microsoft
diff --git a/‎src/Microsoft.Health.Fhir.Api/Features/SMART/SmartClinicalScopesMiddleware.cs‎
Lines changed: 65 additions & 16 deletions b/‎src/Microsoft.Health.Fhir.Api/Features/SMART/SmartClinicalScopesMiddleware.cs‎
Lines changed: 65 additions & 16 deletions
diff --git a/‎src/Microsoft.Health.Fhir.Core/Features/Conformance/GetSmartConfigurationHandler.cs‎
Lines changed: 13 additions & 1 deletion b/‎src/Microsoft.Health.Fhir.Core/Features/Conformance/GetSmartConfigurationHandler.cs‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎src/Microsoft.Health.Fhir.Core/Features/Operations/SmartConfigurationResult.cs‎
Lines changed: 15 additions & 0 deletions b/‎src/Microsoft.Health.Fhir.Core/Features/Operations/SmartConfigurationResult.cs‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎src/Microsoft.Health.Fhir.Core/Features/Security/DataActions.cs‎
Lines changed: 10 additions & 3 deletions b/‎src/Microsoft.Health.Fhir.Core/Features/Security/DataActions.cs‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎src/Microsoft.Health.Fhir.Core/Messages/Get/GetSmartConfigurationResponse.cs‎
Lines changed: 14 additions & 0 deletions b/‎src/Microsoft.Health.Fhir.Core/Messages/Get/GetSmartConfigurationResponse.cs‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/Microsoft.Health.Fhir.Shared.Api.UnitTests/Features/SMART/SmartClinicalScopesMiddlewareTests.cs‎
Lines changed: 45 additions & 0 deletions b/‎src/Microsoft.Health.Fhir.Shared.Api.UnitTests/Features/SMART/SmartClinicalScopesMiddlewareTests.cs‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎src/Microsoft.Health.Fhir.Shared.Core.UnitTests/Features/Conformance/GetSmartConfigurationHandlerTests.cs‎
Lines changed: 3 additions & 0 deletions b/‎src/Microsoft.Health.Fhir.Shared.Core.UnitTests/Features/Conformance/GetSmartConfigurationHandlerTests.cs‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/Microsoft.Health.Fhir.Shared.Core.UnitTests/Features/Search/SearchResourceHandlerTests.cs‎
Lines changed: 101 additions & 0 deletions b/‎src/Microsoft.Health.Fhir.Shared.Core.UnitTests/Features/Search/SearchResourceHandlerTests.cs‎
Lines changed: 101 additions & 0 deletions
@@ -28,11 +28,12 @@ namespace Microsoft.Health.Fhir.Api.Features.Smart
     public class SmartClinicalScopesMiddleware
     {
         private readonly RequestDelegate _next;
-        private const string AllDataActions = "all";
         private readonly ILogger<SmartClinicalScopesMiddleware> _logger;
 
-        // Regex based on SMART on FHIR clinical scopes v1.0, http://hl7.org/fhir/smart-app-launch/1.0.0/scopes-and-launch-context/index.html#clinical-scope-syntax
-        private static readonly Regex ClinicalScopeRegEx = new Regex(@"(^|\s+)(?<id>patient|user|system)(/|\$|\.)(?<resource>\*|([a-zA-Z]*)|all)\.(?<accessLevel>read|write|\*|all)", RegexOptions.Compiled);
+        // Regex based on SMART on FHIR clinical scopes v1.0 and v2.0
+        // v1: http://hl7.org/fhir/smart-app-launch/1.0.0/scopes-and-launch-context/index.html#clinical-scope-syntax
+        // v2: http://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html#scopes-for-requesting-fhir-resources
+        private static readonly Regex ClinicalScopeRegEx = new Regex(@"(^|\s+)(?<id>patient|user|system)(/|\$|\.)(?<resource>\*|([a-zA-Z]*)|all)\.(?<accessLevel>read|write|\*|all|[cruds]+)", RegexOptions.Compiled);
 
         public SmartClinicalScopesMiddleware(RequestDelegate next, ILogger<SmartClinicalScopesMiddleware> logger)
         {
@@ -43,6 +44,66 @@ public SmartClinicalScopesMiddleware(RequestDelegate next, ILogger<SmartClinical
             _next = next;
         }
 
