Stream: implementers
Topic: Shared Auth Server - Cross Org Exchange
Sheridan Cook (Mar 18 2020 at 21:56):
Is anyone using OAuth/SMART in a scenario where multiple clients and resource servers want to share the same centralized authorization server (pre-reg'd with client and user information) to request access tokens, but they want those access tokens to be specific to user permissions instead of tied to broadly-based client permissions?
I'm thinking through a scenario where we don't want to make the client connect to 10 auth servers for 10 different resource servers. And we don't want to make the resource servers connect to a bunch of different auth servers to perform token validation. And in this scenario, we don't want access scope to be client-oriented like the EHR-to-EHR Argonaut profile accommodates.
I've read through the OAuth2 Authorization Grant Types and don't feel like this scenario sits squarely in either authentication code grant type or client credential grant type.
Has anyone implemented something similar to the scenario described above?
Lloyd McKenzie (Mar 18 2020 at 21:57):
@Josh Mandel
Joel Schneider (Apr 04 2020 at 06:21):
If the user's access token is a JSON Web Token (JWT), it's possible to include custom claims in the JWT payload. The custom claims can express granular user permission details.
Not really my area of expertise, but we've implemented something like this.
Jens Villadsen (Apr 04 2020 at 21:45):
We are doing this - and embedding custom claims in the JWT. In our setup you also need to request specifics in the JWT. The JWT ends up containing rights (e.g. Patient.read) and context (e.g. EpisodeOfCare/123) which are then accepted across the servers hosting different types of resources.
John Moehrke (Apr 07 2020 at 16:11):
IHE has an OAuth implementation guide that has some JWT custom claims to support things like PurposeOfUse, name of user, organization of user, etc.
Jose Costa Teixeira (Apr 07 2020 at 16:16):
Very timely information, @John Moehrke. Where can I find that guidance?
John Moehrke (Apr 07 2020 at 16:17):
https://wiki.ihe.net/index.php/Internet_User_Authorization
Jose Costa Teixeira (Apr 07 2020 at 16:25):
thanks. shared.
Last updated: Apr 12 2022 at 19:14 UTC