x-redirecturi_ is not known, registration required |
+ ///
| Invalid URI (x-idp-iss) | 404 | noResource | |
+ ///
| Repeated authorization attempt | 409 | statusMismatch | when user session is already authorized only |
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| _authorize_representative_ kept for subsequent _sendAuthCodeFdV_ evaluation | if applicable |
+ ///
+ /// The issuer Identifier (URL) of the IDP to be used for user authentication
+ /// This parameter shall be absent or set to _true_ to indicate an authorization request without epa device management registration checks.
+ /// This parameter shall be absent or set to _true_ to indicate an authorization request in guest mode with egk + pin e.g. for validation identities.
+ /// An optional redirecturi (URL) to be used in PAR for redirection of the authorizationcode. The redirecturi must be registered as valid on the epa application server (entity statement)
+ /// user agent information
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthorizationRequestFdVAsync(string x_idp_iss, bool? x_authorize_representative, bool? x_authorize_egk, string x_redirecturi, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (sendAuthCodeFdV) Send authorization code
+ ///
+ ///
+ /// Send the authorization code to the authorization service to complete the login and (optional)
+ ///
verify the device registration.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall always send the authorization code received from the authenticator / IDP. <br/>
+ ///
+ ///
A client shall send both, _x-device-identifier_ and _x-device-token_, on login to the home system
+ ///
of the user for proof of a registered device.
+ ///
+ ///
If the user has a device registration in another home system, then a device attestation from his home
+ ///
system must be used and a client shall submit _x-device-attestation_ (instead of _x-device-identifier_
+ ///
and _x-device-token_). A client can obtain a device attestation from the home system via a
+ ///
_getDeviceAttestation_ operation call.
+ ///
+ ///
A client shall not send _x-device-identifier_ and _x-device-token_ or even _x-device-attestation_
+ ///
(suppress parameters at all) if the device is not yet registered and confirmed or if the preceding
+ ///
_sendAuthorizationRequestFdV_ call includes the parameter _x-authorize_representative_ == _true_.
+ ///
+ ///
(For registration of a new device, including confirmation of the registration, see Device Management
+ ///
Service operations _registerDevice_ and _confirmDevice_).
+ ///
+ ///
+ ///
**Provider**:</br>
+ ///
The provided authorization code shall be exchanged for an ID-Token with the IDP. The ID-Token shall be converted
+ ///
into a HSM-ID-Token with an extended validity period.
+ ///
+ ///
Device verification - home system:</br>
+ ///
If _x-device-identifier_ and _x-device-token_ are both submitted the device verification starts immediately after
+ ///
the authorization completion.
+ ///
Device identifier and -token shall be verified with the registered values.
+ ///
The x-device-identifier / x-device-token check shall only consider device registrations for the authorized user.
+ ///
+ ///
Device verification - other than home system:</br>
+ ///
If _x-device-attestation_ is submitted the device verification starts immediately after the authorization completion.
+ ///
The authorization service shall accept a device attestation in case
+ ///
- signature is valid
+ ///
- "exp" expiration_time is a timestamp 120 minutes in the future "iat".
+ ///
- current time is greater or equal than 'iat' and less than 'exp' with 15 seconds tolerance ('iat' - 15s <= current time < 'exp' + 15s).
+ ///
- claim _actorId_ from device attestation matches kvnr of ID-Token or HSM-ID-Token.
+ ///
+ ///
If the device attestation is valid by signature and time, and the KVNR submitted in device attestation matches the
+ ///
KVNR of the authorized user the authorization service shall accept the device registration.
+ ///
+ ///
On success (ID-Token / HSM-ID-Token received and device binding check successful) a new user session shall be instantiated,
+ ///
associated to the HSM-ID-Token.
+ ///
+ ///
If device verification succeeds, access to all services of a health record shall be possible for the associated
+ ///
user session.
+ ///
if x-authorize-representative is set, access to the user's health record entitlement management only shall be
+ ///
possible for the user session.
+ ///
In all other (success cases) access of the user session shall be limited to the device management service.
+ ///
+ ///
The user session of a client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Only _x-device-identifier_ or _x-device-token_ provided | 400 | paramExcpected | both parameters required or none |
+ ///
| (_x-device-identifier_ and/or _x-device-token_) and _x-device-attestation_ provided | 400 | paramExcpected | use only registration of home system, another system or none (yet unregistered device) |
+ ///
| _authorize_representative_ is set and _x-device-identifier_ and/or _x-device-token_ and/or x-device-attestation_ provided | 400 | authorizeRep | _x-authorize_representative_ from preceding sendAuthorizationRequestFdV |
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| _authorizationCode_ not valid | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
+ ///
| Wrong _x-device-token_ | 403 | invalidToken | if both parameters avaiable and allowed|
+ ///
| Invalid _x-device-attestation_ | 403 | invalSignature ||
+ ///
| Device registration does not exist (_x-device-identifier_)| 404| noResource | also if device is not associated to requestor kvnr |
+ ///
| Device registration not confirmed (_status_ == _pending_) | 409 | statusMismatch | confirm pending device registration before retry |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| user session has valid HSM-ID-Token | successful operation only |
+ ///
| user session contains device verification result | successful operation with device parameters only |
+ ///
| _lastUse_ of device registration is updated to current time | successful operation with device parameters only |
+ ///
| user session and temporary data is deleted | failed operation only |
+ ///
+ /// The deviceidentifier of a device registration
+ /// The devicetoken of a device registration
+ /// The deviceAttestation of a device registration
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthCodeFdVAsync(System.Guid? x_device_identifier, string x_device_token, DeviceAttestationType x_device_attestation, SendAuthCodeFdVtype body, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthCodeFdV) Send authorization code
+ ///
+ ///
+ /// Send the authorization code to the authorization service to complete the login and (optional)
+ ///
verify the device registration.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall always send the authorization code received from the authenticator / IDP. <br/>
+ ///
+ ///
A client shall send both, _x-device-identifier_ and _x-device-token_, on login to the home system
+ ///
of the user for proof of a registered device.
+ ///
+ ///
If the user has a device registration in another home system, then a device attestation from his home
+ ///
system must be used and a client shall submit _x-device-attestation_ (instead of _x-device-identifier_
+ ///
and _x-device-token_). A client can obtain a device attestation from the home system via a
+ ///
_getDeviceAttestation_ operation call.
+ ///
+ ///
A client shall not send _x-device-identifier_ and _x-device-token_ or even _x-device-attestation_
+ ///
(suppress parameters at all) if the device is not yet registered and confirmed or if the preceding
+ ///
_sendAuthorizationRequestFdV_ call includes the parameter _x-authorize_representative_ == _true_.
+ ///
+ ///
(For registration of a new device, including confirmation of the registration, see Device Management
+ ///
Service operations _registerDevice_ and _confirmDevice_).
+ ///
+ ///
+ ///
**Provider**:</br>
+ ///
The provided authorization code shall be exchanged for an ID-Token with the IDP. The ID-Token shall be converted
+ ///
into a HSM-ID-Token with an extended validity period.
+ ///
+ ///
Device verification - home system:</br>
+ ///
If _x-device-identifier_ and _x-device-token_ are both submitted the device verification starts immediately after
+ ///
the authorization completion.
+ ///
Device identifier and -token shall be verified with the registered values.
+ ///
The x-device-identifier / x-device-token check shall only consider device registrations for the authorized user.
+ ///
+ ///
Device verification - other than home system:</br>
+ ///
If _x-device-attestation_ is submitted the device verification starts immediately after the authorization completion.
+ ///
The authorization service shall accept a device attestation in case
+ ///
- signature is valid
+ ///
- "exp" expiration_time is a timestamp 120 minutes in the future "iat".
+ ///
- current time is greater or equal than 'iat' and less than 'exp' with 15 seconds tolerance ('iat' - 15s <= current time < 'exp' + 15s).
+ ///
- claim _actorId_ from device attestation matches kvnr of ID-Token or HSM-ID-Token.
+ ///
+ ///
If the device attestation is valid by signature and time, and the KVNR submitted in device attestation matches the
+ ///
KVNR of the authorized user the authorization service shall accept the device registration.
+ ///
+ ///
On success (ID-Token / HSM-ID-Token received and device binding check successful) a new user session shall be instantiated,
+ ///
associated to the HSM-ID-Token.
+ ///
+ ///
If device verification succeeds, access to all services of a health record shall be possible for the associated
+ ///
user session.
+ ///
if x-authorize-representative is set, access to the user's health record entitlement management only shall be
+ ///
possible for the user session.
+ ///
In all other (success cases) access of the user session shall be limited to the device management service.
+ ///
+ ///
The user session of a client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Only _x-device-identifier_ or _x-device-token_ provided | 400 | paramExcpected | both parameters required or none |
+ ///
| (_x-device-identifier_ and/or _x-device-token_) and _x-device-attestation_ provided | 400 | paramExcpected | use only registration of home system, another system or none (yet unregistered device) |
+ ///
| _authorize_representative_ is set and _x-device-identifier_ and/or _x-device-token_ and/or x-device-attestation_ provided | 400 | authorizeRep | _x-authorize_representative_ from preceding sendAuthorizationRequestFdV |
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| _authorizationCode_ not valid | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
+ ///
| Wrong _x-device-token_ | 403 | invalidToken | if both parameters avaiable and allowed|
+ ///
| Invalid _x-device-attestation_ | 403 | invalSignature ||
+ ///
| Device registration does not exist (_x-device-identifier_)| 404| noResource | also if device is not associated to requestor kvnr |
+ ///
| Device registration not confirmed (_status_ == _pending_) | 409 | statusMismatch | confirm pending device registration before retry |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| user session has valid HSM-ID-Token | successful operation only |
+ ///
| user session contains device verification result | successful operation with device parameters only |
+ ///
| _lastUse_ of device registration is updated to current time | successful operation with device parameters only |
+ ///
| user session and temporary data is deleted | failed operation only |
+ ///
+ /// The deviceidentifier of a device registration
+ /// The devicetoken of a device registration
+ /// The deviceAttestation of a device registration
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SendAuthCodeFdVAsync(System.Guid? x_device_identifier, string x_device_token, DeviceAttestationType x_device_attestation, SendAuthCodeFdVtype body, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (logoutFdV) Logout from user session.
+ ///
+ ///
+ /// A logout terminates the associated user session. For any further service usage a new
+ ///
authentication of the user is required.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall perform this explicit logout to close the user session and all
+ ///
health record related activities. For further access a client shall perform a new login, including
+ ///
negotiation of a new VAU-channel.
+ ///
+ ///
**Provider**:</br>
+ ///
The user session of a client shall be closed and all session related
+ ///
data shall be deleted. Associated health record contexts shall be released / closed.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful logout | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The user session and all related temporary data is terminated / deleted | successful operation only |
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task LogoutFdVAsync(string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (logoutFdV) Logout from user session.
+ ///
+ ///
+ /// A logout terminates the associated user session. For any further service usage a new
+ ///
authentication of the user is required.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall perform this explicit logout to close the user session and all
+ ///
health record related activities. For further access a client shall perform a new login, including
+ ///
negotiation of a new VAU-channel.
+ ///
+ ///
**Provider**:</br>
+ ///
The user session of a client shall be closed and all session related
+ ///
data shall be deleted. Associated health record contexts shall be released / closed.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful logout | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The user session and all related temporary data is terminated / deleted | successful operation only |
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task LogoutFdVAsync(string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ }
+
+ [System.CodeDom.Compiler.GeneratedCode("NSwag", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class AuthorizationServiceClient : IAuthorizationServiceClient
+ {
+ private System.Net.Http.HttpClient _httpClient;
+ private static System.Lazy _settings = new System.Lazy(CreateSerializerSettings, true);
+ private System.Text.Json.JsonSerializerOptions _instanceSettings;
+
+ #pragma warning disable CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+ public AuthorizationServiceClient(System.Net.Http.HttpClient httpClient)
+ #pragma warning restore CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+ {
+ _httpClient = httpClient;
+ Initialize();
+ }
+
+ private static System.Text.Json.JsonSerializerOptions CreateSerializerSettings()
+ {
+ var settings = new System.Text.Json.JsonSerializerOptions();
+ UpdateJsonSerializerSettings(settings);
+ return settings;
+ }
+
+ protected System.Text.Json.JsonSerializerOptions JsonSerializerSettings { get { return _instanceSettings ?? _settings.Value; } }
+
+ static partial void UpdateJsonSerializerSettings(System.Text.Json.JsonSerializerOptions settings);
+
+ partial void Initialize();
+
+ partial void PrepareRequest(System.Net.Http.HttpClient client, System.Net.Http.HttpRequestMessage request, string url);
+ partial void PrepareRequest(System.Net.Http.HttpClient client, System.Net.Http.HttpRequestMessage request, System.Text.StringBuilder urlBuilder);
+ partial void ProcessResponse(System.Net.Http.HttpClient client, System.Net.Http.HttpResponseMessage response);
+
+ ///
+ /// (getFHIRVZDtoken) Get the FHIR VZD search access-token
+ ///
+ ///
+ /// Get the directory service (FHIR VZD) search-token of the health record system.
+ ///
This operation is limited to authenticated users (IDP) only.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use the provided search access-token for directory service queries instead of an own, individual
+ ///
registration.
+ ///
+ ///
**Provider**:
+ ///
The authorization service shall return the search access-token as received from the FHIR Directory.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task GetFHIRVZDtokenAsync(string x_useragent)
+ {
+ return GetFHIRVZDtokenAsync(x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getFHIRVZDtoken) Get the FHIR VZD search access-token
+ ///
+ ///
+ /// Get the directory service (FHIR VZD) search-token of the health record system.
+ ///
This operation is limited to authenticated users (IDP) only.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use the provided search access-token for directory service queries instead of an own, individual
+ ///
registration.
+ ///
+ ///
**Provider**:
+ ///
The authorization service shall return the search access-token as received from the FHIR Directory.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task GetFHIRVZDtokenAsync(string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/vzd/v1/vzdToken"
+ urlBuilder_.Append("epa/vzd/v1/vzdToken");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (getNonce) Generate nonce (random value) for an authorization request
+ ///
+ ///
+ /// A nonce is a generated unique random value. This operation provides the nonce
+ ///
for the client (attestation).</br>
+ ///
Remark: This is NOT the nonce used by the authorization
+ ///
service towards the IDP in an IDP flow!
+ ///
+ ///
**Client**:</br>
+ ///
A client shall sign the received nonce. The signed nonce shall be used as client
+ ///
attestation for the authorization requests finalization (_sendAuthCodeSC_).
+ ///
+ ///
**Provider**:</br>
+ ///
The nonce shall be stored for later comparison in a subsequent _sendAuthCodeSc_ operation.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The nonce is kept for subsequent _sendAuthCodeSC_ operation ||
+ ///
+ /// user agent information
+ /// Ok.
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task GetNonceAsync(string x_useragent)
+ {
+ return GetNonceAsync(x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getNonce) Generate nonce (random value) for an authorization request
+ ///
+ ///
+ /// A nonce is a generated unique random value. This operation provides the nonce
+ ///
for the client (attestation).</br>
+ ///
Remark: This is NOT the nonce used by the authorization
+ ///
service towards the IDP in an IDP flow!
+ ///
+ ///
**Client**:</br>
+ ///
A client shall sign the received nonce. The signed nonce shall be used as client
+ ///
attestation for the authorization requests finalization (_sendAuthCodeSC_).
+ ///
+ ///
**Provider**:</br>
+ ///
The nonce shall be stored for later comparison in a subsequent _sendAuthCodeSc_ operation.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The nonce is kept for subsequent _sendAuthCodeSC_ operation ||
+ ///
+ /// user agent information
+ /// Ok.
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task GetNonceAsync(string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/authz/v1/getNonce"
+ urlBuilder_.Append("epa/authz/v1/getNonce");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Bad Request", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (sendAuthorizationRequestSC) Send authorization request
+ ///
+ ///
+ /// Request authorization for a smartcard (SMC-B) based client.
+ ///
+ ///
**Client**:</br>
+ ///
A client will receive a well prepared redirection uri and parameters for the authoriation request
+ ///
towards the authenticator. A client shall invoke the authenticator and IDP flow to revceive an
+ ///
authorization code for the subsequent _sendAuthCodeSC_ operation.
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization server shall prepare a complete redirection uri and authorization request parameters
+ ///
(PAR-URI) for the central smartcard IDP.
+ ///
This operation shall be rejected if the corresponding user session is already authorized. Repeated authorization
+ ///
attempts are not supported.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 302 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service which is not mapped to 500 internal Server error |
+ ///
| Repeated authorization attempt | 409 | statusMismatch | when user session is already authorized only |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task SendAuthorizationRequestSCAsync(string x_useragent)
+ {
+ return SendAuthorizationRequestSCAsync(x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthorizationRequestSC) Send authorization request
+ ///
+ ///
+ /// Request authorization for a smartcard (SMC-B) based client.
+ ///
+ ///
**Client**:</br>
+ ///
A client will receive a well prepared redirection uri and parameters for the authoriation request
+ ///
towards the authenticator. A client shall invoke the authenticator and IDP flow to revceive an
+ ///
authorization code for the subsequent _sendAuthCodeSC_ operation.
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization server shall prepare a complete redirection uri and authorization request parameters
+ ///
(PAR-URI) for the central smartcard IDP.
+ ///
This operation shall be rejected if the corresponding user session is already authorized. Repeated authorization
+ ///
attempts are not supported.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 302 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service which is not mapped to 500 internal Server error |
+ ///
| Repeated authorization attempt | 409 | statusMismatch | when user session is already authorized only |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task SendAuthorizationRequestSCAsync(string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/authz/v1/send_authorization_request_sc"
+ urlBuilder_.Append("epa/authz/v1/send_authorization_request_sc");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 302)
+ {
+ string responseText_ = ( response_.Content == null ) ? string.Empty : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("Found", status_, responseText_, headers_, null);
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Bad Request", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+
+ if (status_ == 200 || status_ == 204)
+ {
+
+ return;
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (sendAuthCodeSC) Send authorization code
+ ///
+ ///
+ /// After successful user authentication the authorization code grant was returned to the authorization
+ ///
service, that is exchanged for an ID token at the IDP's token endpoint using this operation.
+ ///
This operation is limited to users of the "Allowed usergroups for Authorization SMC-B"
+ ///
+ ///
**Client**:</br>
+ ///
A client shall submit the authorization code received from the authenticator and the client attestation
+ ///
(signed nonce)
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization service shall use the authorization code to prepare a token request for the IDP and receive
+ ///
the encrypted ID-Token in return.
+ ///
The received ID-Token shall be validated with HSM rule 'rr0'. The resulting HSM-ID-Token shall be added to the user session.
+ ///
+ ///
The authorization service shall further validate the ID-token against the stored nonce (from a preceding _getNonce_ operation)
+ ///
and the client attestation:
+ ///
- _clientAttest_ is valid if
+ ///
- signature is valid
+ ///
- "exp" expiration_time is a timestamp 20 minutes in the future "iat".
+ ///
- user has role as in "Allowed usergroups for Authorization SMC-B" (from signature cert)
+ ///
- stored nonce shall not be outdated
+ ///
- stored nonce shall match client attestation nonce
+ ///
- Telematik-Id of client attestation (from signature cert) shall match the telematik-id claim of the ID-Token
+ ///
+ ///
The user session of the client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The nonce shall be discarded, i.e. reuse of a client attestation for user session establishment shall be rejected.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service which are not mapped to 500 internal Server error |
+ ///
| No or outdated nonce | 409 | statusMismatch | No preceding _getNonce_ call or stored nonce outdated/invalid |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The nonce is discarded ||
+ ///
| User session has valid HSM-ID-Token for requesting client (telematik-id) | successful operation only |
+ ///
| User session and temporary data is deleted | failed operation only |
+ ///
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task SendAuthCodeSCAsync(SendAuthCodeSCtype body, string x_useragent)
+ {
+ return SendAuthCodeSCAsync(body, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthCodeSC) Send authorization code
+ ///
+ ///
+ /// After successful user authentication the authorization code grant was returned to the authorization
+ ///
service, that is exchanged for an ID token at the IDP's token endpoint using this operation.
+ ///
This operation is limited to users of the "Allowed usergroups for Authorization SMC-B"
+ ///
+ ///
**Client**:</br>
+ ///
A client shall submit the authorization code received from the authenticator and the client attestation
+ ///
(signed nonce)
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization service shall use the authorization code to prepare a token request for the IDP and receive
+ ///
the encrypted ID-Token in return.
+ ///
The received ID-Token shall be validated with HSM rule 'rr0'. The resulting HSM-ID-Token shall be added to the user session.
+ ///
+ ///
The authorization service shall further validate the ID-token against the stored nonce (from a preceding _getNonce_ operation)
+ ///
and the client attestation:
+ ///
- _clientAttest_ is valid if
+ ///
- signature is valid
+ ///
- "exp" expiration_time is a timestamp 20 minutes in the future "iat".
+ ///
- user has role as in "Allowed usergroups for Authorization SMC-B" (from signature cert)
+ ///
- stored nonce shall not be outdated
+ ///
- stored nonce shall match client attestation nonce
+ ///
- Telematik-Id of client attestation (from signature cert) shall match the telematik-id claim of the ID-Token
+ ///
+ ///
The user session of the client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The nonce shall be discarded, i.e. reuse of a client attestation for user session establishment shall be rejected.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service which are not mapped to 500 internal Server error |
+ ///
| No or outdated nonce | 409 | statusMismatch | No preceding _getNonce_ call or stored nonce outdated/invalid |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The nonce is discarded ||
+ ///
| User session has valid HSM-ID-Token for requesting client (telematik-id) | successful operation only |
+ ///
| User session and temporary data is deleted | failed operation only |
+ ///
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task SendAuthCodeSCAsync(SendAuthCodeSCtype body, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (body == null)
+ throw new System.ArgumentNullException("body");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ var json_ = System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(body, JsonSerializerSettings);
+ var content_ = new System.Net.Http.ByteArrayContent(json_);
+ content_.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json");
+ request_.Content = content_;
+ request_.Method = new System.Net.Http.HttpMethod("POST");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/authz/v1/send_authcode_sc"
+ urlBuilder_.Append("epa/authz/v1/send_authcode_sc");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Bad Request", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (getFreshnessParameter) Get freshness parameter for a bearer token
+ ///
+ ///
+ /// Get a new freshness parameter for a new bearer token for the authorization by bearer token.
+ ///
+ ///
**Client**</br>
+ ///
The ePrescription backend shall use the freshness parameter for a signed JWT (bearer token) according to requirement gemSpec_Aktensystem_ePAfuerAlle, A_25165*.
+ ///
+ ///
**Provider**</br>
+ ///
The returned freshness parameter shall follow the requirements in gemSpec_Krypt, A_24658* and be verifiable by HSM rule 'rr0'.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task GetFreshnessParameterAsync(string x_useragent)
+ {
+ return GetFreshnessParameterAsync(x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getFreshnessParameter) Get freshness parameter for a bearer token
+ ///
+ ///
+ /// Get a new freshness parameter for a new bearer token for the authorization by bearer token.
+ ///
+ ///
**Client**</br>
+ ///
The ePrescription backend shall use the freshness parameter for a signed JWT (bearer token) according to requirement gemSpec_Aktensystem_ePAfuerAlle, A_25165*.
+ ///
+ ///
**Provider**</br>
+ ///
The returned freshness parameter shall follow the requirements in gemSpec_Krypt, A_24658* and be verifiable by HSM rule 'rr0'.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task GetFreshnessParameterAsync(string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/authz/v1/freshness"
+ urlBuilder_.Append("epa/authz/v1/freshness");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (sendAuthorizationRequestBearerToken) Client authorization based on JWT authorization grant.
+ ///
+ ///
+ /// Authorization of the ePrescription backend (E-Rezept-Fachdienst).
+ ///
+ ///
**Client**</br>
+ ///
The ePrescription backend shall send a signed JWT (bearerToken) according to requirement gemSpec_Aktensystem_ePAfuerAlle, A_25165*.
+ ///
The token shall contain a fresh parameter (see: _getFreshnessParameter_).
+ ///
+ ///
**Provider**</br>
+ ///
The received token shall be validated with HSM rule 'rr0'. The resulting HSM-ID-Token shall be added to the user session.
+ ///
The received token shall have a claim "sub", this claim shall state the telematik-id of the ePrescription backend.
+ ///
+ ///
The user session of the client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest | also for _bearerToken_ does not match token schema |
+ ///
| Invalid request | 403 | invalAuth | _bearerToken_ is invalid by means of HSM rule 'rr0' or timestamp |
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| authorized user session with HSM-ID-Token for ePrescription backend exists | successful operation only |
+ ///
| user session and temporary data is deleted | failed operation only |
+ ///
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task SendAuthorizationRequestBearerTokenAsync(BearerTokenType body, string x_useragent)
+ {
+ return SendAuthorizationRequestBearerTokenAsync(body, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthorizationRequestBearerToken) Client authorization based on JWT authorization grant.
+ ///
+ ///
+ /// Authorization of the ePrescription backend (E-Rezept-Fachdienst).
+ ///
+ ///
**Client**</br>
+ ///
The ePrescription backend shall send a signed JWT (bearerToken) according to requirement gemSpec_Aktensystem_ePAfuerAlle, A_25165*.
+ ///
The token shall contain a fresh parameter (see: _getFreshnessParameter_).
+ ///
+ ///
**Provider**</br>
+ ///
The received token shall be validated with HSM rule 'rr0'. The resulting HSM-ID-Token shall be added to the user session.
+ ///
The received token shall have a claim "sub", this claim shall state the telematik-id of the ePrescription backend.
+ ///
+ ///
The user session of the client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest | also for _bearerToken_ does not match token schema |
+ ///
| Invalid request | 403 | invalAuth | _bearerToken_ is invalid by means of HSM rule 'rr0' or timestamp |
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| authorized user session with HSM-ID-Token for ePrescription backend exists | successful operation only |
+ ///
| user session and temporary data is deleted | failed operation only |
+ ///
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task SendAuthorizationRequestBearerTokenAsync(BearerTokenType body, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (body == null)
+ throw new System.ArgumentNullException("body");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ var json_ = System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(body, JsonSerializerSettings);
+ var content_ = new System.Net.Http.ByteArrayContent(json_);
+ content_.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json");
+ request_.Content = content_;
+ request_.Method = new System.Net.Http.HttpMethod("POST");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/authz/v1/send_authorization_request_bearertoken"
+ urlBuilder_.Append("epa/authz/v1/send_authorization_request_bearertoken");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Bad Request", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (sendAuthorizationRequestFdV) Send authorization request
+ ///
+ ///
+ /// Sends an authorization request to the authorization service.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use parameter _x-authorize_representative_ for the "Authorize Representative" use case,
+ ///
a login of a user on not owned device for representative entitlement only.
+ ///
The _x-authorize-representative_ parameter will force an authentication of the user with egK + pin only and limit the possible operations to entitlement management only.
+ ///
A client shall use the returned redirect url to invoke the authenticator. <br/>
+ ///
+ ///
A client shall use parameter _x-authorize-egk_ for a login in guest mode with egk and pin, e.g. of a validation identity
+ ///
(i.e. "Prüfkarte eGK"), forcing the authorization service to request an authentication at the identity provider
+ ///
in guest mode (eGK + pin).
+ ///
A client shall use the returned redirect url to invoke the authenticator.
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization service shall send a pushed authorization request (PAR) to the IDP (see: find more details).
+ ///
+ ///
The _redirect_uri_ parameter of the PAR shall be set to a predefined value when operation parameter
+ ///
_x-redirecturi_ is not present, else the content of _x-redirecturi_ shall be used (according to A_25717-*).
+ ///
+ ///
The authorize representative situation (_x-authorize-representative_ == _true_) shall be kept for the subsequent
+ ///
_sendAuthCodeFdV_ and device management operations.
+ ///
+ ///
For the _x-authorize-representative_ and the _x-authorize-egk_ case the PAR for the IDP shall include:
+ ///
- amr = urn:telematik:auth:guest:eGK
+ ///
+ ///
_x-authorize-representative_ and _x-authorize-egk_ both should not be set to _true_ at the same time.
+ ///
+ ///
This operation shall be rejected if the corresponding user session is already authorized. Repeated authorization
+ ///
attempts are not supported.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 302 |||
+ ///
| Request does not match schema | 400 | malformedRequest | also if both "x-authorize"-parameters are set to _true_ |
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
+ ///
| unregistered redirecturi | 403 | invalRedir | redirecturi in _x-redirecturi_ is not known, registration required |
+ ///
| Invalid URI (x-idp-iss) | 404 | noResource | |
+ ///
| Repeated authorization attempt | 409 | statusMismatch | when user session is already authorized only |
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| _authorize_representative_ kept for subsequent _sendAuthCodeFdV_ evaluation | if applicable |
+ ///
+ /// The issuer Identifier (URL) of the IDP to be used for user authentication
+ /// This parameter shall be absent or set to _true_ to indicate an authorization request without epa device management registration checks.
+ /// This parameter shall be absent or set to _true_ to indicate an authorization request in guest mode with egk + pin e.g. for validation identities.
+ /// An optional redirecturi (URL) to be used in PAR for redirection of the authorizationcode. The redirecturi must be registered as valid on the epa application server (entity statement)
+ /// user agent information
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task SendAuthorizationRequestFdVAsync(string x_idp_iss, bool? x_authorize_representative, bool? x_authorize_egk, string x_redirecturi, string x_useragent)
+ {
+ return SendAuthorizationRequestFdVAsync(x_idp_iss, x_authorize_representative, x_authorize_egk, x_redirecturi, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthorizationRequestFdV) Send authorization request
+ ///
+ ///
+ /// Sends an authorization request to the authorization service.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use parameter _x-authorize_representative_ for the "Authorize Representative" use case,
+ ///
a login of a user on not owned device for representative entitlement only.
+ ///
The _x-authorize-representative_ parameter will force an authentication of the user with egK + pin only and limit the possible operations to entitlement management only.
+ ///
A client shall use the returned redirect url to invoke the authenticator. <br/>
+ ///
+ ///
A client shall use parameter _x-authorize-egk_ for a login in guest mode with egk and pin, e.g. of a validation identity
+ ///
(i.e. "Prüfkarte eGK"), forcing the authorization service to request an authentication at the identity provider
+ ///
in guest mode (eGK + pin).
+ ///
A client shall use the returned redirect url to invoke the authenticator.
+ ///
+ ///
**Provider**:</br>
+ ///
The authorization service shall send a pushed authorization request (PAR) to the IDP (see: find more details).
+ ///
+ ///
The _redirect_uri_ parameter of the PAR shall be set to a predefined value when operation parameter
+ ///
_x-redirecturi_ is not present, else the content of _x-redirecturi_ shall be used (according to A_25717-*).
+ ///
+ ///
The authorize representative situation (_x-authorize-representative_ == _true_) shall be kept for the subsequent
+ ///
_sendAuthCodeFdV_ and device management operations.
+ ///
+ ///
For the _x-authorize-representative_ and the _x-authorize-egk_ case the PAR for the IDP shall include:
+ ///
- amr = urn:telematik:auth:guest:eGK
+ ///
+ ///
_x-authorize-representative_ and _x-authorize-egk_ both should not be set to _true_ at the same time.
+ ///
+ ///
This operation shall be rejected if the corresponding user session is already authorized. Repeated authorization
+ ///
attempts are not supported.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 302 |||
+ ///
| Request does not match schema | 400 | malformedRequest | also if both "x-authorize"-parameters are set to _true_ |
+ ///
| Invalid request | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
+ ///
| unregistered redirecturi | 403 | invalRedir | redirecturi in _x-redirecturi_ is not known, registration required |
+ ///
| Invalid URI (x-idp-iss) | 404 | noResource | |
+ ///
| Repeated authorization attempt | 409 | statusMismatch | when user session is already authorized only |
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| _authorize_representative_ kept for subsequent _sendAuthCodeFdV_ evaluation | if applicable |
+ ///
+ /// The issuer Identifier (URL) of the IDP to be used for user authentication
+ /// This parameter shall be absent or set to _true_ to indicate an authorization request without epa device management registration checks.
+ /// This parameter shall be absent or set to _true_ to indicate an authorization request in guest mode with egk + pin e.g. for validation identities.
+ /// An optional redirecturi (URL) to be used in PAR for redirection of the authorizationcode. The redirecturi must be registered as valid on the epa application server (entity statement)
+ /// user agent information
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task SendAuthorizationRequestFdVAsync(string x_idp_iss, bool? x_authorize_representative, bool? x_authorize_egk, string x_redirecturi, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_idp_iss == null)
+ throw new System.ArgumentNullException("x_idp_iss");
+ request_.Headers.TryAddWithoutValidation("x-idp-iss", ConvertToString(x_idp_iss, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_authorize_representative != null)
+ request_.Headers.TryAddWithoutValidation("x-authorize-representative", ConvertToString(x_authorize_representative, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_authorize_egk != null)
+ request_.Headers.TryAddWithoutValidation("x-authorize-egk", ConvertToString(x_authorize_egk, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_redirecturi != null)
+ request_.Headers.TryAddWithoutValidation("x-redirecturi", ConvertToString(x_redirecturi, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/authz/v1/send_authorization_request_fdv"
+ urlBuilder_.Append("epa/authz/v1/send_authorization_request_fdv");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 302)
+ {
+ string responseText_ = ( response_.Content == null ) ? string.Empty : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("Found", status_, responseText_, headers_, null);
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Bad Request", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+
+ if (status_ == 200 || status_ == 204)
+ {
+
+ return;
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (sendAuthCodeFdV) Send authorization code
+ ///
+ ///
+ /// Send the authorization code to the authorization service to complete the login and (optional)
+ ///
verify the device registration.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall always send the authorization code received from the authenticator / IDP. <br/>
+ ///
+ ///
A client shall send both, _x-device-identifier_ and _x-device-token_, on login to the home system
+ ///
of the user for proof of a registered device.
+ ///
+ ///
If the user has a device registration in another home system, then a device attestation from his home
+ ///
system must be used and a client shall submit _x-device-attestation_ (instead of _x-device-identifier_
+ ///
and _x-device-token_). A client can obtain a device attestation from the home system via a
+ ///
_getDeviceAttestation_ operation call.
+ ///
+ ///
A client shall not send _x-device-identifier_ and _x-device-token_ or even _x-device-attestation_
+ ///
(suppress parameters at all) if the device is not yet registered and confirmed or if the preceding
+ ///
_sendAuthorizationRequestFdV_ call includes the parameter _x-authorize_representative_ == _true_.
+ ///
+ ///
(For registration of a new device, including confirmation of the registration, see Device Management
+ ///
Service operations _registerDevice_ and _confirmDevice_).
+ ///
+ ///
+ ///
**Provider**:</br>
+ ///
The provided authorization code shall be exchanged for an ID-Token with the IDP. The ID-Token shall be converted
+ ///
into a HSM-ID-Token with an extended validity period.
+ ///
+ ///
Device verification - home system:</br>
+ ///
If _x-device-identifier_ and _x-device-token_ are both submitted the device verification starts immediately after
+ ///
the authorization completion.
+ ///
Device identifier and -token shall be verified with the registered values.
+ ///
The x-device-identifier / x-device-token check shall only consider device registrations for the authorized user.
+ ///
+ ///
Device verification - other than home system:</br>
+ ///
If _x-device-attestation_ is submitted the device verification starts immediately after the authorization completion.
+ ///
The authorization service shall accept a device attestation in case
+ ///
- signature is valid
+ ///
- "exp" expiration_time is a timestamp 120 minutes in the future "iat".
+ ///
- current time is greater or equal than 'iat' and less than 'exp' with 15 seconds tolerance ('iat' - 15s <= current time < 'exp' + 15s).
+ ///
- claim _actorId_ from device attestation matches kvnr of ID-Token or HSM-ID-Token.
+ ///
+ ///
If the device attestation is valid by signature and time, and the KVNR submitted in device attestation matches the
+ ///
KVNR of the authorized user the authorization service shall accept the device registration.
+ ///
+ ///
On success (ID-Token / HSM-ID-Token received and device binding check successful) a new user session shall be instantiated,
+ ///
associated to the HSM-ID-Token.
+ ///
+ ///
If device verification succeeds, access to all services of a health record shall be possible for the associated
+ ///
user session.
+ ///
if x-authorize-representative is set, access to the user's health record entitlement management only shall be
+ ///
possible for the user session.
+ ///
In all other (success cases) access of the user session shall be limited to the device management service.
+ ///
+ ///
The user session of a client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Only _x-device-identifier_ or _x-device-token_ provided | 400 | paramExcpected | both parameters required or none |
+ ///
| (_x-device-identifier_ and/or _x-device-token_) and _x-device-attestation_ provided | 400 | paramExcpected | use only registration of home system, another system or none (yet unregistered device) |
+ ///
| _authorize_representative_ is set and _x-device-identifier_ and/or _x-device-token_ and/or x-device-attestation_ provided | 400 | authorizeRep | _x-authorize_representative_ from preceding sendAuthorizationRequestFdV |
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| _authorizationCode_ not valid | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
+ ///
| Wrong _x-device-token_ | 403 | invalidToken | if both parameters avaiable and allowed|
+ ///
| Invalid _x-device-attestation_ | 403 | invalSignature ||
+ ///
| Device registration does not exist (_x-device-identifier_)| 404| noResource | also if device is not associated to requestor kvnr |
+ ///
| Device registration not confirmed (_status_ == _pending_) | 409 | statusMismatch | confirm pending device registration before retry |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| user session has valid HSM-ID-Token | successful operation only |
+ ///
| user session contains device verification result | successful operation with device parameters only |
+ ///
| _lastUse_ of device registration is updated to current time | successful operation with device parameters only |
+ ///
| user session and temporary data is deleted | failed operation only |
+ ///
+ /// The deviceidentifier of a device registration
+ /// The devicetoken of a device registration
+ /// The deviceAttestation of a device registration
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task SendAuthCodeFdVAsync(System.Guid? x_device_identifier, string x_device_token, DeviceAttestationType x_device_attestation, SendAuthCodeFdVtype body, string x_useragent)
+ {
+ return SendAuthCodeFdVAsync(x_device_identifier, x_device_token, x_device_attestation, body, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (sendAuthCodeFdV) Send authorization code
+ ///
+ ///
+ /// Send the authorization code to the authorization service to complete the login and (optional)
+ ///
verify the device registration.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall always send the authorization code received from the authenticator / IDP. <br/>
+ ///
+ ///
A client shall send both, _x-device-identifier_ and _x-device-token_, on login to the home system
+ ///
of the user for proof of a registered device.
+ ///
+ ///
If the user has a device registration in another home system, then a device attestation from his home
+ ///
system must be used and a client shall submit _x-device-attestation_ (instead of _x-device-identifier_
+ ///
and _x-device-token_). A client can obtain a device attestation from the home system via a
+ ///
_getDeviceAttestation_ operation call.
+ ///
+ ///
A client shall not send _x-device-identifier_ and _x-device-token_ or even _x-device-attestation_
+ ///
(suppress parameters at all) if the device is not yet registered and confirmed or if the preceding
+ ///
_sendAuthorizationRequestFdV_ call includes the parameter _x-authorize_representative_ == _true_.
+ ///
+ ///
(For registration of a new device, including confirmation of the registration, see Device Management
+ ///
Service operations _registerDevice_ and _confirmDevice_).
+ ///
+ ///
+ ///
**Provider**:</br>
+ ///
The provided authorization code shall be exchanged for an ID-Token with the IDP. The ID-Token shall be converted
+ ///
into a HSM-ID-Token with an extended validity period.
+ ///
+ ///
Device verification - home system:</br>
+ ///
If _x-device-identifier_ and _x-device-token_ are both submitted the device verification starts immediately after
+ ///
the authorization completion.
+ ///
Device identifier and -token shall be verified with the registered values.
+ ///
The x-device-identifier / x-device-token check shall only consider device registrations for the authorized user.
+ ///
+ ///
Device verification - other than home system:</br>
+ ///
If _x-device-attestation_ is submitted the device verification starts immediately after the authorization completion.
+ ///
The authorization service shall accept a device attestation in case
+ ///
- signature is valid
+ ///
- "exp" expiration_time is a timestamp 120 minutes in the future "iat".
+ ///
- current time is greater or equal than 'iat' and less than 'exp' with 15 seconds tolerance ('iat' - 15s <= current time < 'exp' + 15s).
+ ///
- claim _actorId_ from device attestation matches kvnr of ID-Token or HSM-ID-Token.
+ ///
+ ///
If the device attestation is valid by signature and time, and the KVNR submitted in device attestation matches the
+ ///
KVNR of the authorized user the authorization service shall accept the device registration.
+ ///
+ ///
On success (ID-Token / HSM-ID-Token received and device binding check successful) a new user session shall be instantiated,
+ ///
associated to the HSM-ID-Token.
+ ///
+ ///
If device verification succeeds, access to all services of a health record shall be possible for the associated
+ ///
user session.
+ ///
if x-authorize-representative is set, access to the user's health record entitlement management only shall be
+ ///
possible for the user session.
+ ///
In all other (success cases) access of the user session shall be limited to the device management service.
+ ///
+ ///
The user session of a client shall be closed and all session related data shall be deleted in case operation is not successful.
+ ///
+ ///
The VAU user preudonym as generated for the vau-channel (see: vau protocol) shall be returned in a successful operation response.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Only _x-device-identifier_ or _x-device-token_ provided | 400 | paramExcpected | both parameters required or none |
+ ///
| (_x-device-identifier_ and/or _x-device-token_) and _x-device-attestation_ provided | 400 | paramExcpected | use only registration of home system, another system or none (yet unregistered device) |
+ ///
| _authorize_representative_ is set and _x-device-identifier_ and/or _x-device-token_ and/or x-device-attestation_ provided | 400 | authorizeRep | _x-authorize_representative_ from preceding sendAuthorizationRequestFdV |
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| _authorizationCode_ not valid | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
+ ///
| Wrong _x-device-token_ | 403 | invalidToken | if both parameters avaiable and allowed|
+ ///
| Invalid _x-device-attestation_ | 403 | invalSignature ||
+ ///
| Device registration does not exist (_x-device-identifier_)| 404| noResource | also if device is not associated to requestor kvnr |
+ ///
| Device registration not confirmed (_status_ == _pending_) | 409 | statusMismatch | confirm pending device registration before retry |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| user session has valid HSM-ID-Token | successful operation only |
+ ///
| user session contains device verification result | successful operation with device parameters only |
+ ///
| _lastUse_ of device registration is updated to current time | successful operation with device parameters only |
+ ///
| user session and temporary data is deleted | failed operation only |
+ ///
+ /// The deviceidentifier of a device registration
+ /// The devicetoken of a device registration
+ /// The deviceAttestation of a device registration
+ /// user agent information
+ /// OK, Successful login
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task SendAuthCodeFdVAsync(System.Guid? x_device_identifier, string x_device_token, DeviceAttestationType x_device_attestation, SendAuthCodeFdVtype body, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (body == null)
+ throw new System.ArgumentNullException("body");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_device_identifier != null)
+ request_.Headers.TryAddWithoutValidation("x-device-identifier", ConvertToString(x_device_identifier, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_device_token != null)
+ request_.Headers.TryAddWithoutValidation("x-device-token", ConvertToString(x_device_token, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_device_attestation != null)
+ request_.Headers.TryAddWithoutValidation("x-device-attestation", ConvertToString(x_device_attestation, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ var json_ = System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(body, JsonSerializerSettings);
+ var content_ = new System.Net.Http.ByteArrayContent(json_);
+ content_.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json");
+ request_.Content = content_;
+ request_.Method = new System.Net.Http.HttpMethod("POST");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/authz/v1/send_authcode_fdv"
+ urlBuilder_.Append("epa/authz/v1/send_authcode_fdv");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Bad Request.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Forbidden", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (logoutFdV) Logout from user session.
+ ///
+ ///
+ /// A logout terminates the associated user session. For any further service usage a new
+ ///
authentication of the user is required.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall perform this explicit logout to close the user session and all
+ ///
health record related activities. For further access a client shall perform a new login, including
+ ///
negotiation of a new VAU-channel.
+ ///
+ ///
**Provider**:</br>
+ ///
The user session of a client shall be closed and all session related
+ ///
data shall be deleted. Associated health record contexts shall be released / closed.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful logout | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The user session and all related temporary data is terminated / deleted | successful operation only |
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task LogoutFdVAsync(string x_useragent)
+ {
+ return LogoutFdVAsync(x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (logoutFdV) Logout from user session.
+ ///
+ ///
+ /// A logout terminates the associated user session. For any further service usage a new
+ ///
authentication of the user is required.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall perform this explicit logout to close the user session and all
+ ///
health record related activities. For further access a client shall perform a new login, including
+ ///
negotiation of a new VAU-channel.
+ ///
+ ///
**Provider**:</br>
+ ///
The user session of a client shall be closed and all session related
+ ///
data shall be deleted. Associated health record contexts shall be released / closed.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful logout | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The user session and all related temporary data is terminated / deleted | successful operation only |
+ ///
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task LogoutFdVAsync(string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/authz/v1/logoutFdV"
+ urlBuilder_.Append("epa/authz/v1/logoutFdV");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 204)
+ {
+ return;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Bad Request", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new AuthorizationServiceException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new AuthorizationServiceException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new AuthorizationServiceException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ protected struct ObjectResponseResult
+ {
+ public ObjectResponseResult(T responseObject, string responseText)
+ {
+ this.Object = responseObject;
+ this.Text = responseText;
+ }
+
+ public T Object { get; }
+
+ public string Text { get; }
+ }
+
+ public bool ReadResponseAsString { get; set; }
+
+ protected virtual async System.Threading.Tasks.Task> ReadObjectResponseAsync(System.Net.Http.HttpResponseMessage response, System.Collections.Generic.IReadOnlyDictionary> headers, System.Threading.CancellationToken cancellationToken)
+ {
+ if (response == null || response.Content == null)
+ {
+ return new ObjectResponseResult(default(T), string.Empty);
+ }
+
+ if (ReadResponseAsString)
+ {
+ var responseText = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+ try
+ {
+ var typedBody = System.Text.Json.JsonSerializer.Deserialize(responseText, JsonSerializerSettings);
+ return new ObjectResponseResult(typedBody, responseText);
+ }
+ catch (System.Text.Json.JsonException exception)
+ {
+ var message = "Could not deserialize the response body string as " + typeof(T).FullName + ".";
+ throw new AuthorizationServiceException(message, (int)response.StatusCode, responseText, headers, exception);
+ }
+ }
+ else
+ {
+ try
+ {
+ using (var responseStream = await response.Content.ReadAsStreamAsync().ConfigureAwait(false))
+ {
+ var typedBody = await System.Text.Json.JsonSerializer.DeserializeAsync(responseStream, JsonSerializerSettings, cancellationToken).ConfigureAwait(false);
+ return new ObjectResponseResult(typedBody, string.Empty);
+ }
+ }
+ catch (System.Text.Json.JsonException exception)
+ {
+ var message = "Could not deserialize the response body stream as " + typeof(T).FullName + ".";
+ throw new AuthorizationServiceException(message, (int)response.StatusCode, string.Empty, headers, exception);
+ }
+ }
+ }
+
+ private string ConvertToString(object value, System.Globalization.CultureInfo cultureInfo)
+ {
+ if (value == null)
+ {
+ return "";
+ }
+
+ if (value is System.Enum)
+ {
+ var name = System.Enum.GetName(value.GetType(), value);
+ if (name != null)
+ {
+ var field = System.Reflection.IntrospectionExtensions.GetTypeInfo(value.GetType()).GetDeclaredField(name);
+ if (field != null)
+ {
+ var attribute = System.Reflection.CustomAttributeExtensions.GetCustomAttribute(field, typeof(System.Runtime.Serialization.EnumMemberAttribute))
+ as System.Runtime.Serialization.EnumMemberAttribute;
+ if (attribute != null)
+ {
+ return attribute.Value != null ? attribute.Value : name;
+ }
+ }
+
+ var converted = System.Convert.ToString(System.Convert.ChangeType(value, System.Enum.GetUnderlyingType(value.GetType()), cultureInfo));
+ return converted == null ? string.Empty : converted;
+ }
+ }
+ else if (value is bool)
+ {
+ return System.Convert.ToString((bool)value, cultureInfo).ToLowerInvariant();
+ }
+ else if (value is byte[])
+ {
+ return System.Convert.ToBase64String((byte[]) value);
+ }
+ else if (value is string[])
+ {
+ return string.Join(",", (string[])value);
+ }
+ else if (value.GetType().IsArray)
+ {
+ var valueArray = (System.Array)value;
+ var valueTextArray = new string[valueArray.Length];
+ for (var i = 0; i < valueArray.Length; i++)
+ {
+ valueTextArray[i] = ConvertToString(valueArray.GetValue(i), cultureInfo);
+ }
+ return string.Join(",", valueTextArray);
+ }
+
+ var result = System.Convert.ToString(value, cultureInfo);
+ return result == null ? "" : result;
+ }
+ }
+
+ ///
+ /// "A JSON Web Token (JWT) with following format build according to RFC-7515:</br>
+ ///
base64url (protected_header) + '.' + base64url (payload) + '.' + base64url (signature)"</br>
+ ///
Content for device attestation:</br>
+ ///
- protected_header contains:
+ ///
- "typ": "JWT"
+ ///
- "alg": "ES256"
+ ///
- "x5c": signature certificate (C.FD.SIG)
+ ///
- payload claims:
+ ///
- "iat" issued_at is the timestamp of the time of issue.
+ ///
- "exp" expiration_time is a timestamp 120 minutes in the future "iat".
+ ///
- "actorId": KVNR
+ ///
- signature contains token signature
+ ///
+ ///
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class DeviceAttestationType
+ {
+
+ [System.Text.Json.Serialization.JsonPropertyName("jwt")]
+ public string Jwt { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ ///
+ /// Authorization code and client attestation
+ ///
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class SendAuthCodeSCtype
+ {
+
+ [System.Text.Json.Serialization.JsonPropertyName("authorizationCode")]
+ public string AuthorizationCode { get; set; }
+
+ [System.Text.Json.Serialization.JsonPropertyName("clientAttest")]
+ public string ClientAttest { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ ///
+ /// Authorization code
+ ///
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class SendAuthCodeFdVtype
+ {
+
+ [System.Text.Json.Serialization.JsonPropertyName("authorizationCode")]
+ public string AuthorizationCode { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ ///
+ /// Search access-token as received from FHIR Directory
+ ///
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class SearchAccessTokenType
+ {
+
+ [System.Text.Json.Serialization.JsonPropertyName("access_token")]
+ public string Access_token { get; set; }
+
+ [System.Text.Json.Serialization.JsonPropertyName("token_type")]
+ public string Token_type { get; set; }
+
+ [System.Text.Json.Serialization.JsonPropertyName("expires_in")]
+ public int Expires_in { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ ///
+ /// "A JSON Web Token (JWT) with following format build according to RFC-7515:</br>
+ ///
base64url (protected_header) + '.' + base64url (payload) + '.' + base64url (signature)"</br>
+ ///
Content for ePrescription backend bearerToken</br>
+ ///
(expiration time is implicite, HSM rule 'rr0' will reject tokens with 'iat'
+ ///
more than 10 minutes in the past of current time.)</br>
+ ///
- protected_header contains:
+ ///
- "typ": "JWT"
+ ///
- "alg": "ES256"
+ ///
- "x5c": signature certificate c.fd.aut
+ ///
- payload claims:
+ ///
- "type": "ePA-Authentisierung über PKI" (fixed value)
+ ///
- "iat" issued_at is the timestamp of the time of issue.
+ ///
- "challenge": freshness parameter (base64 encoded)
+ ///
- "sub": Telematik-ID ePrescription backend
+ ///
- signature: contains token signature
+ ///
+ ///
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class BearerTokenType
+ {
+
+ [System.Text.Json.Serialization.JsonPropertyName("bearerToken")]
+ public string BearerToken { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ ///
+ /// Error object with additional information about the occurred error
+ ///
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class ErrorType
+ {
+ ///
+ /// Error condition specifier
+ ///
+
+ [System.Text.Json.Serialization.JsonPropertyName("errorCode")]
+ public string ErrorCode { get; set; }
+
+ ///
+ /// Additional details regarding the error condition (if applicable)
+ ///
+
+ [System.Text.Json.Serialization.JsonPropertyName("errorDetail")]
+ public string ErrorDetail { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ ///
+ /// A new nonce
+ ///
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class Response
+ {
+
+ [System.Text.Json.Serialization.JsonPropertyName("nonce")]
+ public string Nonce { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class Response2
+ {
+
+ [System.Text.Json.Serialization.JsonPropertyName("vau-np")]
+ public string VauNp { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class Response3
+ {
+ ///
+ /// A base64 encoded freshness parameter for a bearer token (health record system specific content)
+ ///
+
+ [System.Text.Json.Serialization.JsonPropertyName("freshness")]
+ public byte[] Freshness { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+ [System.CodeDom.Compiler.GeneratedCode("NJsonSchema", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class Response4
+ {
+
+ [System.Text.Json.Serialization.JsonPropertyName("vau-np")]
+ public string VauNp { get; set; }
+
+ [System.Text.Json.Serialization.JsonPropertyName("actorId")]
+ public string ActorId { get; set; }
+
+ [System.Text.Json.Serialization.JsonPropertyName("displayName")]
+ public string DisplayName { get; set; }
+
+ private System.Collections.Generic.IDictionary _additionalProperties;
+
+ [System.Text.Json.Serialization.JsonExtensionData]
+ public System.Collections.Generic.IDictionary AdditionalProperties
+ {
+ get { return _additionalProperties ?? (_additionalProperties = new System.Collections.Generic.Dictionary()); }
+ set { _additionalProperties = value; }
+ }
+
+ }
+
+
+
+ [System.CodeDom.Compiler.GeneratedCode("NSwag", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class AuthorizationServiceException : System.Exception
+ {
+ public int StatusCode { get; private set; }
+
+ public string Response { get; private set; }
+
+ public System.Collections.Generic.IReadOnlyDictionary> Headers { get; private set; }
+
+ public AuthorizationServiceException(string message, int statusCode, string response, System.Collections.Generic.IReadOnlyDictionary> headers, System.Exception innerException)
+ : base(message + "\n\nStatus: " + statusCode + "\nResponse: \n" + ((response == null) ? "(null)" : response.Substring(0, response.Length >= 512 ? 512 : response.Length)), innerException)
+ {
+ StatusCode = statusCode;
+ Response = response;
+ Headers = headers;
+ }
+
+ public override string ToString()
+ {
+ return string.Format("HTTP Response: \n\n{0}\n\n{1}", Response, base.ToString());
+ }
+ }
+
+ [System.CodeDom.Compiler.GeneratedCode("NSwag", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class AuthorizationServiceException : AuthorizationServiceException
+ {
+ public TResult Result { get; private set; }
+
+ public AuthorizationServiceException(string message, int statusCode, string response, System.Collections.Generic.IReadOnlyDictionary> headers, TResult result, System.Exception innerException)
+ : base(message, statusCode, response, headers, innerException)
+ {
+ Result = result;
+ }
+ }
+
+}
+
+#pragma warning restore 108
+#pragma warning restore 114
+#pragma warning restore 472
+#pragma warning restore 612
+#pragma warning restore 1573
+#pragma warning restore 1591
+#pragma warning restore 8073
+#pragma warning restore 3016
+#pragma warning restore 8600
+#pragma warning restore 8602
+#pragma warning restore 8603
+#pragma warning restore 8604
+#pragma warning restore 8625
\ No newline at end of file
diff --git a/lib-vau-csharp-test/EpaApiClients/Auth/nswag.json b/lib-vau-csharp-test/EpaApiClients/Auth/nswag.json
new file mode 100644
index 0000000..920512d
--- /dev/null
+++ b/lib-vau-csharp-test/EpaApiClients/Auth/nswag.json
@@ -0,0 +1,57 @@
+{
+ "runtime": "net80",
+ "documentGenerator": {
+ "fromDocument": {
+ "url": "https://raw.githubusercontent.com/gematik/ePA-Basic/refs/heads/ePA-3.0.5/src/openapi/I_Authorization_Service.yaml",
+ "newLineBehavior": "Auto"
+ }
+ },
+ "codeGenerators": {
+ "openApiToCSharpClient": {
+ "generateClientClasses": true,
+ "generateDtoTypes": true,
+ "injectHttpClient": true,
+ "disposeHttpClient": false,
+ "generateExceptionClasses": true,
+ "exceptionClass": "AuthorizationServiceException",
+ "wrapDtoExceptions": true,
+ "useHttpClientCreationMethod": false,
+ "httpClientType": "System.Net.Http.HttpClient",
+ "useHttpRequestMessageCreationMethod": false,
+ "useBaseUrl": false,
+ "generateBaseUrlProperty": false,
+ "generateSyncMethods": false,
+ "exposeJsonSerializerSettings": false,
+ "generateClientInterfaces": true,
+ "clientClassAccessModifier": "public",
+ "typeAccessModifier": "public",
+ "generateContractsOutput": false,
+ "parameterDateTimeFormat": "s",
+ "generateUpdateJsonSerializerSettingsMethod": true,
+ "serializeTypeInformation": false,
+ "queryNullValue": "",
+ "className": "AuthorizationServiceClient",
+ "operationGenerationMode": "MultipleClientsFromOperationId",
+ "generateOptionalParameters": false,
+ "generateJsonMethods": false,
+ "wrapResponses": false,
+ "generateResponseClasses": true,
+ "responseClass": "AuthorizationServiceResponse",
+ "requiredPropertiesMustBeDefined": true,
+ "dateType": "System.DateTime",
+ "dateTimeType": "System.DateTime",
+ "timeType": "System.TimeSpan",
+ "timeSpanType": "System.TimeSpan",
+ "generateDefaultValues": true,
+ "generateDataAnnotations": false,
+ "excludedTypeNames": [],
+ "handleReferences": false,
+ "namespace": "lib_vau_csharp_test.EpaApiClients.Auth",
+ "generateImmutableArrayProperties": false,
+ "generateImmutableDictionaryProperties": false,
+ "output": "AuthorizationServiceClient.cs",
+ "jsonLibrary": "SystemTextJson",
+ "jsonSerializerSettingsTransformationMethod": null
+ }
+ }
+}
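Review bot: The `fromDocument.url` in this generator config points at a mutable branch ref (`refs/heads/ePA-3.0.5`), so re-running NSwag can silently produce a different `AuthorizationServiceClient.cs` than the one committed alongside it, with no way to tell which spec revision the checked-in client reflects. Pinning the spec to an immutable revision keeps the generated client reproducible and reviewable, e.g. `"url": "https://raw.githubusercontent.com/gematik/ePA-Basic/<commit-sha-placeholder>/src/openapi/I_Authorization_Service.yaml"`. It may also be worth recording the resolved spec revision (or a checksum of the downloaded YAML) next to this file, since the generated header only names the NSwag toolchain version, not the input document.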
diff --git a/lib-vau-csharp-test/EpaApiClients/EntitlementManagement/EntitlementManagementClient.cs b/lib-vau-csharp-test/EpaApiClients/EntitlementManagement/EntitlementManagementClient.cs
new file mode 100644
index 0000000..d57a2d3
--- /dev/null
+++ b/lib-vau-csharp-test/EpaApiClients/EntitlementManagement/EntitlementManagementClient.cs
@@ -0,0 +1,3557 @@
+//----------------------
+//
+// Generated using the NSwag toolchain v14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0)) (http://NSwag.org)
+//
+//----------------------
+
+#pragma warning disable 108 // Disable "CS0108 '{derivedDto}.ToJson()' hides inherited member '{dtoBase}.ToJson()'. Use the new keyword if hiding was intended."
+#pragma warning disable 114 // Disable "CS0114 '{derivedDto}.RaisePropertyChanged(String)' hides inherited member 'dtoBase.RaisePropertyChanged(String)'. To make the current member override that implementation, add the override keyword. Otherwise add the new keyword."
+#pragma warning disable 472 // Disable "CS0472 The result of the expression is always 'false' since a value of type 'Int32' is never equal to 'null' of type 'Int32?'
+#pragma warning disable 612 // Disable "CS0612 '...' is obsolete"
+#pragma warning disable 649 // Disable "CS0649 Field is never assigned to, and will always have its default value null"
+#pragma warning disable 1573 // Disable "CS1573 Parameter '...' has no matching param tag in the XML comment for ...
+#pragma warning disable 1591 // Disable "CS1591 Missing XML comment for publicly visible type or member ..."
+#pragma warning disable 8073 // Disable "CS8073 The result of the expression is always 'false' since a value of type 'T' is never equal to 'null' of type 'T?'"
+#pragma warning disable 3016 // Disable "CS3016 Arrays as attribute arguments is not CLS-compliant"
+#pragma warning disable 8600 // Disable "CS8600 Converting null literal or possible null value to non-nullable type"
+#pragma warning disable 8602 // Disable "CS8602 Dereference of a possibly null reference"
+#pragma warning disable 8603 // Disable "CS8603 Possible null reference return"
+#pragma warning disable 8604 // Disable "CS8604 Possible null reference argument for parameter"
+#pragma warning disable 8625 // Disable "CS8625 Cannot convert null literal to non-nullable reference type"
+#pragma warning disable 8765 // Disable "CS8765 Nullability of type of parameter doesn't match overridden member (possibly because of nullability attributes)."
+
+namespace lib_vau_csharp_test.EpaApiClients.EntitlementManagement
+{
+ using System = global::System;
+
+ [System.CodeDom.Compiler.GeneratedCode("NSwag", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial interface IEntitlementManagementClient
+ {
+ ///
+ /// (getEntitlements) Get a list of all granted entitlements, their related user and validity period
+ ///
+ ///
+ /// Get a list of actual granted entitlements of the health record.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Provider**:</br>
+ ///
The returned list shall contain only entitlements not expired (_validTo_).</br>
+ ///
+ ///
The operation shall NOT consider the static entitlements for a response (even if stored
+ ///
in SecureAdminStorage).
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK. Returns a list of all entitlements
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetEntitlementsAsync(string x_insurantid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getEntitlements) Get a list of all granted entitlements, their related user and validity period
+ ///
+ ///
+ /// Get a list of actual granted entitlements of the health record.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Provider**:</br>
+ ///
The returned list shall contain only entitlements not expired (_validTo_).</br>
+ ///
+ ///
The operation shall NOT consider the static entitlements for a response (even if stored
+ ///
in SecureAdminStorage).
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK. Returns a list of all entitlements
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetEntitlementsAsync(string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (setEntitlement) Set a single entitlement
+ ///
+ ///
+ /// This operation sets a new entitlement for a health record user. Entitlements refer to a specific
+ ///
user, identified by its telematik-id or kvnr and grant access to the health record for a specified
+ ///
period of time.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall apply a date-time of 9999-12-31T00:00:00.000Z to the _validTo_ claim of a request for unlimited
+ ///
entitlements.</br>
+ ///
A client shall (mandatory) apply a date-time of 9999-12-31T00:00:00Z to the _validTo_ claim of a request if the
+ ///
entitlement addresses a user identified by a kvnr (representative).</br>
+ ///
A client shall (mandatory) apply a date-time of 9999-12-31T00:00:00Z to the _validTo_ claim of a request if the
+ ///
entitlement addresses a DiGA (oid_diga).</br>
+ ///
A client shall (mandatory) apply an email address for notification if a _new_
+ ///
entitlement addresses a user identified by a kvnr (representative).</br>
+ ///
A client shall delete an assignment of the Blocked User Policy associated to the addressee of this
+ ///
entitlement request first (entitlement is applicable for non-blocked users only).
+ ///
+ ///
**Provider**:</br>
+ ///
The received JWT shall be passed to the HSM for entitlement verification, using rule _rr1_
+ ///
if requestor is the insurant and using rule _rr2_ if requestor is a representative (requestor
+ ///
kvnr != health record identifier).
+ ///
+ ///
The HSM rules verify JWT signature, _actorID_, _kvnr_ (associated health record) and claim
+ ///
in a CMAC secured result _actorId_, _kvnr_ and _validTo_.
+ ///
+ ///
The CMAC secured result shall be completed with the following data:
+ ///
- _oid_ of the entitled user (from JWT)
+ ///
- _displayName_ of the entitled user (from JWT)
+ ///
- _issued-at_ current system time
+ ///
- _issued-actorId_ of requestor (from request context)
+ ///
- _issued-displayName_ of requestor (from request context)
+ ///
+ ///
The completed entitlement shall be stored, encrypted by SecureAdminStorageKey of the health record.</br>
+ ///
Existing entitlements (same _actorId_ and _oid_, _displayName_ ignored) shall automatically be replaced by the completed entitlement.
+ ///
+ ///
The completed entitlement shall NOT be stored and cause operation abortion in cases:
+ ///
- request claims _actorId_ which is _actorId_ of a static entitlement
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _validTo_ is not equal 9999-12-31T00:00:00Z
+ ///
- request claims _oid_ == oid_diga and _validTo_ is not equal 9999-12-31T00:00:00Z
+ ///
- request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and requestor is not insurant
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter), entitlement is new (i.e. does not replace any existing one) and _email_ is not in request
+ ///
- request claims _validTo_ which is not equal or in the future of current date
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and representative limit already
+ ///
reached and new request does not replace existing one (i.e. requests entitlement for the 6th representative)
+ ///
+ ///
Representative Entitlement:</br>
+ ///
The maximum amount of entitled representatives is five (5). Requests exceeding this limit shall be rejected.
+ ///
A request for a new representative entitlement shall provide (mandatory) a notification mail address
+ ///
of the representative. A notification mail shall be sent to the representative using this mail address
+ ///
for information about the new established representative role for the insurant's health record, including
+ ///
kvnr and name of the insurant. The mail address provision and the notification is optional in case
+ ///
the new entitlement replaces an existing entitlement of the representative, but if address is available a
+ ///
notification shall be sent.<br>
+ ///
The email address shall be discarded after use and shall not be persistet.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| HSM verification failed | 403 | invalidToken ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| request claims _actorId_ which is _actorId_ of a static entitlement | 409 | invalidActorId ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _validTo_ is not equal 9999-12-31T00:00:00Z | 409 | requestMismatch ||
+ ///
| request claims _oid_ == oid_diga and _validTo_ is not equal 9999-12-31T00:00:00Z | 409 | requestMismatch ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment | 409 | blockedActorId ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and requestor is not insurant | 409 | requestMismatch ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _email_ is not in request | 409 | noMail ||
+ ///
| request claims _validTo_ which is not equal or in the future of current date | 409 | requestMismatch ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and representative limit already reached | 409 | representativeLimit | only if limit is exceeded |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The valid and completed entitlement is stored in SecureDataStorage | a possible existing entitlement is replaced |
+ ///
| Entitlement notification is sent | if applicable, for representative entitlement only |
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
| The raw-data of the operation is collected and associated to _useragent_ | for any operation result according to gemSpec_Perf UC_A2.2 and UC_A2.5 |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SetEntitlementAsync(Body body, string x_insurantid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (setEntitlement) Set a single entitlement
+ ///
+ ///
+ /// This operation sets a new entitlement for a health record user. Entitlements refer to a specific
+ ///
user, identified by its telematik-id or kvnr and grant access to the health record for a specified
+ ///
period of time.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall apply a date-time of 9999-12-31T00:00:00.000Z to the _validTo_ claim of a request for unlimited
+ ///
entitlements.</br>
+ ///
A client shall (mandatory) apply a date-time of 9999-12-31T00:00:00Z to the _validTo_ claim of a request if the
+ ///
entitlement addresses a user identified by a kvnr (representative).</br>
+ ///
A client shall (mandatory) apply a date-time of 9999-12-31T00:00:00Z to the _validTo_ claim of a request if the
+ ///
entitlement addresses a DiGA (oid_diga).</br>
+ ///
A client shall (mandatory) apply an email address for notification if a _new_
+ ///
entitlement addresses a user identified by a kvnr (representative).</br>
+ ///
A client shall delete an assignment of the Blocked User Policy associated to the addressee of this
+ ///
entitlement request first (entitlement is applicable for non-blocked users only).
+ ///
+ ///
**Provider**:</br>
+ ///
The received JWT shall be passed to the HSM for entitlement verification, using rule _rr1_
+ ///
if requestor is the insurant and using rule _rr2_ if requestor is a representative (requestor
+ ///
kvnr != health record identifier).
+ ///
+ ///
The HSM rules verify JWT signature, _actorID_, _kvnr_ (associated health record) and claim
+ ///
in a CMAC secured result _actorId_, _kvnr_ and _validTo_.
+ ///
+ ///
The CMAC secured result shall be completed with the following data:
+ ///
- _oid_ of the entitled user (from JWT)
+ ///
- _displayName_ of the entitled user (from JWT)
+ ///
- _issued-at_ current system time
+ ///
- _issued-actorId_ of requestor (from request context)
+ ///
- _issued-displayName_ of requestor (from request context)
+ ///
+ ///
The completed entitlement shall be stored, encrypted by SecureAdminStorageKey of the health record.</br>
+ ///
Existing entitlements (same _actorId_ and _oid_, _displayName_ ignored) shall automatically be replaced by the completed entitlement.
+ ///
+ ///
The completed entitlement shall NOT be stored and cause operation abortion in cases:
+ ///
- request claims _actorId_ which is _actorId_ of a static entitlement
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _validTo_ is not equal 9999-12-31T00:00:00Z
+ ///
- request claims _oid_ == oid_diga and _validTo_ is not equal 9999-12-31T00:00:00Z
+ ///
- request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and requestor is not insurant
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter), entitlement is new (i.e. does not replace any existing one) and _email_ is not in request
+ ///
- request claims _validTo_ which is not equal or in the future of current date
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and representative limit already
+ ///
reached and new request does not replace existing one (i.e. requests entitlement for the 6th representative)
+ ///
+ ///
Representative Entitlement:</br>
+ ///
The maximum amount of entitled representatives is five (5). Requests exceeding this limit shall be rejected.
+ ///
A request for a new representative entitlement shall provide (mandatory) a notification mail address
+ ///
of the representative. A notification mail shall be sent to the representative using this mail address
+ ///
for information about the new established representative role for the insurant's health record, including
+ ///
kvnr and name of the insurant. The mail address provision and the notification is optional in case
+ ///
the new entitlement replaces an existing entitlement of the representative, but if address is available a
+ ///
notification shall be sent.<br>
+ ///
The email address shall be discarded after use and shall not be persistet.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| HSM verification failed | 403 | invalidToken ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| request claims _actorId_ which is _actorId_ of a static entitlement | 409 | invalidActorId ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _validTo_ is not equal 9999-12-31T00:00:00Z | 409 | requestMismatch ||
+ ///
| request claims _oid_ == oid_diga and _validTo_ is not equal 9999-12-31T00:00:00Z | 409 | requestMismatch ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment | 409 | blockedActorId ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and requestor is not insurant | 409 | requestMismatch ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _email_ is not in request | 409 | noMail ||
+ ///
| request claims _validTo_ which is not equal or in the future of current date | 409 | requestMismatch ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and representative limit already reached | 409 | representativeLimit | only if limit is exceeded |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The valid and completed entitlement is stored in SecureDataStorage | a possible existing entitlement is replaced |
+ ///
| Entitlement notification is sent | if applicable, for representative entitlement only |
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
| The raw-data of the operation is collected and associated to _useragent_ | for any operation result according to gemSpec_Perf UC_A2.2 and UC_A2.5 |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SetEntitlementAsync(Body body, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (getEntitlement) Get a single specific entitlement
+ ///
+ ///
+ /// Get a specific granted and not expired entitlement of the health record.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The response shall contain the entitlement related to _actorId_ if available
+ ///
+ ///
The operation shall NOT consider the static entitlements for a response (even if stored
+ ///
in SecureAdminStorage).
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Entitlement (_actorId_) does not exist | 404 | noResource | applies also if _actorId_ refers to a static entitlement |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetEntitlementAsync(string actorId, string x_insurantid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getEntitlement) Get a single specific entitlement
+ ///
+ ///
+ /// Get a specific granted and not expired entitlement of the health record.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The response shall contain the entitlement related to _actorId_ if available
+ ///
+ ///
The operation shall NOT consider the static entitlements for a response (even if stored
+ ///
in SecureAdminStorage).
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Entitlement (_actorId_) does not exist | 404 | noResource | applies also if _actorId_ refers to a static entitlement |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetEntitlementAsync(string actorId, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (deleteEntitlement) Delete a single specific entitlement
+ ///
+ ///
+ /// Delete one existing entitlement.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
The client shall not delete static entilements. The client of a representative shall not delete
+ ///
entitlements of other representatives.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed entitlement shall be finally removed from the SecureAdminStorage.</br>
+ ///
Deletion of entitlements addressing a kvnr (actorId = kvnr, oid = oid_versicherter) shall only be
+ ///
successful if requestor is the insurant (kvnr == health record identifier) or the entitled
+ ///
representative (actorId == kvnr of requestor), i.e. a representative shall not delete entitlements
+ ///
of other representatives.</br>
+ ///
Deletion of static entitlements shall not be successful.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Requestor is representative deleting an entitlement of another representative | 403 | accessDenied ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Entitlement to delete does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Parameter _actorId_ refers to a static entitlement| 409 | requestMismatch ||
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The addressed assignment is removed from the associated policy ||
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task DeleteEntitlementAsync(string actorId, string x_insurantid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (deleteEntitlement) Delete a single specific entitlement
+ ///
+ ///
+ /// Delete one existing entitlement.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
The client shall not delete static entilements. The client of a representative shall not delete
+ ///
entitlements of other representatives.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed entitlement shall be finally removed from the SecureAdminStorage.</br>
+ ///
Deletion of entitlements addressing a kvnr (actorId = kvnr, oid = oid_versicherter) shall only be
+ ///
successful if requestor is the insurant (kvnr == health record identifier) or the entitled
+ ///
representative (actorId == kvnr of requestor), i.e. a representative shall not delete entitlements
+ ///
of other representatives.</br>
+ ///
Deletion of static entitlements shall not be successful.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Requestor is representative deleting an entitlement of another representative | 403 | accessDenied ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Entitlement to delete does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Parameter _actorId_ refers to a static entitlement| 409 | requestMismatch ||
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The addressed assignment is removed from the associated policy ||
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ System.Threading.Tasks.Task DeleteEntitlementAsync(string actorId, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (setEntitlementPs) Set a single entitlement with proof of audit evidence
+ ///
+ ///
+ /// Set an entitlement with predefined validity period for the requesting user in a
+ ///
treatment situation.</br>
+ ///
This operation is limited to users of the "Allowed usergroups for entitlements with proof of audit".
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use this operation in a patient presence situation only, i.e. in case
+ ///
the vsdm update service provides a proof of audit as result of a validation procedure
+ ///
of a physical health insurance card (eGK) of the health record owner.
+ ///
+ ///
+ ///
**Provider**:</br>
+ ///
This operation does not require an existing entitlement for the requesting user. Instead,
+ ///
an entitlement for this user shall be the result of this operation.
+ ///
+ ///
The lack of an existing entitlement for this operation is substituted by verifiable
+ ///
evidence (JWT) associated to the health record owner acting as health record owner's explicit
+ ///
permission for the requesting user to establish a new entitlement.
+ ///
+ ///
The operation shall count the number of failed comparison check of _hcv_ values
+ ///
and also _kvnr_ for each user (telematik-id).
+ ///
In case of more than 5 failed comparison checks (5 checks for each counter) within 1 hour
+ ///
the operation shall be aborted.
+ ///
+ ///
The received JWT shall be passed to the HSM for entitlement verification, using rule _rr3_.
+ ///
+ ///
The HSM rule verifies JWT signature, _actorID_, encryption of _kvnr_ (associated health record) and claims
+ ///
in a CMAC secured result _actorId_, _kvnr_ and _validTo_ (_validTo_ is applied by HSM according to
+ ///
user role). HSM verifies also consistence of requestor properties vs claims in JWT signature
+ ///
and audit evidence.
+ ///
+ ///
The entitlement management enforces the requirements for rate limiting.
+ ///
+ ///
The CMAC secured result shall be completed with the following data:
+ ///
- _oid_ of the entitled user (from JWT or request context)
+ ///
- _displayName_ of the entitled user (from JWT or request context)
+ ///
- _issued-at_ current system time
+ ///
- _issued-actorId_ of requestor (from request context)
+ ///
- _issued-displayName_ of requestor (from request context)
+ ///
+ ///
The completed entitlement shall NOT be stored and cause operation abortion in cases:
+ ///
- _oid_ is not in the list of allowed usergroups (role)
+ ///
- _actorId_ is referenced by a Blocked User Policy assignment
+ ///
- _actorId_ is referenced by a Deny List assignment
+ ///
+ ///
- if _enforce_hcv_check_ == true or _hcv_ value of JWT and _hcv_ from hsm rule _rr3_ are both available:
+ ///
- _hcv_ value of JWT does not match _hcv_ from hsm rule _rr3_
+ ///
- _x-insurantid_ does not match _kvnr_ from hsm rule _rr3_
+ ///
+ ///
If an existing and stored entitlement addressing the same user exists and if this stored
+ ///
entitlement indicates a _validTo_ which is in the future of the new entitlement's _validTo_,
+ ///
then the existing entitlement shall be kept, else the completed new entitlement shall be stored,
+ ///
encrypted by SecureAdminStorageKey of the health record.</br>
+ ///
If the new entitlement is stored, a possibly existing entitlement is deleted automatically.</br>
+ ///
All above are success cases for this operation.
+ ///
The response of the operation shall return the current _validTo_ setting as information.
+ ///
+ ///
The addressed user of the request shall be entitled after successful operation.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 || even if an existing entitlement is kept due to longer validity |
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor role is not in the list of allowed usergroups | 403 | invalidOid ||
+ ///
| Token verification failed | 403 | invalidToken ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| hcv value of jwt does not exist | 409 | hcvMissing ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment | 409 | requestMismatch ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Deny List assignment | 409 | requestMismatch ||
+ ///
| Rate limiting | 423 | locked||
+ ///
| to many failed attempts | 423 | locked | _hcv_ check limit |
+ ///
| to many failed attempts | 423 | locked | _kvnr_ check limit |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The valid and completed entitlement is stored in SecureDataStorage | a possible existing entitlement with earlier _validTo_ is replaced |
+ ///
| The user addressed by the new entitlement is entitled | successful operation only |
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
| The raw-data of the operation is collected and associated to _useragent_ | for any operation result according to gemSpec_Perf UC_A2.1 |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created. User is entitled
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SetEntitlementPsAsync(EntitlementRequestType body, string x_insurantid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (setEntitlementPs) Set a single entitlement with proof of audit evidence
+ ///
+ ///
+ /// Set an entitlement with predefined validity period for the requesting user in a
+ ///
treatment situation.</br>
+ ///
This operation is limited to users of the "Allowed usergroups for entitlements with proof of audit".
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use this operation in a patient presence situation only, i.e. in case
+ ///
the vsdm update service provides a proof of audit as result of a validation procedure
+ ///
of a physical health insurance card (eGK) of the health record owner.
+ ///
+ ///
+ ///
**Provider**:</br>
+ ///
This operation does not require an existing entitlement for the requesting user. Instead,
+ ///
an entitlement for this user shall be the result of this operation.
+ ///
+ ///
The lack of an existing entitlement for this operation is substituted by verifiable
+ ///
evidence (JWT) associated to the health record owner acting as health record owner's explicit
+ ///
permission for the requesting user to establish a new entitlement.
+ ///
+ ///
The operation shall count the number of failed comparison check of _hcv_ values
+ ///
and also _kvnr_ for each user (telematik-id).
+ ///
In case of more than 5 failed comparison checks (5 checks for each counter) within 1 hour
+ ///
the operation shall be aborted.
+ ///
+ ///
The received JWT shall be passed to the HSM for entitlement verification, using rule _rr3_.
+ ///
+ ///
The HSM rule verifies JWT signature, _actorID_, encryption of _kvnr_ (associated health record) and claims
+ ///
in a CMAC secured result _actorId_, _kvnr_ and _validTo_ (_validTo_ is applied by HSM according to
+ ///
user role). HSM verifies also consistence of requestor properties vs claims in JWT signature
+ ///
and audit evidence.
+ ///
+ ///
The entitlement management enforces the requirements for rate limiting.
+ ///
+ ///
The CMAC secured result shall be completed with the following data:
+ ///
- _oid_ of the entitled user (from JWT or request context)
+ ///
- _displayName_ of the entitled user (from JWT or request context)
+ ///
- _issued-at_ current system time
+ ///
- _issued-actorId_ of requestor (from request context)
+ ///
- _issued-displayName_ of requestor (from request context)
+ ///
+ ///
The completed entitlement shall NOT be stored and cause operation abortion in cases:
+ ///
- _oid_ is not in the list of allowed usergroups (role)
+ ///
- _actorId_ is referenced by a Blocked User Policy assignment
+ ///
- _actorId_ is referenced by a Deny List assignment
+ ///
+ ///
- if _enforce_hcv_check_ == true or _hcv_ value of JWT and _hcv_ from hsm rule _rr3_ are both available:
+ ///
- _hcv_ value of JWT does not match _hcv_ from hsm rule _rr3_
+ ///
- _x-insurantid_ does not match _kvnr_ from hsm rule _rr3_
+ ///
+ ///
If an existing and stored entitlement addressing the same user exists and if this stored
+ ///
entitlement indicates a _validTo_ which is in the future of the new entitlement's _validTo_,
+ ///
then the existing entitlement shall be kept, else the completed new entitlement shall be stored,
+ ///
encrypted by SecureAdminStorageKey of the health record.</br>
+ ///
If the new entitlement is stored, a possibly existing entitlement is deleted automatically.</br>
+ ///
All above are success cases for this operation.
+ ///
The response of the operation shall return the current _validTo_ setting as information.
+ ///
+ ///
The addressed user of the request shall be entitled after successful operation.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 || even if an existing entitlement is kept due to longer validity |
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor role is not in the list of allowed usergroups | 403 | invalidOid ||
+ ///
| Token verification failed | 403 | invalidToken ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| hcv value of jwt does not exist | 409 | hcvMissing ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment | 409 | requestMismatch ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Deny List assignment | 409 | requestMismatch ||
+ ///
| Rate limiting | 423 | locked||
+ ///
| to many failed attempts | 423 | locked | _hcv_ check limit |
+ ///
| to many failed attempts | 423 | locked | _kvnr_ check limit |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The valid and completed entitlement is stored in SecureDataStorage | a possible existing entitlement with earlier _validTo_ is replaced |
+ ///
| The user addressed by the new entitlement is entitled | successful operation only |
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
| The raw-data of the operation is collected and associated to _useragent_ | for any operation result according to gemSpec_Perf UC_A2.1 |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created. User is entitled
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SetEntitlementPsAsync(EntitlementRequestType body, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (getBlockedUserPolicyAssignments) get a list of blocked users
+ ///
+ ///
+ /// Get a list of actual set assignments of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Provider**:</br>
+ ///
The returned list shall contain only all assignments of the blocked user policy.</br>
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not oid_versicherter_ or _oid_ombudsstelle_| 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Ok. Returns a list of policy assignments
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetBlockedUserPolicyAssignmentsAsync(string x_insurantid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getBlockedUserPolicyAssignments) get a list of blocked users
+ ///
+ ///
+ /// Get a list of actual set assignments of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Provider**:</br>
+ ///
The returned list shall contain only all assignments of the blocked user policy.</br>
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not oid_versicherter_ or _oid_ombudsstelle_| 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Ok. Returns a list of policy assignments
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetBlockedUserPolicyAssignmentsAsync(string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (setBlockedUserPolicyAssignment) add a user to the blocked user policy
+ ///
+ ///
+ /// Set a new assignment for the blocked user policy.</br>
+ ///
The user addressed by the policy assignment can not be entitled by any means, a possibly existing
+ ///
entitlement is lost.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall set assignments for users of the allowed roles for
+ ///
user blocking only.</br>
+ ///
+ ///
**Provider**:</br>
+ ///
A valid new assignment shall be added to the blocked user policy.
+ ///
+ ///
Each new valid assigment shall be extended by a timestamp (_at_ = current date and time)
+ ///
by the server.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ or _oid_ombudsstelle_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| The assignment parameter _oid_ is not in the list of allowd oids | 409 | requestMismatch ||
+ ///
| The assignment does yet exist (same _actorId_) | 409 | requestMismatch | avoid duplicates |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The policy assignment is extended with the timestamp and stored in SecureDataStorage ||
+ ///
| An existing entitlement for the addressed user of the assignment is deleted ||
+ ///
| An eMail is sent to the insurant, including information about the blocked user policy change| if eMail address is available |
+ ///
| A log-entry for the operation exists | all operation results |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SetBlockedUserPolicyAssignmentAsync(BlockedUserPolicyAssignmentType body, string x_insurantid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (setBlockedUserPolicyAssignment) add a user to the blocked user policy
+ ///
+ ///
+ /// Set a new assignment for the blocked user policy.</br>
+ ///
The user addressed by the policy assignment can not be entitled by any means, a possibly existing
+ ///
entitlement is lost.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall set assignments for users of the allowed roles for
+ ///
user blocking only.</br>
+ ///
+ ///
**Provider**:</br>
+ ///
A valid new assignment shall be added to the blocked user policy.
+ ///
+ ///
Each new valid assigment shall be extended by a timestamp (_at_ = current date and time)
+ ///
by the server.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ or _oid_ombudsstelle_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| The assignment parameter _oid_ is not in the list of allowd oids | 409 | requestMismatch ||
+ ///
| The assignment does yet exist (same _actorId_) | 409 | requestMismatch | avoid duplicates |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The policy assignment is extended with the timestamp and stored in SecureDataStorage ||
+ ///
| An existing entitlement for the addressed user of the assignment is deleted ||
+ ///
| An eMail is sent to the insurant, including information about the blocked user policy change| if eMail address is available |
+ ///
| A log-entry for the operation exists | all operation results |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created
+ /// A server side error occurred.
+ System.Threading.Tasks.Task SetBlockedUserPolicyAssignmentAsync(BlockedUserPolicyAssignmentType body, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (getBlockedUserPolicyAssignment) get a particular blocked user
+ ///
+ ///
+ /// Get one particular assignment of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle .
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed assigment shall be returned.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not oid_versicherter_ or _oid_ombudsstelle_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Resource for _telematikid_ does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// TelematikID
+ /// user agent information
+ /// Ok.
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetBlockedUserPolicyAssignmentAsync(string x_insurantid, string telematikid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getBlockedUserPolicyAssignment) get a particular blocked user
+ ///
+ ///
+ /// Get one particular assignment of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle .
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed assigment shall be returned.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not oid_versicherter_ or _oid_ombudsstelle_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Resource for _telematikid_ does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// TelematikID
+ /// user agent information
+ /// Ok.
+ /// A server side error occurred.
+ System.Threading.Tasks.Task GetBlockedUserPolicyAssignmentAsync(string x_insurantid, string telematikid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ ///
+ /// (deleteBlockedUserPolicyAssignment) remove a user from the blocked user policy
+ ///
+ ///
+ /// Delete one existing assignment of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed assigment shall be removed from the policy.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ or _oid_ombudsstelle_| 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Assignment (_telematikid_) does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The addressed assignment is removed from the associated policy ||
+ ///
| An eMail is sent to the insurant, including information about the blocked user policy change| if eMail address is available |
+ ///
| A log-entry for the operation exists | all operation results |
+ ///
+ /// Health Record Identifier.
+ /// TelematikID
+ /// user agent information
+ /// OK. Assignment deleted
+ /// A server side error occurred.
+ System.Threading.Tasks.Task DeleteBlockedUserPolicyAssignmentAsync(string x_insurantid, string telematikid, string x_useragent);
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (deleteBlockedUserPolicyAssignment) remove a user from the blocked user policy
+ ///
+ ///
+ /// Delete one existing assignment of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed assigment shall be removed from the policy.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ or _oid_ombudsstelle_| 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Assignment (_telematikid_) does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The addressed assignment is removed from the associated policy ||
+ ///
| An eMail is sent to the insurant, including information about the blocked user policy change| if eMail address is available |
+ ///
| A log-entry for the operation exists | all operation results |
+ ///
+ /// Health Record Identifier.
+ /// TelematikID
+ /// user agent information
+ /// OK. Assignment deleted
+ /// A server side error occurred.
+ System.Threading.Tasks.Task DeleteBlockedUserPolicyAssignmentAsync(string x_insurantid, string telematikid, string x_useragent, System.Threading.CancellationToken cancellationToken);
+
+ }
+
+ [System.CodeDom.Compiler.GeneratedCode("NSwag", "14.4.0.0 (NJsonSchema v11.3.2.0 (Newtonsoft.Json v13.0.0.0))")]
+ public partial class EntitlementManagementClient : IEntitlementManagementClient
+ {
+ private System.Net.Http.HttpClient _httpClient;
+ private static System.Lazy _settings = new System.Lazy(CreateSerializerSettings, true);
+ private System.Text.Json.JsonSerializerOptions _instanceSettings;
+
+ #pragma warning disable CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+ public EntitlementManagementClient(System.Net.Http.HttpClient httpClient)
+ #pragma warning restore CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+ {
+ _httpClient = httpClient;
+ Initialize();
+ }
+
+ private static System.Text.Json.JsonSerializerOptions CreateSerializerSettings()
+ {
+ var settings = new System.Text.Json.JsonSerializerOptions();
+ UpdateJsonSerializerSettings(settings);
+ return settings;
+ }
+
+ protected System.Text.Json.JsonSerializerOptions JsonSerializerSettings { get { return _instanceSettings ?? _settings.Value; } }
+
+ static partial void UpdateJsonSerializerSettings(System.Text.Json.JsonSerializerOptions settings);
+
+ partial void Initialize();
+
+ partial void PrepareRequest(System.Net.Http.HttpClient client, System.Net.Http.HttpRequestMessage request, string url);
+ partial void PrepareRequest(System.Net.Http.HttpClient client, System.Net.Http.HttpRequestMessage request, System.Text.StringBuilder urlBuilder);
+ partial void ProcessResponse(System.Net.Http.HttpClient client, System.Net.Http.HttpResponseMessage response);
+
+ ///
+ /// (getEntitlements) Get a list of all granted entitlements, their related user and validity period
+ ///
+ ///
+ /// Get a list of actual granted entitlements of the health record.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Provider**:</br>
+ ///
The returned list shall contain only entitlements not expired (_validTo_).</br>
+ ///
+ ///
The operation shall NOT consider the static entitlements for a response (even if stored
+ ///
in SecureAdminStorage).
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK. Returns a list of all entitlements
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task GetEntitlementsAsync(string x_insurantid, string x_useragent)
+ {
+ return GetEntitlementsAsync(x_insurantid, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getEntitlements) Get a list of all granted entitlements, their related user and validity period
+ ///
+ ///
+ /// Get a list of actual granted entitlements of the health record.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Provider**:</br>
+ ///
The returned list shall contain only entitlements not expired (_validTo_).</br>
+ ///
+ ///
The operation shall NOT consider the static entitlements for a response (even if stored
+ ///
in SecureAdminStorage).
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK. Returns a list of all entitlements
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task GetEntitlementsAsync(string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_insurantid == null)
+ throw new System.ArgumentNullException("x_insurantid");
+ request_.Headers.TryAddWithoutValidation("x-insurantid", ConvertToString(x_insurantid, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/basic/api/v1/entitlements"
+ urlBuilder_.Append("epa/basic/api/v1/entitlements");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Bad Request.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new EntitlementManagementException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (setEntitlement) Set a single entitlement
+ ///
+ ///
+ /// This operation sets a new entitlement for a health record user. Entitlements refer to a specific
+ ///
user, identified by its telematik-id or kvnr and grant access to the health record for a specified
+ ///
period of time.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall apply a date-time of 9999-12-31T00:00:00.000Z to the _validTo_ claim of a request for unlimited
+ ///
entitlements.</br>
+ ///
A client shall (mandatory) apply a date-time of 9999-12-31T00:00:00Z to the _validTo_ claim of a request if the
+ ///
entitlement addresses a user identified by a kvnr (representative).</br>
+ ///
A client shall (mandatory) apply a date-time of 9999-12-31T00:00:00Z to the _validTo_ claim of a request if the
+ ///
entitlement addresses a DiGA (oid_diga).</br>
+ ///
A client shall (mandatory) apply an email address for notification if a _new_
+ ///
entitlement addresses a user identified by a kvnr (representative).</br>
+ ///
A client shall delete an assignment of the Blocked User Policy associated to the addressee of this
+ ///
entitlement request first (entitlement is applicable for non-blocked users only).
+ ///
+ ///
**Provider**:</br>
+ ///
The received JWT shall be passed to the HSM for entitlement verification, using rule _rr1_
+ ///
if requestor is the insurant and using rule _rr2_ if requestor is a representative (requestor
+ ///
kvnr != health record identifier).
+ ///
+ ///
The HSM rules verify JWT signature, _actorID_, _kvnr_ (associated health record) and claim
+ ///
in a CMAC secured result _actorId_, _kvnr_ and _validTo_.
+ ///
+ ///
The CMAC secured result shall be completed with the following data:
+ ///
- _oid_ of the entitled user (from JWT)
+ ///
- _displayName_ of the entitled user (from JWT)
+ ///
- _issued-at_ current system time
+ ///
- _issued-actorId_ of requestor (from request context)
+ ///
- _issued-displayName_ of requestor (from request context)
+ ///
+ ///
The completed entitlement shall be stored, encrypted by SecureAdminStorageKey of the health record.</br>
+ ///
Existing entitlements (same _actorId_ and _oid_, _displayName_ ignored) shall automatically be replaced by the completed entitlement.
+ ///
+ ///
The completed entitlement shall NOT be stored and cause operation abortion in cases:
+ ///
- request claims _actorId_ which is _actorId_ of a static entitlement
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _validTo_ is not equal 9999-12-31T00:00:00Z
+ ///
- request claims _oid_ == oid_diga and _validTo_ is not equal 9999-12-31T00:00:00Z
+ ///
- request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and requestor is not insurant
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter), entitlement is new (i.e. does not replace any existing one) and _email_ is not in request
+ ///
- request claims _validTo_ which is not equal or in the future of current date
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and representative limit already
+ ///
reached and new request does not replace existing one (i.e. requests entitlement for the 6th representative)
+ ///
+ ///
Representative Entitlement:</br>
+ ///
The maximum amount of entitled representatives is five (5). Requests exceeding this limit shall be rejected.
+ ///
A request for a new representative entitlement shall provide (mandatory) a notification mail address
+ ///
of the representative. A notification mail shall be sent to the representative using this mail address
+ ///
for information about the new established representative role for the insurant's health record, including
+ ///
kvnr and name of the insurant. The mail address provision and the notification is optional in case
+ ///
the new entitlement replaces an existing entitlement of the representative, but if address is available a
+ ///
notification shall be sent.<br>
+ ///
The email address shall be discarded after use and shall not be persistet.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| HSM verification failed | 403 | invalidToken ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| request claims _actorId_ which is _actorId_ of a static entitlement | 409 | invalidActorId ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _validTo_ is not equal 9999-12-31T00:00:00Z | 409 | requestMismatch ||
+ ///
| request claims _oid_ == oid_diga and _validTo_ is not equal 9999-12-31T00:00:00Z | 409 | requestMismatch ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment | 409 | blockedActorId ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and requestor is not insurant | 409 | requestMismatch ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _email_ is not in request | 409 | noMail ||
+ ///
| request claims _validTo_ which is not equal or in the future of current date | 409 | requestMismatch ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and representative limit already reached | 409 | representativeLimit | only if limit is exceeded |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The valid and completed entitlement is stored in SecureDataStorage | a possible existing entitlement is replaced |
+ ///
| Entitlement notification is sent | if applicable, for representative entitlement only |
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
| The raw-data of the operation is collected and associated to _useragent_ | for any operation result according to gemSpec_Perf UC_A2.2 and UC_A2.5 |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task SetEntitlementAsync(Body body, string x_insurantid, string x_useragent)
+ {
+ return SetEntitlementAsync(body, x_insurantid, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (setEntitlement) Set a single entitlement
+ ///
+ ///
+ /// This operation sets a new entitlement for a health record user. Entitlements refer to a specific
+ ///
user, identified by its telematik-id or kvnr and grant access to the health record for a specified
+ ///
period of time.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall apply a date-time of 9999-12-31T00:00:00.000Z to the _validTo_ claim of a request for unlimited
+ ///
entitlements.</br>
+ ///
A client shall (mandatory) apply a date-time of 9999-12-31T00:00:00Z to the _validTo_ claim of a request if the
+ ///
entitlement addresses a user identified by a kvnr (representative).</br>
+ ///
A client shall (mandatory) apply a date-time of 9999-12-31T00:00:00Z to the _validTo_ claim of a request if the
+ ///
entitlement addresses a DiGA (oid_diga).</br>
+ ///
A client shall (mandatory) apply an email address for notification if a _new_
+ ///
entitlement addresses a user identified by a kvnr (representative).</br>
+ ///
A client shall delete an assignment of the Blocked User Policy associated to the addressee of this
+ ///
entitlement request first (entitlement is applicable for non-blocked users only).
+ ///
+ ///
**Provider**:</br>
+ ///
The received JWT shall be passed to the HSM for entitlement verification, using rule _rr1_
+ ///
if requestor is the insurant and using rule _rr2_ if requestor is a representative (requestor
+ ///
kvnr != health record identifier).
+ ///
+ ///
The HSM rules verify JWT signature, _actorID_, _kvnr_ (associated health record) and claim
+ ///
in a CMAC secured result _actorId_, _kvnr_ and _validTo_.
+ ///
+ ///
The CMAC secured result shall be completed with the following data:
+ ///
- _oid_ of the entitled user (from JWT)
+ ///
- _displayName_ of the entitled user (from JWT)
+ ///
- _issued-at_ current system time
+ ///
- _issued-actorId_ of requestor (from request context)
+ ///
- _issued-displayName_ of requestor (from request context)
+ ///
+ ///
The completed entitlement shall be stored, encrypted by SecureAdminStorageKey of the health record.</br>
+ ///
Existing entitlements (same _actorId_ and _oid_, _displayName_ ignored) shall automatically be replaced by the completed entitlement.
+ ///
+ ///
The completed entitlement shall NOT be stored and cause operation abortion in cases:
+ ///
- request claims _actorId_ which is _actorId_ of a static entitlement
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _validTo_ is not equal 9999-12-31T00:00:00Z
+ ///
- request claims _oid_ == oid_diga and _validTo_ is not equal 9999-12-31T00:00:00Z
+ ///
- request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and requestor is not insurant
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter), entitlement is new (i.e. does not replace any existing one) and _email_ is not in request
+ ///
- request claims _validTo_ which is not equal or in the future of current date
+ ///
- request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and representative limit already
+ ///
reached and new request does not replace existing one (i.e. requests entitlement for the 6th representative)
+ ///
+ ///
Representative Entitlement:</br>
+ ///
The maximum amount of entitled representatives is five (5). Requests exceeding this limit shall be rejected.
+ ///
A request for a new representative entitlement shall provide (mandatory) a notification mail address
+ ///
of the representative. A notification mail shall be sent to the representative using this mail address
+ ///
for information about the new established representative role for the insurant's health record, including
+ ///
kvnr and name of the insurant. The mail address provision and the notification is optional in case
+ ///
the new entitlement replaces an existing entitlement of the representative, but if address is available a
+ ///
notification shall be sent.<br>
+ ///
The email address shall be discarded after use and shall not be persistet.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| HSM verification failed | 403 | invalidToken ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| request claims _actorId_ which is _actorId_ of a static entitlement | 409 | invalidActorId ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _validTo_ is not equal 9999-12-31T00:00:00Z | 409 | requestMismatch ||
+ ///
| request claims _oid_ == oid_diga and _validTo_ is not equal 9999-12-31T00:00:00Z | 409 | requestMismatch ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment | 409 | blockedActorId ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and requestor is not insurant | 409 | requestMismatch ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and _email_ is not in request | 409 | noMail ||
+ ///
| request claims _validTo_ which is not equal or in the future of current date | 409 | requestMismatch ||
+ ///
| request claims _actorId_ == kvnr (_oid_ == oid_versicherter) and representative limit already reached | 409 | representativeLimit | only if limit is exceeded |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The valid and completed entitlement is stored in SecureDataStorage | a possible existing entitlement is replaced |
+ ///
| Entitlement notification is sent | if applicable, for representative entitlement only |
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
| The raw-data of the operation is collected and associated to _useragent_ | for any operation result according to gemSpec_Perf UC_A2.2 and UC_A2.5 |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task SetEntitlementAsync(Body body, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (body == null)
+ throw new System.ArgumentNullException("body");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_insurantid == null)
+ throw new System.ArgumentNullException("x_insurantid");
+ request_.Headers.TryAddWithoutValidation("x-insurantid", ConvertToString(x_insurantid, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ var json_ = System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(body, JsonSerializerSettings);
+ var content_ = new System.Net.Http.ByteArrayContent(json_);
+ content_.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json");
+ request_.Content = content_;
+ request_.Method = new System.Net.Http.HttpMethod("POST");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/basic/api/v1/entitlements"
+ urlBuilder_.Append("epa/basic/api/v1/entitlements");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 201)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Bad Request.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new EntitlementManagementException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (getEntitlement) Get a single specific entitlement
+ ///
+ ///
+ /// Get a specific granted and not expired entitlement of the health record.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The response shall contain the entitlement related to _actorId_ if available
+ ///
+ ///
The operation shall NOT consider the static entitlements for a response (even if stored
+ ///
in SecureAdminStorage).
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Entitlement (_actorId_) does not exist | 404 | noResource | applies also if _actorId_ refers to a static entitlement |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task GetEntitlementAsync(string actorId, string x_insurantid, string x_useragent)
+ {
+ return GetEntitlementAsync(actorId, x_insurantid, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getEntitlement) Get a single specific entitlement
+ ///
+ ///
+ /// Get a specific granted and not expired entitlement of the health record.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The response shall contain the entitlement related to _actorId_ if available
+ ///
+ ///
The operation shall NOT consider the static entitlements for a response (even if stored
+ ///
in SecureAdminStorage).
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Entitlement (_actorId_) does not exist | 404 | noResource | applies also if _actorId_ refers to a static entitlement |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch ||
+ ///
| Any other error | 500 | internalError ||
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task GetEntitlementAsync(string actorId, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (actorId == null)
+ throw new System.ArgumentNullException("actorId");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_insurantid == null)
+ throw new System.ArgumentNullException("x_insurantid");
+ request_.Headers.TryAddWithoutValidation("x-insurantid", ConvertToString(x_insurantid, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/basic/api/v1/entitlements/{actorId}"
+ urlBuilder_.Append("epa/basic/api/v1/entitlements/");
+ urlBuilder_.Append(System.Uri.EscapeDataString(ConvertToString(actorId, System.Globalization.CultureInfo.InvariantCulture)));
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Bad Request.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new EntitlementManagementException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (deleteEntitlement) Delete a single specific entitlement
+ ///
+ ///
+ /// Delete one existing entitlement.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
The client shall not delete static entilements. The client of a representative shall not delete
+ ///
entitlements of other representatives.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed entitlement shall be finally removed from the SecureAdminStorage.</br>
+ ///
Deletion of entitlements addressing a kvnr (actorId = kvnr, oid = oid_versicherter) shall only be
+ ///
successful if requestor is the insurant (kvnr == health record identifier) or the entitled
+ ///
representative (actorId == kvnr of requestor), i.e. a representative shall not delete entitlements
+ ///
of other representatives.</br>
+ ///
Deletion of static entitlements shall not be successful.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Requestor is representative deleting an entitlement of another representative | 403 | accessDenied ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Entitlement to delete does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Parameter _actorId_ refers to a static entitlement| 409 | requestMismatch ||
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The addressed assignment is removed from the associated policy ||
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task DeleteEntitlementAsync(string actorId, string x_insurantid, string x_useragent)
+ {
+ return DeleteEntitlementAsync(actorId, x_insurantid, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (deleteEntitlement) Delete a single specific entitlement
+ ///
+ ///
+ /// Delete one existing entitlement.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter.
+ ///
+ ///
**Client**:</br>
+ ///
The client shall not delete static entilements. The client of a representative shall not delete
+ ///
entitlements of other representatives.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed entitlement shall be finally removed from the SecureAdminStorage.</br>
+ ///
Deletion of entitlements addressing a kvnr (actorId = kvnr, oid = oid_versicherter) shall only be
+ ///
successful if requestor is the insurant (kvnr == health record identifier) or the entitled
+ ///
representative (actorId == kvnr of requestor), i.e. a representative shall not delete entitlements
+ ///
of other representatives.</br>
+ ///
Deletion of static entitlements shall not be successful.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 204 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
+ ///
| Requestor is representative deleting an entitlement of another representative | 403 | accessDenied ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Entitlement to delete does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Parameter _actorId_ refers to a static entitlement| 409 | requestMismatch ||
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The addressed assignment is removed from the associated policy ||
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// OK
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task DeleteEntitlementAsync(string actorId, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (actorId == null)
+ throw new System.ArgumentNullException("actorId");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_insurantid == null)
+ throw new System.ArgumentNullException("x_insurantid");
+ request_.Headers.TryAddWithoutValidation("x-insurantid", ConvertToString(x_insurantid, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("DELETE");
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/basic/api/v1/entitlements/{actorId}"
+ urlBuilder_.Append("epa/basic/api/v1/entitlements/");
+ urlBuilder_.Append(System.Uri.EscapeDataString(ConvertToString(actorId, System.Globalization.CultureInfo.InvariantCulture)));
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 204)
+ {
+ return;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Bad Request.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new EntitlementManagementException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (setEntitlementPs) Set a single entitlement with proof of audit evidence
+ ///
+ ///
+ /// Set an entitlement with predefined validity period for the requesting user in a
+ ///
treatment situation.</br>
+ ///
This operation is limited to users of the "Allowed usergroups for entitlements with proof of audit".
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use this operation in a patient presence situation only, i.e. in case
+ ///
the vsdm update service provides a proof of audit as result of a validation procedure
+ ///
of a physical health insurance card (eGK) of the health record owner.
+ ///
+ ///
+ ///
**Provider**:</br>
+ ///
This operation does not require an existing entitlement for the requesting user. Instead,
+ ///
an entitlement for this user shall be the result of this operation.
+ ///
+ ///
The lack of an existing entitlement for this operation is substituted by verifiable
+ ///
evidence (JWT) associated to the health record owner acting as health record owner's explicit
+ ///
permission for the requesting user to establish a new entitlement.
+ ///
+ ///
The operation shall count the number of failed comparison check of _hcv_ values
+ ///
and also _kvnr_ for each user (telematik-id).
+ ///
In case of more than 5 failed comparison checks (5 checks for each counter) within 1 hour
+ ///
the operation shall be aborted.
+ ///
+ ///
The received JWT shall be passed to the HSM for entitlement verification, using rule _rr3_.
+ ///
+ ///
The HSM rule verifies JWT signature, _actorID_, encryption of _kvnr_ (associated health record) and claims
+ ///
in a CMAC secured result _actorId_, _kvnr_ and _validTo_ (_validTo_ is applied by HSM according to
+ ///
user role). HSM verifies also consistence of requestor properties vs claims in JWT signature
+ ///
and audit evidence.
+ ///
+ ///
The entitlement management enforces the requirements for rate limiting.
+ ///
+ ///
The CMAC secured result shall be completed with the following data:
+ ///
- _oid_ of the entitled user (from JWT or request context)
+ ///
- _displayName_ of the entitled user (from JWT or request context)
+ ///
- _issued-at_ current system time
+ ///
- _issued-actorId_ of requestor (from request context)
+ ///
- _issued-displayName_ of requestor (from request context)
+ ///
+ ///
The completed entitlement shall NOT be stored and cause operation abortion in cases:
+ ///
- _oid_ is not in the list of allowed usergroups (role)
+ ///
- _actorId_ is referenced by a Blocked User Policy assignment
+ ///
- _actorId_ is referenced by a Deny List assignment
+ ///
+ ///
- if _enforce_hcv_check_ == true or _hcv_ value of JWT and _hcv_ from hsm rule _rr3_ are both available:
+ ///
- _hcv_ value of JWT does not match _hcv_ from hsm rule _rr3_
+ ///
- _x-insurantid_ does not match _kvnr_ from hsm rule _rr3_
+ ///
+ ///
If an existing and stored entitlement addressing the same user exists and if this stored
+ ///
entitlement indicates a _validTo_ which is in the future of the new entitlement's _validTo_,
+ ///
then the existing entitlement shall be kept, else the completed new entitlement shall be stored,
+ ///
encrypted by SecureAdminStorageKey of the health record.</br>
+ ///
If the new entitlement is stored, a possibly existing entitlement is deleted automatically.</br>
+ ///
All above are success cases for this operation.
+ ///
The response of the operation shall return the current _validTo_ setting as information.
+ ///
+ ///
The addressed user of the request shall be entitled after successful operation.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 || even if an existing entitlement is kept due to longer validity |
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor role is not in the list of allowed usergroups | 403 | invalidOid ||
+ ///
| Token verification failed | 403 | invalidToken ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| hcv value of jwt does not exist | 409 | hcvMissing ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment | 409 | requestMismatch ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Deny List assignment | 409 | requestMismatch ||
+ ///
| Rate limiting | 423 | locked||
+ ///
| to many failed attempts | 423 | locked | _hcv_ check limit |
+ ///
| to many failed attempts | 423 | locked | _kvnr_ check limit |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The valid and completed entitlement is stored in SecureDataStorage | a possible existing entitlement with earlier _validTo_ is replaced |
+ ///
| The user addressed by the new entitlement is entitled | successful operation only |
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
| The raw-data of the operation is collected and associated to _useragent_ | for any operation result according to gemSpec_Perf UC_A2.1 |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created. User is entitled
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task SetEntitlementPsAsync(EntitlementRequestType body, string x_insurantid, string x_useragent)
+ {
+ return SetEntitlementPsAsync(body, x_insurantid, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (setEntitlementPs) Set a single entitlement with proof of audit evidence
+ ///
+ ///
+ /// Set an entitlement with predefined validity period for the requesting user in a
+ ///
treatment situation.</br>
+ ///
This operation is limited to users of the "Allowed usergroups for entitlements with proof of audit".
+ ///
+ ///
**Client**:</br>
+ ///
A client shall use this operation in a patient presence situation only, i.e. in case
+ ///
the vsdm update service provides a proof of audit as result of a validation procedure
+ ///
of a physical health insurance card (eGK) of the health record owner.
+ ///
+ ///
+ ///
**Provider**:</br>
+ ///
This operation does not require an existing entitlement for the requesting user. Instead,
+ ///
an entitlement for this user shall be the result of this operation.
+ ///
+ ///
The lack of an existing entitlement for this operation is substituted by verifiable
+ ///
evidence (JWT) associated to the health record owner acting as health record owner's explicit
+ ///
permission for the requesting user to establish a new entitlement.
+ ///
+ ///
The operation shall count the number of failed comparison check of _hcv_ values
+ ///
and also _kvnr_ for each user (telematik-id).
+ ///
In case of more than 5 failed comparison checks (5 checks for each counter) within 1 hour
+ ///
the operation shall be aborted.
+ ///
+ ///
The received JWT shall be passed to the HSM for entitlement verification, using rule _rr3_.
+ ///
+ ///
The HSM rule verifies JWT signature, _actorID_, encryption of _kvnr_ (associated health record) and claims
+ ///
in a CMAC secured result _actorId_, _kvnr_ and _validTo_ (_validTo_ is applied by HSM according to
+ ///
user role). HSM verifies also consistence of requestor properties vs claims in JWT signature
+ ///
and audit evidence.
+ ///
+ ///
The entitlement management enforces the requirements for rate limiting.
+ ///
+ ///
The CMAC secured result shall be completed with the following data:
+ ///
- _oid_ of the entitled user (from JWT or request context)
+ ///
- _displayName_ of the entitled user (from JWT or request context)
+ ///
- _issued-at_ current system time
+ ///
- _issued-actorId_ of requestor (from request context)
+ ///
- _issued-displayName_ of requestor (from request context)
+ ///
+ ///
The completed entitlement shall NOT be stored and cause operation abortion in cases:
+ ///
- _oid_ is not in the list of allowed usergroups (role)
+ ///
- _actorId_ is referenced by a Blocked User Policy assignment
+ ///
- _actorId_ is referenced by a Deny List assignment
+ ///
+ ///
- if _enforce_hcv_check_ == true or _hcv_ value of JWT and _hcv_ from hsm rule _rr3_ are both available:
+ ///
- _hcv_ value of JWT does not match _hcv_ from hsm rule _rr3_
+ ///
- _x-insurantid_ does not match _kvnr_ from hsm rule _rr3_
+ ///
+ ///
If an existing and stored entitlement addressing the same user exists and if this stored
+ ///
entitlement indicates a _validTo_ which is in the future of the new entitlement's _validTo_,
+ ///
then the existing entitlement shall be kept, else the completed new entitlement shall be stored,
+ ///
encrypted by SecureAdminStorageKey of the health record.</br>
+ ///
If the new entitlement is stored, a possibly existing entitlement is deleted automatically.</br>
+ ///
All above are success cases for this operation.
+ ///
The response of the operation shall return the current _validTo_ setting as information.
+ ///
+ ///
The addressed user of the request shall be entitled after successful operation.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 || even if an existing entitlement is kept due to longer validity |
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Requestor role is not in the list of allowed usergroups | 403 | invalidOid ||
+ ///
| Token verification failed | 403 | invalidToken ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| hcv value of jwt does not exist | 409 | hcvMissing ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Blocked User Policy assignment | 409 | requestMismatch ||
+ ///
| request claims _actorId_ and _actorId_ is referenced by a Deny List assignment | 409 | requestMismatch ||
+ ///
| Rate limiting | 423 | locked||
+ ///
| to many failed attempts | 423 | locked | _hcv_ check limit |
+ ///
| to many failed attempts | 423 | locked | _kvnr_ check limit |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The valid and completed entitlement is stored in SecureDataStorage | a possible existing entitlement with earlier _validTo_ is replaced |
+ ///
| The user addressed by the new entitlement is entitled | successful operation only |
+ ///
| A log-entry for the operation exists | successful operation only |
+ ///
| The raw-data of the operation is collected and associated to _useragent_ | for any operation result according to gemSpec_Perf UC_A2.1 |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created. User is entitled
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task SetEntitlementPsAsync(EntitlementRequestType body, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (body == null)
+ throw new System.ArgumentNullException("body");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_insurantid == null)
+ throw new System.ArgumentNullException("x_insurantid");
+ request_.Headers.TryAddWithoutValidation("x-insurantid", ConvertToString(x_insurantid, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ var json_ = System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(body, JsonSerializerSettings);
+ var content_ = new System.Net.Http.ByteArrayContent(json_);
+ content_.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json");
+ request_.Content = content_;
+ request_.Method = new System.Net.Http.HttpMethod("POST");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/basic/api/v1/ps/entitlements"
+ urlBuilder_.Append("epa/basic/api/v1/ps/entitlements");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 201)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Bad Request.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 423)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Locked.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new EntitlementManagementException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (getBlockedUserPolicyAssignments) get a list of blocked users
+ ///
+ ///
+ /// Get a list of actual set assignments of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Provider**:</br>
+ ///
The returned list shall contain only all assignments of the blocked user policy.</br>
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not oid_versicherter_ or _oid_ombudsstelle_| 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Ok. Returns a list of policy assignments
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task GetBlockedUserPolicyAssignmentsAsync(string x_insurantid, string x_useragent)
+ {
+ return GetBlockedUserPolicyAssignmentsAsync(x_insurantid, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getBlockedUserPolicyAssignments) get a list of blocked users
+ ///
+ ///
+ /// Get a list of actual set assignments of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Provider**:</br>
+ ///
The returned list shall contain only all assignments of the blocked user policy.</br>
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not oid_versicherter_ or _oid_ombudsstelle_| 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Ok. Returns a list of policy assignments
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task GetBlockedUserPolicyAssignmentsAsync(string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_insurantid == null)
+ throw new System.ArgumentNullException("x_insurantid");
+ request_.Headers.TryAddWithoutValidation("x-insurantid", ConvertToString(x_insurantid, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/basic/api/v1/blockedusers"
+ urlBuilder_.Append("epa/basic/api/v1/blockedusers");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Bad Request.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new EntitlementManagementException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (setBlockedUserPolicyAssignment) add a user to the blocked user policy
+ ///
+ ///
+ /// Set a new assignment for the blocked user policy.</br>
+ ///
The user addressed by the policy assignment can not be entitled by any means, a possibly existing
+ ///
entitlement is lost.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall set assignments for users of the allowed roles for
+ ///
user blocking only.</br>
+ ///
+ ///
**Provider**:</br>
+ ///
A valid new assignment shall be added to the blocked user policy.
+ ///
+ ///
Each new valid assigment shall be extended by a timestamp (_at_ = current date and time)
+ ///
by the server.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ or _oid_ombudsstelle_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| The assignment parameter _oid_ is not in the list of allowd oids | 409 | requestMismatch ||
+ ///
| The assignment does yet exist (same _actorId_) | 409 | requestMismatch | avoid duplicates |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The policy assignment is extended with the timestamp and stored in SecureDataStorage ||
+ ///
| An existing entitlement for the addressed user of the assignment is deleted ||
+ ///
| An eMail is sent to the insurant, including information about the blocked user policy change| if eMail address is available |
+ ///
| A log-entry for the operation exists | all operation results |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task SetBlockedUserPolicyAssignmentAsync(BlockedUserPolicyAssignmentType body, string x_insurantid, string x_useragent)
+ {
+ return SetBlockedUserPolicyAssignmentAsync(body, x_insurantid, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (setBlockedUserPolicyAssignment) add a user to the blocked user policy
+ ///
+ ///
+ /// Set a new assignment for the blocked user policy.</br>
+ ///
The user addressed by the policy assignment can not be entitled by any means, a possibly existing
+ ///
entitlement is lost.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle.
+ ///
+ ///
**Client**:</br>
+ ///
A client shall set assignments for users of the allowed roles for
+ ///
user blocking only.</br>
+ ///
+ ///
**Provider**:</br>
+ ///
A valid new assignment shall be added to the blocked user policy.
+ ///
+ ///
Each new valid assigment shall be extended by a timestamp (_at_ = current date and time)
+ ///
by the server.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 201 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not _oid_versicherter_ or _oid_ombudsstelle_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| The assignment parameter _oid_ is not in the list of allowd oids | 409 | requestMismatch ||
+ ///
| The assignment does yet exist (same _actorId_) | 409 | requestMismatch | avoid duplicates |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| The policy assignment is extended with the timestamp and stored in SecureDataStorage ||
+ ///
| An existing entitlement for the addressed user of the assignment is deleted ||
+ ///
| An eMail is sent to the insurant, including information about the blocked user policy change| if eMail address is available |
+ ///
| A log-entry for the operation exists | all operation results |
+ ///
+ /// Health Record Identifier.
+ /// user agent information
+ /// Created
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task SetBlockedUserPolicyAssignmentAsync(BlockedUserPolicyAssignmentType body, string x_insurantid, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (body == null)
+ throw new System.ArgumentNullException("body");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_insurantid == null)
+ throw new System.ArgumentNullException("x_insurantid");
+ request_.Headers.TryAddWithoutValidation("x-insurantid", ConvertToString(x_insurantid, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ var json_ = System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(body, JsonSerializerSettings);
+ var content_ = new System.Net.Http.ByteArrayContent(json_);
+ content_.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json");
+ request_.Content = content_;
+ request_.Method = new System.Net.Http.HttpMethod("POST");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/basic/api/v1/blockedusers"
+ urlBuilder_.Append("epa/basic/api/v1/blockedusers");
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 201)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ return objectResponse_.Object;
+ }
+ else
+ if (status_ == 400)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Bad Request.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 403)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Forbidden.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 404)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Not found.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 409)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Conflict.", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ if (status_ == 500)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync(response_, headers_, cancellationToken).ConfigureAwait(false);
+ if (objectResponse_.Object == null)
+ {
+ throw new EntitlementManagementException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+ }
+ throw new EntitlementManagementException("Internal Server Error", status_, objectResponse_.Text, headers_, objectResponse_.Object, null);
+ }
+ else
+ {
+ var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+ throw new EntitlementManagementException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+ }
+ }
+ finally
+ {
+ if (disposeResponse_)
+ response_.Dispose();
+ }
+ }
+ }
+ finally
+ {
+ if (disposeClient_)
+ client_.Dispose();
+ }
+ }
+
+ ///
+ /// (getBlockedUserPolicyAssignment) get a particular blocked user
+ ///
+ ///
+ /// Get one particular assignment of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle .
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed assigment shall be returned.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not oid_versicherter_ or _oid_ombudsstelle_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Resource for _telematikid_ does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// TelematikID
+ /// user agent information
+ /// Ok.
+ /// A server side error occurred.
+ public virtual System.Threading.Tasks.Task GetBlockedUserPolicyAssignmentAsync(string x_insurantid, string telematikid, string x_useragent)
+ {
+ return GetBlockedUserPolicyAssignmentAsync(x_insurantid, telematikid, x_useragent, System.Threading.CancellationToken.None);
+ }
+
+ /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+ ///
+ /// (getBlockedUserPolicyAssignment) get a particular blocked user
+ ///
+ ///
+ /// Get one particular assignment of the blocked user policy.</br>
+ ///
This operation is limited to entitled users of role oid_versicherter and oid_ombudsstelle .
+ ///
+ ///
**Client**:</br>
+ ///
no recommendations.
+ ///
+ ///
**Provider**:</br>
+ ///
The addressed assigment shall be returned.
+ ///
+ ///
| Conditions | Status code | Error code | Remarks |
+ ///
|------------|-------------|------------|---------|
+ ///
| Successful operation | 200 |||
+ ///
| Request does not match schema | 400 | malformedRequest ||
+ ///
| Requestor not authorized | 403 | invalAuth | no user session with valid ID-Token available |
+ ///
| Device registration does not exist | 403 | unregisteredDevice | if requestor role is oid_versicherter only |
+ ///
| Requestor has no valid entitlement | 403 | notEntitled ||
+ ///
| Requestor role is not oid_versicherter_ or _oid_ombudsstelle_ | 403 | invalidOid ||
+ ///
| Health record does not exist | 404 | noHealthRecord | _insurantid_ unknown |
+ ///
| Resource for _telematikid_ does not exist | 404 | noResource ||
+ ///
| Health record is not in state ACTIVATED | 409 | statusMismatch | (see 'Retry interval') |
+ ///
| Any other error | 500 | internalError | (see 'Retry interval') |
+ ///
+ ///
</br>
+ ///
| Postconditions | Remarks |
+ ///
|---------------------------------------|---------|
+ ///
| none ||
+ ///
+ /// Health Record Identifier.
+ /// TelematikID
+ /// user agent information
+ /// Ok.
+ /// A server side error occurred.
+ public virtual async System.Threading.Tasks.Task GetBlockedUserPolicyAssignmentAsync(string x_insurantid, string telematikid, string x_useragent, System.Threading.CancellationToken cancellationToken)
+ {
+ if (telematikid == null)
+ throw new System.ArgumentNullException("telematikid");
+
+ var client_ = _httpClient;
+ var disposeClient_ = false;
+ try
+ {
+ using (var request_ = new System.Net.Http.HttpRequestMessage())
+ {
+
+ if (x_insurantid == null)
+ throw new System.ArgumentNullException("x_insurantid");
+ request_.Headers.TryAddWithoutValidation("x-insurantid", ConvertToString(x_insurantid, System.Globalization.CultureInfo.InvariantCulture));
+
+ if (x_useragent == null)
+ throw new System.ArgumentNullException("x_useragent");
+ request_.Headers.TryAddWithoutValidation("x-useragent", ConvertToString(x_useragent, System.Globalization.CultureInfo.InvariantCulture));
+ request_.Method = new System.Net.Http.HttpMethod("GET");
+ request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("application/json"));
+
+ var urlBuilder_ = new System.Text.StringBuilder();
+
+ // Operation Path: "epa/basic/api/v1/blockedusers/{telematikid}"
+ urlBuilder_.Append("epa/basic/api/v1/blockedusers/");
+ urlBuilder_.Append(System.Uri.EscapeDataString(ConvertToString(telematikid, System.Globalization.CultureInfo.InvariantCulture)));
+
+ PrepareRequest(client_, request_, urlBuilder_);
+
+ var url_ = urlBuilder_.ToString();
+ request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+ PrepareRequest(client_, request_, url_);
+
+ var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+ var disposeResponse_ = true;
+ try
+ {
+ var headers_ = new System.Collections.Generic.Dictionary>();
+ foreach (var item_ in response_.Headers)
+ headers_[item_.Key] = item_.Value;
+ if (response_.Content != null && response_.Content.Headers != null)
+ {
+ foreach (var item_ in response_.Content.Headers)
+ headers_[item_.Key] = item_.Value;
+ }
+
+ ProcessResponse(client_, response_);
+
+ var status_ = (int)response_.StatusCode;
+ if (status_ == 200)
+ {
+ var objectResponse_ = await ReadObjectResponseAsync