+        /// <summary>
+        /// Parse SMART scope permissions supporting both v1 and v2 formats.
+        /// v1: read, write, *, all
+        /// v2: c (create), r (read), u (update), d (delete), s (search)
+        /// </summary>
+        /// <param name="accessLevel">The access level from the scope (e.g., "read", "rs", "cruds")</param>
+        /// <returns>DataActions representing the permissions</returns>
+        private static DataActions ParseScopePermissions(string accessLevel)
+        {
+            if (string.IsNullOrEmpty(accessLevel))
+            {
+                return DataActions.None;
+            }
+
+            // Handle v1 scope formats first for backward compatibility
+            switch (accessLevel.ToLowerInvariant())
+            {
+                case "read":
+                    // v1 read includes both read and search permissions
+                    return DataActions.Read | DataActions.Export | DataActions.Search;
+                case "write":
+                    // v1 write includes create, update, delete, and legacy write permissions
+                    return DataActions.Write | DataActions.Create | DataActions.Update | DataActions.Delete;
+                case "*":
+                case "all":
+                    // Full access includes all permissions
+                    return DataActions.Read | DataActions.Write | DataActions.Export | DataActions.Search |
+                           DataActions.Create | DataActions.Update | DataActions.Delete;
+            }
+
+            // Handle v2 scope format (e.g., "rs", "cruds")
+            var permissions = DataActions.None;
+            foreach (char permission in accessLevel.ToLowerInvariant())
+            {
+                switch (permission)
+                {
+                    case 'c':
+                        permissions |= DataActions.Create; // SMART v2 granular create permission
+                        break;
+                    case 'r':
+                        permissions |= DataActions.ReadV2 | DataActions.Export; // SMART v2 read-only (no search)
+                        break;
+                    case 'u':
+                        permissions |= DataActions.Update; // SMART v2 granular update permission
+                        break;
+                    case 'd':
+                        permissions |= DataActions.Delete; // SMART v2 granular delete permission
+                        break;
+                    case 's':
+                        permissions |= DataActions.Search; // Search is a separate permission in v2
+                        break;
+                    default:
+                        // Unknown permission character - log warning but continue
+                        break;
+                }
+            }
+
+            return permissions;
+        }
+
         public async Task Invoke(
             HttpContext context,
             RequestContextAccessor<IFhirRequestContext> fhirRequestContextAccessor,
@@ -96,19 +157,7 @@ public async Task Invoke(
                         var resource = match.Groups["resource"]?.Value;
                         var accessLevel = match.Groups["accessLevel"]?.Value;
 
-                        switch (accessLevel)
-                        {
-                            case "read":
-                                permittedDataActions = DataActions.Read | DataActions.Export;
-                                break;
-                            case "write":
-                                permittedDataActions = DataActions.Write;
-                                break;
-                            case "*":
-                            case AllDataActions:
-                                permittedDataActions = DataActions.Read | DataActions.Write | DataActions.Export;
-                                break;
-                        }
+                        permittedDataActions = ParseScopePermissions(accessLevel);
 
                         if (!string.IsNullOrEmpty(resource)
                             && !string.IsNullOrEmpty(id))
 
@@ -54,7 +54,19 @@ protected GetSmartConfigurationResponse Handle(GetSmartConfigurationRequest requ
                         "permission-user",
                     };
 
-                    return new GetSmartConfigurationResponse(authorizationEndpoint, tokenEndpoint, capabilities);
+                    // Add SMART v2 scope support - these are the core scopes supported natively by the FHIR service
+                    ICollection<string> scopesSupported = new List<string>
+                    {
+                        // Standard OAuth/OIDC scopes
+                        "openid",
+                        "fhirUser",
+                        "launch",
+                        "launch/patient",
+                        "offline_access",
+                        "online_access",
+                    };
+
+                    return new GetSmartConfigurationResponse(authorizationEndpoint, tokenEndpoint, capabilities, scopesSupported);
                 }
                 catch (Exception e) when (e is ArgumentNullException || e is UriFormatException)
                 {
 
@@ -26,6 +26,18 @@ public SmartConfigurationResult(Uri authorizationEndpoint, Uri tokenEndpoint, IC
             Capabilities = capabilities;
         }
 
