FHIR Chat · app link authentication · cds hooks

Stream: cds hooks

Topic: app link authentication


Stefan Dimitrov (May 17 2017 at 23:13):

With CDS-Hooks, how is the CDS Service expected to authenticate the EHR user who clicks on an App Link? Is it OK for the CDS Service to issue a JWT token when the CDS Hook is invoked and append it as a parameter to the absolute URL of the App Link, or is there a better approach? Or maybe absolute URLs are not the best choice when we need to identify the EHR user, and a SMART App should be used instead? If that's the case, are there any open-source SMART App implementations which demonstrate the OAuth2 & OpenID parts of the SMART spec?

Kevin Shekleton (May 18 2017 at 05:55):

Here is our proposed security model. (Note: this has yet to see implementer feedback)

Stefan Dimitrov (May 18 2017 at 15:19):

@Kevin Shekleton thank you for your reply. I have seen the proposed security model, but it does not address my question. It addresses 3 points: 1) the EHR trusting the CDS Services to invoke; 2) the CDS Service trusting communication with EHRs invoking them; 3) the CDS Service being able to access the FHIR server of the EHR. But it does not cover the app launched through a CDS hook trusting the EHR user who clicked on the link.

Kevin Shekleton (May 18 2017 at 16:55):

Sorry @Stefan Dimitrov, I misread your question. For app links, if you are looking for a security model around your app links, you should return a SMART app link in your card. The EHR will then go through the standard SMART app launch workflow to authorize and launch the app.

Kevin Shekleton (May 18 2017 at 16:56):

You are correct in that if you want user identity, patient context, access to the FHIR server, etc., then returning a SMART app link is the way to go rather than an absolute URL link.

Kevin Shekleton (May 18 2017 at 17:00):

As far as open source SMART on FHIR reference implementations go, there was a recent thread on the SMART mailing list that covered this, which you would be interested in. You can read it here. Additionally, you can check the #smart stream here.


Last updated: Apr 12 2022 at 19:14 UTC