When a member is being authenticated, and an identity token is generated for the user, how is that handled by SAFHIR?
For an application to “launch” on SAFHIR we follow the SMART-on-FHIR “Standalone Launch”, which is a profile of the OAuth 2.0 “Authorization Code” flow. The client app launches through its Authorization Server and is sent on to an Identity Provider (IDP). When the user of the launching application submits correct login credentials (known only to the IDP and its users), the launching app is returned an authorization code. The client app then submits that authorization code to the Authorization Server’s Token Endpoint (which in turn submits it to the IDP) and receives an Access Token Response. An Identity Token is returned in the Access Token Response when the “openid” scope is requested in the SAFHIR launch. A Refresh Token is returned in the Access Token Response when the “offline_access” scope is requested in the SAFHIR launch.
Note that this flow requires the client to store a client secret paired with its client (application) ID; as dictated by the SMART Standalone Launch documentation, the secret shall be passed to the Token Endpoint in a Base64-encoded HTTP Basic Authorization header.
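As an added example (not SAFHIR’s own code), the exchange described above in Python: the authorization request carrying the “openid” and “offline_access” scopes, the callback check, the code exchange with the client secret in a Basic header, and a check that the Access Token Response contains the tokens those scopes promise. The endpoint URLs, the client credentials and the `state` round-trip are assumptions; the page does not name them.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints (constructed); a real client reads them from the server.
AUTHORIZE_URL = "https://safhir.example/oauth2/authorize"
TOKEN_URL = "https://safhir.example/oauth2/token"


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: send the user to the Authorization Server. 'openid' asks for an
    Identity Token and 'offline_access' for a Refresh Token; 'state' is a
    per-request random value the client checks when the user comes back."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "aud": "https://safhir.example/fhir",  # SMART: FHIR server URL (placeholder)
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def code_from_callback(callback_url, expected_state):
    """Step 2: the IDP accepted the login and redirected back with a code.
    Reject the code unless 'state' matches what this client originally sent."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: code was not issued for this request")
    return query["code"][0]


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Step 3: exchange the code at the Token Endpoint. Per the SMART standalone
    launch, the client secret goes in a Base64 HTTP Basic header, not the body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return TOKEN_URL, headers, body


def check_token_response(resp, requested_scopes):
    """Step 4: verify the Access Token Response carries what the scopes asked for."""
    if "access_token" not in resp:
        raise ValueError("no access_token in response")
    if "openid" in requested_scopes and "id_token" not in resp:
        raise ValueError("openid requested but no id_token returned")
    if "offline_access" in requested_scopes and "refresh_token" not in resp:
        raise ValueError("offline_access requested but no refresh_token returned")
    return {k: resp.get(k) for k in ("access_token", "id_token", "refresh_token")}
```

The Identity Token returned here is still an unverified JWT; validating its signature against the IDP’s published keys is a separate step.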