+        public SmartConfigurationResult(Uri authorizationEndpoint, Uri tokenEndpoint, ICollection<string> capabilities, ICollection<string> scopesSupported)
+        {
+            EnsureArg.IsNotNull(authorizationEndpoint, nameof(authorizationEndpoint));
+            EnsureArg.IsNotNull(tokenEndpoint, nameof(tokenEndpoint));
+            EnsureArg.IsNotNull(capabilities, nameof(capabilities));
+
+            AuthorizationEndpoint = authorizationEndpoint;
+            TokenEndpoint = tokenEndpoint;
+            Capabilities = capabilities;
+            ScopesSupported = scopesSupported;
+        }
+
         [JsonConstructor]
         public SmartConfigurationResult()
         {
@@ -39,5 +51,8 @@ public SmartConfigurationResult()
 
         [JsonProperty("capabilities")]
         public ICollection<string> Capabilities { get; private set; }
+
+        [JsonProperty("scopes_supported")]
+        public ICollection<string> ScopesSupported { get; private set; }
     }
 }
@@ -15,8 +15,9 @@ public enum DataActions : ulong
     {
         None = 0,
 
-        Read = 1,
-        Write = 1 << 1,
+        // Legacy permissions (maintained for backward compatibility)
+        Read = 1 << 0, // Legacy read permission (includes search capability for SMART v1 compatibility)
+        Write = 1 << 1, // Legacy write permission (kept for backward compatibility)
         Delete = 1 << 2,
         HardDelete = 1 << 3,
         Export = 1 << 4,
@@ -28,9 +29,15 @@ public enum DataActions : ulong
         SearchParameter = 1 << 10,
         BulkOperator = 1 << 11,
 
+        // SMART v2 granular permissions
+        Search = 1 << 12, // SMART v2 search permission
+        ReadV2 = 1 << 13, // SMART v2 read permission (read-only, no search)
+        Create = 1 << 14, // SMART v2 create permission
+        Update = 1 << 15, // SMART v2 update permission
+
         Smart = 1 << 30, // Do not include Smart in the '*' case.  We only want smart for a user if explicitly added to the role or user
 
         [EnumMember(Value = "*")]
-        All = (BulkOperator << 1) - 1,
+        All = (Update << 1) - 1,
     }
 }
@@ -22,10 +22,24 @@ public GetSmartConfigurationResponse(Uri authorizationEndpoint, Uri tokenEndpoin
             Capabilities = capabilities;
         }
 
+        public GetSmartConfigurationResponse(Uri authorizationEndpoint, Uri tokenEndpoint, ICollection<string> capabilities, ICollection<string> scopesSupported)
+        {
+            EnsureArg.IsNotNull(authorizationEndpoint, nameof(authorizationEndpoint));
+            EnsureArg.IsNotNull(tokenEndpoint, nameof(tokenEndpoint));
+            EnsureArg.IsNotNull(capabilities, nameof(capabilities));
+
+            AuthorizationEndpoint = authorizationEndpoint;
+            TokenEndpoint = tokenEndpoint;
+            Capabilities = capabilities;
+            ScopesSupported = scopesSupported;
+        }
+
         public Uri AuthorizationEndpoint { get; }
 
