Standalone Authorization Walkthrough
The app launch URLs mentioned below are sample URLs that have no functionality. Use your own URL for app launch and redirect URLs. For endpoints, refer to FHIR Base URLs.
Step 1: Launch
When you launch this app, the URI shown here is used. The 'Endpoint' value is the FHIR endpoint from which data will be retrieved.
| Title | Link |
|---|---|
| App launch URL | https://mysmartonfhirapplication.mydomain.com/standalone-authorization-tutorial/launch.html |
| Endpoint | https://fhir-api.fhirprod.aws.greenwayhealth.com/fhir/R4/{tenant-id} |
Step 2: Endpoint Discovery
In this step, your app retrieves the Conformance Statement from the FHIR endpoint. It lists the authorization server endpoints from which your app obtains an authorization code, which it then exchanges for an access token.
| Method | Endpoint |
|---|---|
| Get Discovery Endpoint (Conformance Statement) | https://fhir-api.fhirprod.aws.greenwayhealth.com/fhir/R4/{tenant-id}/metadata |
| Authorization Endpoint | https://auth-api.login.greenwayhealth.com/oauth2/auth-code |
| Token Endpoint | https://auth-api.login.greenwayhealth.com/oauth2/as/token.oauth2 |
Step 3: Get Authorization Code
In this first half of the authorization, your app identifies itself to the authorization endpoint using its client ID and the scopes it needs in order to access clinical data. Your app also provides a state value that identifies the session context your app has established with the authorization server; this is a security measure against Cross-Site Request Forgery (CSRF).
In response, the authorization server displays a consent screen. Once the user grants consent, the authorization server provides your app with an authorization code.
| Method | Endpoint |
|---|---|
| Get Authorization Endpoint | https://auth-api.login.greenwayhealth.com/oauth2/auth-code |
URL Parameters
| Parameter | Value |
|---|---|
| client_id | MGMzYzliNjYtNzI2Yi00MmI3LThmNzUtYmMyMTkzN2I0ZWQ2 |
| response_type | code |
| scope | launch/patient openid fhirUser online_access patient/Patient.read patient/Observation.read |
| state | kawltDHKN7 |
| Returned Authorization Code | QqmMdC19nQ4TdckElFvOSWnp0NVUNTqlWno78iFe |
Step 4: Acquire Access Token
This is the second half of the authorization process. After authenticating the user and obtaining consent for the requested scopes, the authorization server redirects the user back to your app, passing it an authorization code and the state parameter it received from your app.
`https://mysmartonfhirapplication.mydomain.com/standalone-authorization-tutorial/launch.html/callback.html?code=...&state=...`
First, your app must verify that the state value received matches the one it sent in the previous step; a mismatch indicates a possible CSRF attempt and the code must be discarded.
If it matches, your app posts the code obtained in Step 3 along with the parameters below. In exchange, your app receives an access token that it uses to authenticate to the FHIR server, together with a number of claims the app needs in order to function, such as the patient identifier.
POST Token Endpoint
POST Request
```http
POST https://token-endpoint
...
```
| POST Parameter | Value |
|---|---|
| authorization_code | QqmMdC19nQ4TdckElFvOSWnp0NVUNTqlWno78iFe |
| grant_type | authorization_code |
| redirectUri | https://mysmartonfhirapplication.mydomain.com/standalone-authorization-tutorial/launch.html/callback.html |
| client_id | MGMzYzliNjYtNzI2Yi00MmI3LThmNzUtYmMyMTkzN2I0ZWQ2 |
POST Response
```json
{
}
```
| Response Parameter | Value |
|---|---|
| access_token | {token} |
| token_type | Bearer |
| expires_in | 7199 |
| scope | patient/Observation.read |
| patient | 1 |
Step 5: Retrieve Data
Your app uses the token and the patient claim received in the previous step to call the FHIR server to retrieve data.
| GET FHIR API | Value |
|---|---|
| Authorization header | Bearer {token} |
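The client side of Steps 3 to 5 as an added example, not code from the original page or from Greenway. It uses the sample endpoints and client ID from the tables above, keeps the state in a server-side session so the callback can check it with a constant-time compare, and names the token-request fields as RFC 6749 does (`code`, `redirect_uri`); the actual HTTP POST to the token endpoint and the GET to the FHIR server are left out so the code runs offline.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Sample values from the walkthrough; none of these hosts are contacted here.
AUTHORIZE_URL = "https://auth-api.login.greenwayhealth.com/oauth2/auth-code"
FHIR_BASE = "https://fhir-api.fhirprod.aws.greenwayhealth.com/fhir/R4/{tenant-id}"
CLIENT_ID = "MGMzYzliNjYtNzI2Yi00MmI3LThmNzUtYmMyMTkzN2I0ZWQ2"
REDIRECT_URI = ("https://mysmartonfhirapplication.mydomain.com/"
                "standalone-authorization-tutorial/callback.html")  # assumed registered redirect
SCOPE = ("launch/patient openid fhirUser online_access "
         "patient/Patient.read patient/Observation.read")

def build_authorize_url(session: dict) -> str:
    """Step 3: URL to send the browser to. The state is fresh, random and
    stored in the user's server-side session so the callback can verify it."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPE,
              "state": session["oauth_state"]}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback(session: dict, callback_url: str) -> str:
    """Step 4, first half: check state before doing anything with the code."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)          # single use
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF, code discarded")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]

def token_request(code: str) -> dict:
    """Step 4, second half: form body to POST to the token endpoint (RFC 6749 4.1.3)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}

def fhir_request(token_response: dict, resource: str) -> tuple:
    """Step 5: URL and headers for a read scoped to the patient claim."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    url = f"{FHIR_BASE}/{resource}?patient={token_response['patient']}"
    headers = {"Authorization": f"Bearer {token_response['access_token']}",
               "Accept": "application/fhir+json"}
    return url, headers
```

The state is popped from the session on first use, so a replayed callback fails the check even if it carries the right value.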