FHIR Chat · Server authentication testing · smart

Stream: smart

Topic: Server authentication testing


Ward Weistra (Jul 06 2021 at 10:55):

Hi all, for adding authentication to Firely Terminal's FHIR client I'm trying to get an overview of the FHIR server authentication landscape.
In our upcoming test release, we've added Basic Auth (user provides password/username directly) and the ability to provide your own headers, which can of course include a Bearer token that you have sourced from any flow, including from a SMART on FHIR OAuth2 flow.

I've heard requests for basic auth, know the three-legged OAuth2 SMART on FHIR flow (including app registration and user login in browser) is used. Any other common flows I'm missing, and would you have an estimate of how widely used they are? Any test servers with authentication would be most welcome too. Thanks!

Josh Mandel (Jul 06 2021 at 13:52):

SMART Backend Services uses asymmetric secrets (public/private key pairs) to authenticate a client (this is currently documented at https://hl7.org/fhir/uv/bulkdata/authorization/index.html and will migrate into the SMART App Launch spec in the next publication).

Gino Canessa (Jul 07 2021 at 18:10):

For test servers:

Otherwise, https://confluence.hl7.org/display/FHIR/Public+Test+Servers has annotations on most entries describing supported auth.

Ward Weistra (Jul 27 2021 at 15:14):

@Josh Mandel @Gino Canessa Thanks both! I'm going to check those.
From all the servers that listed authentication in the public (or connectathon) test servers I couldn't log in to any with the provided credentials :smile:
I did successfully test with @Michele Mottini's Care Evolution test server https://fhir.careevolution.com using the auth token header.


Last updated: Apr 12 2022 at 19:14 UTC