         public Uri TokenEndpoint { get; }
 
         public ICollection<string> Capabilities { get; }
+
+        public ICollection<string> ScopesSupported { get; }
     }
 }
@@ -419,6 +419,51 @@ public static IEnumerable<object[]> GetTestScopes()
                     new ScopeRestriction("Encounter", DataActions.Read | DataActions.Write | DataActions.Export, "user"),
                 },
             };
+
+            // SMART v2 scope format tests
+            yield return new object[] { "patient/Patient.rs", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.ReadV2 | DataActions.Export | DataActions.Search, "patient") } };
+            yield return new object[] { "patient/Patient.r", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.ReadV2 | DataActions.Export, "patient") } };
+            yield return new object[] { "patient/Patient.s", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.Search, "patient") } };
+            yield return new object[] { "patient/Patient.c", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.Create, "patient") } };
+            yield return new object[] { "patient/all.c", new List<ScopeRestriction>() { new ScopeRestriction(KnownResourceTypes.All, DataActions.Create, "patient") } };
+            yield return new object[] { "patient.all.c", new List<ScopeRestriction>() { new ScopeRestriction(KnownResourceTypes.All, DataActions.Create, "patient") } };
+            yield return new object[] { "patient/Patient.u", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.Update, "patient") } };
+            yield return new object[] { "patient/Patient.d", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.Delete, "patient") } };
+            yield return new object[] { "patient/Patient.cruds", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.Create | DataActions.Update | DataActions.Delete | DataActions.ReadV2 | DataActions.Export | DataActions.Search, "patient") } };
+            yield return new object[] { "user/*.rs", new List<ScopeRestriction>() { new ScopeRestriction(KnownResourceTypes.All, DataActions.ReadV2 | DataActions.Export | DataActions.Search, "user") } };
+            yield return new object[]
+            {
+                "patient/Patient.rs user/Observation.cud",
+                new List<ScopeRestriction>()
+                {
+                    new ScopeRestriction("Patient", DataActions.ReadV2 | DataActions.Export | DataActions.Search, "patient"),
+                    new ScopeRestriction("Observation", DataActions.Create | DataActions.Update | DataActions.Delete, "user"),
+                },
+            };
+
+            // Test v1 vs v2 behavior: v1 .read includes search, v2 .r does not include search
+            yield return new object[] { "patient/Patient.read", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.Read | DataActions.Export | DataActions.Search, "patient") } };
+            yield return new object[]
+            {
+                "patient/Patient.read patient/Observation.r",
+                new List<ScopeRestriction>()
+                {
+                    new ScopeRestriction("Patient", DataActions.Read | DataActions.Export | DataActions.Search, "patient"),
+                    new ScopeRestriction("Observation", DataActions.ReadV2 | DataActions.Export, "patient"),
+                },
+            };
+
+            // Test v1 vs v2 write behavior: v1 .write includes all write operations, v2 granular permissions
+            yield return new object[] { "patient/Patient.write", new List<ScopeRestriction>() { new ScopeRestriction("Patient", DataActions.Write | DataActions.Create | DataActions.Update | DataActions.Delete, "patient") } };
+            yield return new object[]
+            {
+                "patient/Patient.write user/Observation.cu",
+                new List<ScopeRestriction>()
+                {
+                    new ScopeRestriction("Patient", DataActions.Write | DataActions.Create | DataActions.Update | DataActions.Delete, "patient"),
+                    new ScopeRestriction("Observation", DataActions.Create | DataActions.Update, "user"),
+                },
+            };
         }
 
         private static async Task<AuthorizationConfiguration> LoadRoles(AuthorizationConfiguration authConfig)
 
@@ -64,6 +64,9 @@ public async Task GivenASmartConfigurationHandler_WhenSecurityConfigurationEnabl
                         "permission-patient",
                         "permission-user",
                     });
+
+            // Verify SMART v2 scopes are included
+            Assert.NotNull(response.ScopesSupported);
         }
 
         [Fact]
 
