FHIR Chat · Multi-domain IUA with FHIR · implementers

Stream: implementers

Topic: Multi-domain IUA with FHIR


Bill Wallace (Feb 05 2019 at 13:40):

I’ve been looking into using OpenID with FHIR, and in particular with multiple potential source authentication services (e.g., for the connectathon MHD where there are several IUA providers). Given that the token may, in general, be an opaque token, how does one tell which provider to test it against to validate the bearer token and retrieve the user information? That is, a header of:
Authorization: Bearer SlAV32hkKG
If one only allows 1 authorization provider, it is trivial to authorize that, but with more than one it isn’t clear which system to pass that to. Essentially I’m wondering how to extract what user domain this bearer token is for. Here, the user is logging into some external page, and then using the bearer tokens against a remote service, not using the authorization login page services directly.

Michael Donnelly (Feb 05 2019 at 17:21):

You could use a JWT as your bearer token.


Last updated: Apr 12 2022 at 19:14 UTC