Authentication and Authorization

Authentication and authorization are done according to the SMART-On-FHIR Authorization Guide, which uses OpenID Connect on top of the OAuth2 Authorization Code Grant flow: OAuth2 issues the access token that authorizes API requests, and OpenID Connect supplies the identity of the authenticated user.

As described in the SMART-On-FHIR Publishing OAuth2 URLs guidance, the server's CapabilityStatement resource carries a security extension that declares the authorize and token endpoint URLs of the authorization server. Clients should discover the endpoints from this extension rather than hard-coding them. The fragment below is the rest.security element of the CapabilityStatement.

            "security": {
                "extension": [
                    {
                        "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
                        "extension": [
                            {
                                "url": "token",
                                "valueUri": "https://greathospital.com:8110/identity/connect/token"
                            },
                            {
                                "url": "authorize",
                                "valueUri": "https://greathospital.com:8110/identity/connect/authorize"
                            }
                        ]
                    }
                ],
                "service": [
                    {
                        "coding": [
                            {
                                "system": "http://hl7.org/fhir/restful-security-service",
                                "code": "SMART-on-FHIR",
                                "display": "SMART-on-FHIR"
                            }
                        ],
                        "text": "OAuth2 using SMART-on-FHIR profile (see http://docs.smarthealthit.org)"
                    }
                ]
            },

The general flow is as follows. The user is sent to the authorize endpoint and authenticates with the authorization server. Once the user is authenticated and has consented to the requested scopes, the authorization server redirects back to the client with an authorization code. The client sends the authorization code to the token endpoint and exchanges it for an access token. The access token carries the set of scopes the user has been granted, which determines what the client may do on the API. The access token is then included as a bearer token with every API request. Because a bearer token grants access to whoever presents it, it must only be sent over HTTPS and should never be written to logs or placed in URLs.

The access token is placed in the HTTP Authorization header using the Bearer scheme, in the following format (without the brackets):

HTTP Authorization Header:
Authorization: Bearer [access token]
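The client side of the flow above, as an added example (not the server's or T-System's own code): endpoint discovery from the CapabilityStatement, the authorize request, validation of the callback, the code exchange request, and the resulting Authorization header. The CapabilityStatement is constructed from the fragment on this page; CLIENT_ID, REDIRECT_URI and FHIR_BASE_URL are assumed values for illustration.

```python
"""Client side of the SMART-on-FHIR authorization code flow.

Added example, not the server's or T-System's own code. The CapabilityStatement
below is constructed from the fragment on this page; CLIENT_ID, REDIRECT_URI and
FHIR_BASE_URL are assumed values.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OAUTH_URIS_EXT = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

# Constructed from the CapabilityStatement fragment on this page (only the parts needed here).
CAPABILITY_STATEMENT = {
    "resourceType": "CapabilityStatement",
    "rest": [{
        "mode": "server",
        "security": {
            "extension": [{
                "url": OAUTH_URIS_EXT,
                "extension": [
                    {"url": "token", "valueUri": "https://greathospital.com:8110/identity/connect/token"},
                    {"url": "authorize", "valueUri": "https://greathospital.com:8110/identity/connect/authorize"},
                ],
            }],
        },
    }],
}

# Assumed client registration values (not from the page).
CLIENT_ID = "example-app"
REDIRECT_URI = "https://app.example.org/callback"
FHIR_BASE_URL = "https://greathospital.com:8110/fhir"


def oauth_uris(capability_statement):
    """Find the authorize and token endpoints in rest[].security.extension."""
    for rest in capability_statement.get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != OAUTH_URIS_EXT:
                continue
            uris = {e["url"]: e["valueUri"] for e in ext.get("extension", [])}
            if "authorize" in uris and "token" in uris:
                return {"authorize": uris["authorize"], "token": uris["token"]}
    raise ValueError("CapabilityStatement does not advertise SMART oauth-uris")


def new_state():
    """Unguessable state value that binds the callback to this login attempt (CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(authorize_endpoint, scopes, state):
    """Step 1: the URL the user agent is sent to for authentication and consent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),      # space-delimited, e.g. "openid user/Patient.read"
        "state": state,
        "aud": FHIR_BASE_URL,           # SMART: the FHIR server the token is intended for
    }
    return authorize_endpoint + "?" + urlencode(params)


def parse_callback(redirect_url, expected_state):
    """Step 2: extract the authorization code from the redirect back to REDIRECT_URI.
    The code is refused if the state does not match or the server reported an error."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    return query["code"][0]


def token_request(token_endpoint, code):
    """Step 3: the form body POSTed (application/x-www-form-urlencoded) to the token
    endpoint to exchange the code for an access token. Shown for a public client;
    a confidential client would additionally authenticate with its client credentials."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the value used in step 1
        "client_id": CLIENT_ID,
    }
    return token_endpoint, body


def bearer_header(token_response):
    """Step 4: the Authorization header for every API request, built from the token endpoint's JSON reply."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a bearer token")
    return {"Authorization": "Bearer " + token_response["access_token"]}
```

The state check in parse_callback is what stops an attacker from injecting their own authorization code into a victim's session; the aud parameter tells the authorization server which FHIR server the token is meant for, so a token issued for one server cannot be replayed against another.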

Access Scopes

The access scopes follow the SMART-On-FHIR Scopes and Launch Context guidelines.

Scope Syntax:
clinical-scope ::= ( 'patient' | 'user' ) '/' ( fhir-resource | '*' ) '.' ( 'read' | 'write' | '*' )

The first part selects the context: patient/ scopes are limited to the patient in the current launch context, while user/ scopes cover everything the authenticated user is permitted to access. The second part names one FHIR resource type (for example Patient or Observation) or * for all types. The last part selects read access, write access (create, update and delete), or * for both.

Examples:
user/*.*            read and write access to all resource types the user may access
user/Patient.read   read-only access to Patient resources
user/Observation.*  read and write access to Observation resources
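How a server would parse the scope grammar above and check an incoming request against the scopes carried by the access token, as an added example (not the server's or T-System's own code). The scope strings and request parameters are constructed for illustration; the mapping of HTTP methods to read/write and the handling of the * wildcard follow the grammar as stated on this page.

```python
"""Parse SMART-on-FHIR clinical scopes and enforce them on API requests.

Added example, not the server's or T-System's own code. Scope strings and
requests below are constructed for illustration.
"""
import re

# clinical-scope ::= ( 'patient' | 'user' ) '/' ( fhir-resource | '*' ) '.' ( 'read' | 'write' | '*' )
SCOPE_RE = re.compile(r"^(patient|user)/([A-Z][A-Za-z]*|\*)\.(read|write|\*)$")

# A request's HTTP method decides whether it needs read or write permission.
METHOD_TO_OP = {
    "GET": "read", "HEAD": "read",
    "POST": "write", "PUT": "write", "PATCH": "write", "DELETE": "write",
}


def parse_scope(scope):
    """Split one clinical scope into (context, resource, permission); reject anything else."""
    match = SCOPE_RE.match(scope)
    if not match:
        raise ValueError("not a clinical scope: " + repr(scope))
    return match.groups()


def granted_scopes(scope_string):
    """Parse the space-delimited scope string from a token response.

    Non-clinical scopes (openid, fhirUser, launch/patient, ...) are skipped rather
    than rejected, because they carry no resource permission by themselves.
    """
    return [parse_scope(s) for s in scope_string.split() if SCOPE_RE.match(s)]


def scope_allows(granted, context, resource_type, http_method):
    """True if any granted scope covers this request in the given context.

    * in the resource position matches every resource type; * in the permission
    position matches both read and write. Contexts never match each other: a
    user/ scope does not satisfy a patient/ check and vice versa.
    """
    operation = METHOD_TO_OP[http_method.upper()]
    for ctx, resource, permission in granted:
        if ctx != context:
            continue
        if resource not in ("*", resource_type):
            continue
        if permission in ("*", operation):
            return True
    return False


def check_request(scope_string, context, resource_type, http_method):
    """Return (allowed, reason) for a request, for logging an authorization decision."""
    granted = granted_scopes(scope_string)
    if scope_allows(granted, context, resource_type, http_method):
        return True, "permitted by granted scopes"
    needed = "%s/%s.%s" % (context, resource_type, METHOD_TO_OP[http_method.upper()])
    return False, "no granted scope covers " + needed
```

Denial is the default: an unknown method would raise a KeyError rather than be treated as read-only. Enforcing patient/ scopes also requires the server to constrain results to the launch patient's compartment, which this snippet does not do.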

© T-System, Inc. 2023 All Rights Reserved.