@@ -6,12 +6,17 @@
 using System;
 using System.Linq;
 using System.Threading;
+using System.Threading.Tasks;
 using Hl7.Fhir.Model;
+using Microsoft.Health.Core.Features.Security.Authorization;
+using Microsoft.Health.Fhir.Core.Exceptions;
 using Microsoft.Health.Fhir.Core.Extensions;
 using Microsoft.Health.Fhir.Core.Features.Search;
 using Microsoft.Health.Fhir.Core.Features.Search.Filters;
+using Microsoft.Health.Fhir.Core.Features.Security;
 using Microsoft.Health.Fhir.Core.Features.Security.Authorization;
 using Microsoft.Health.Fhir.Core.Messages.Search;
+using Microsoft.Health.Fhir.Core.Models;
 using Microsoft.Health.Fhir.Tests.Common;
 using Microsoft.Health.Test.Utilities;
 using NSubstitute;
@@ -56,5 +61,101 @@ public async Task GivenASearchResourceRequest_WhenHandled_ThenABundleShouldBeRet
             Assert.NotNull(actualResponse);
             Assert.Equal(expectedBundle, actualResponse.Bundle);
         }
+
+        [Fact]
+        public async Task GivenASearchResourceRequest_WhenUserHasSearchPermission_ThenSearchSucceeds()
+        {
+            var authorizationService = Substitute.For<IAuthorizationService<DataActions>>();
+            var searchResourceHandler = new SearchResourceHandler(
+                _searchService,
+                _bundleFactory,
+                authorizationService,
+                new DataResourceFilter(MissingDataFilterCriteria.Default));
+
+            var request = new SearchResourceRequest("Patient", null);
+            var searchResult = new SearchResult(Enumerable.Empty<SearchResultEntry>(), null, null, new Tuple<string, string>[0]);
+            var expectedBundle = new Bundle().ToResourceElement();
+
+            // Setup authorization to return Search permission
+            authorizationService.CheckAccess(DataActions.Search, CancellationToken.None)
+                .Returns(DataActions.Search);
+
+            _searchService.SearchAsync(request.ResourceType, request.Queries, CancellationToken.None).Returns(searchResult);
+            _bundleFactory.CreateSearchBundle(searchResult).Returns(expectedBundle);
+
+            SearchResourceResponse actualResponse = await searchResourceHandler.Handle(request, CancellationToken.None);
+
+            Assert.NotNull(actualResponse);
+            Assert.Equal(expectedBundle, actualResponse.Bundle);
+        }
+
+        [Fact]
+        public async Task GivenASearchResourceRequest_WhenUserHasOnlyReadPermission_ThenUnauthorizedExceptionThrown()
+        {
+            var authorizationService = Substitute.For<IAuthorizationService<DataActions>>();
+            var searchResourceHandler = new SearchResourceHandler(
+                _searchService,
+                _bundleFactory,
+                authorizationService,
+                new DataResourceFilter(MissingDataFilterCriteria.Default));
+
+            var request = new SearchResourceRequest("Patient", null);
+
+            // Setup authorization to return only Read permission (no Search permission)
+            // This simulates SMART v2 scope like "patient/Patient.r" which only allows direct access
+            authorizationService.CheckAccess(DataActions.Search, CancellationToken.None)
+                .Returns(DataActions.None);
+
+            await Assert.ThrowsAsync<UnauthorizedFhirActionException>(() =>
+                searchResourceHandler.Handle(request, CancellationToken.None));
+        }
+
+        [Fact]
+        public async Task GivenASearchResourceRequest_WhenUserHasReadAndSearchPermissions_ThenSearchSucceeds()
+        {
+            var authorizationService = Substitute.For<IAuthorizationService<DataActions>>();
+            var searchResourceHandler = new SearchResourceHandler(
+                _searchService,
+                _bundleFactory,
+                authorizationService,
+                new DataResourceFilter(MissingDataFilterCriteria.Default));
+
+            var request = new SearchResourceRequest("Patient", null);
+            var searchResult = new SearchResult(Enumerable.Empty<SearchResultEntry>(), null, null, new Tuple<string, string>[0]);
+            var expectedBundle = new Bundle().ToResourceElement();
+
+            // Setup authorization to return Search permission (which is what we check for)
+            // This simulates SMART v1 ".read" or v2 ".rs" scopes
+            authorizationService.CheckAccess(DataActions.Search, CancellationToken.None)
+                .Returns(DataActions.Search);
+
+            _searchService.SearchAsync(request.ResourceType, request.Queries, CancellationToken.None).Returns(searchResult);
+            _bundleFactory.CreateSearchBundle(searchResult).Returns(expectedBundle);
+
+            SearchResourceResponse actualResponse = await searchResourceHandler.Handle(request, CancellationToken.None);
+
+            Assert.NotNull(actualResponse);
+            Assert.Equal(expectedBundle, actualResponse.Bundle);
+        }
+
+        [Fact]
+        public async Task GivenASearchResourceRequest_WhenUserHasNoPermissions_ThenUnauthorizedExceptionThrown()
+        {
+            var authorizationService = Substitute.For<IAuthorizationService<DataActions>>();
+            var searchResourceHandler = new SearchResourceHandler(
+                _searchService,
+                _bundleFactory,
+                authorizationService,
+                new DataResourceFilter(MissingDataFilterCriteria.Default));
+
+            var request = new SearchResourceRequest("Patient", null);
+
+            // Setup authorization to return no permissions
+            authorizationService.CheckAccess(DataActions.Search, CancellationToken.None)
+                .Returns(DataActions.None);
+
+            await Assert.ThrowsAsync<UnauthorizedFhirActionException>(() =>
+                searchResourceHandler.Handle(request, CancellationToken.None));
+        }
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,9 @@ public async Task GivenASmartConfigurationHandler_WhenSecurityConfigurationEnabl`
`64`	`64`	`"permission-patient",`
`65`	`65`	`"permission-user",`
`66`	`66`	`});`
	`67`	`+`
	`68`	`+ // Verify SMART v2 scopes are included`
	`69`	`+ Assert.NotNull(response.ScopesSupported);`
`67`	`70`	`}`
`68`	`71`
`69`	`72`	`[Fact]`