FHIR Chat · include fhir server address in id token claims? · smart

Stream: smart

Topic: include fhir server address in id token claims?


Sean McIlvenna (May 27 2020 at 21:17):

Is it possible to return the FHIR server base url as a claim in the id_token?

Josh Mandel (May 27 2020 at 22:33):

That behavior is something you currently get if a server uses an absolute URI for fhirUser, but I think you're asking for a reliable way for a client to get this :-)

Jenni Syed (May 27 2020 at 22:43):

Usually the FHIR server would be known before the id_token, since apps start at the FHIR server to discover the auth endpoint. Are you wanting it in the id_token for "storage", or for that id_token to be passed around with context?

Jenni Syed (May 27 2020 at 22:43):

Technically the id_token isn't tied to a specific FHIR server endpoint... it's tied to a specific auth endpoint (or issuer in the OpenID world...)

Sean McIlvenna (May 28 2020 at 01:12):

@Jenni Syed trying to pass it around with context

Sean McIlvenna (May 28 2020 at 01:13):

The approach I took was to store the FHIR server "iss" passed from the initial launch as part of the state when authenticating, and then pass the FHIR server to my application server from the state. I was hoping to get it from claims in the id_token... but, thinking about it, your comment about the FHIR server not being known to the auth server makes sense. The FHIR server is aware of the auth server, but not the other way around?

Josh Mandel (May 28 2020 at 01:42):

Each needs to be aware of the other. The authorization server needs to be aware of the FHIR server to be able to validate the aud parameter passed into the authorize endpoint...

Jenni Syed (May 28 2020 at 15:21):

@Josh Mandel agreed, but technically the id token is a representation of the user authenticated and not the app/where that was authenticated to. In our system, we have multiple FHIR servers that the id token could be valid for, though we choose one for the profile URL itself, e.g. different FHIR version implementations.

Jenni Syed (May 28 2020 at 15:22):

We have apps today that run against both our DSTU 2 and our R4 FHIR instances.

Last updated: Apr 12 2022 at 19:14 UTC