FHIR Chat · SMART App Launch with Client Credentials Flow · smart

Stream: smart

Topic: SMART App Launch with Client Credentials Flow


Bernard Stibbe (Sep 27 2021 at 14:01):

Are there any examples of launching an app using the "Client Credentials Flow" from OAuth2? Here the SMART authorization is simpler and more direct, because there are no users involved.

Josh Mandel (Sep 27 2021 at 14:50):

We don't call this an app launch -- but you could build a SMART Backend Services integration that happens to include a user facing application. The distinction is the trust model: if there is nothing to tell the EHR what user is running the app, then the trust is better the EHR and the service itself.

Bernard Stibbe (Sep 27 2021 at 15:33):

Hello @Josh Mandel

I don't understand "the trust is better the EHR and the service itself"?
We start a module (service) from an (EHR) portal. The portal and module are registered and authenticated.
But we need to have a launch context for the module. How do we do that?

Josh Mandel (Sep 27 2021 at 15:52):

I'm not saying anything about "better" -- but if you want to provide Launch Context for an app, using our existing standards, you'll need to use the App Launch profile.

Josh Mandel (Sep 27 2021 at 15:53):

This needn't entail any additional user-facing steps; the flow can be automatic from the user's perspective.

Bernard Stibbe (Sep 27 2021 at 16:05):

The problem with the authorization code flow is for the (confidential) apps.
HTTP Basic authentication via an Authorization header is (now) required, where the username is the app's client_id and the password is the app's client_secret. However, we are using signed tokens to authenticate (confidential) apps.

Josh Mandel (Sep 27 2021 at 16:26):

In the upcoming SMARTv2 release, SMART App Launch clients can authenticate to the token endpoint using a JWS (just as with backend services) rather than a symmetric secret. This is still an authorization code flow though (i.e., the grant is an authorization code).

Josh Mandel (Sep 27 2021 at 16:27):

https://build.fhir.org/ig/HL7/smart-app-launch (see the authentication items in the menu)


Last updated: Apr 12 2022 at 19:14 UTC