FHIR Chat · SMART on FHIR: How does the authorization gets the context · implementers

Stream: implementers

Topic: SMART on FHIR: How does the authorization gets the context

view this post on Zulip Sanjaai (Apr 07 2022 at 17:28):

Within a SOF EHR launch, if the application specifies the launch scope and launch parameter, my understanding is that the authorization server returns the context information ( patient , encounter etc) in the authorization response.
From the deployment point of view, traditionally authorization servers are independent entities from the business and clinical systems. i.e. only performing the business of authentication and authorization duties.
How does the authorization server obtain the actual EHR context to be returned within authorization response?

Is there an inherent expectation that Authorization Server reaches out to clinical\EHR system to obtain the current context?

view this post on Zulip David Pyke (Apr 07 2022 at 18:04):

These are good questions for #smart

view this post on Zulip Michele Mottini (Apr 07 2022 at 19:12):

Is there an inherent expectation that Authorization Server reaches out to clinical\EHR system to obtain the current context?

Yes. The authorization server must be linked somehow with the clinical side of things

view this post on Zulip Sanjaai (Apr 07 2022 at 19:17):

Michele Mottini said:

Is there an inherent expectation that Authorization Server reaches out to clinical\EHR system to obtain the current context?

Yes. The authorization server must be linked somehow with the clinical side of things

Thanks, In that case overall capability of SOF is always deployment(SOF) specific, instead of just fhir server or Auth server separately. Is there standard approach/ interface to link these two entities at present ?

view this post on Zulip Michele Mottini (Apr 07 2022 at 19:52):

No standards that I know of

view this post on Zulip Sanjaai (Apr 07 2022 at 20:05):

thank you @Michele Mottini

view this post on Zulip Josh Mandel (Apr 07 2022 at 22:13):

The discussion here sounds correct to me. It is the job of the authorization server to gather the context necessary to authorize a launch, including patient context when required. I'm not sure that we could productively standardize the internal details of how this occurs.

view this post on Zulip Sanjaai (Apr 07 2022 at 23:55):

Thank you @Josh Mandel
Understand its a tricky integration to standardize. I was looking for something like an EHR even topic Auth server can subscribe to and EHR service can publish.
This clarifies my question. Thank you both.

Last updated: Apr 12 2022 at 19:14 UTC


An HL7 Website -