Auth - Basic question

Hello all, my first post here so please excuse any mistake. I also should say I am a beginner in the topic so this is a quite fundamental question, but your help is highly appreciated as your input is the only form of expert input I have available.

Question:
I am using SMART + Azure FHIR API, but I am struggling to understand how an authenticated account (say a hotmail user) can be paired to a specific patient and therefore access the resources.

For example, user999@email.com should only be able to access Patient/1234. Does it mean that:

  • The patient ID needs to equal the e-mail address?
  • A server admin needs to enable the resource manually for each user somehow?
  • The patient itself needs to know his/her own resource ID?

Again, your help is much appreciated and necessary! Thanks in advance.

First of all, a user account may have access to more than one patient record (e.g. family members). It may not have access to the same person's record.

The matching from user account to patient(s) is out-of-band of the authorization. It has to be done somehow by some service somewhere that manages the process. Typically, in the USA, a hospital will give users a username and password.


Reading more about the launch context of SMART, I realised that there are 2 ways to get the patient context:

  1. Send it as part of the authorize() headers (e.g. launch=[base64 patient:id pair])
  2. Get it from the server in the access_token response (e.g. patient: “123”)

The first method is clear to me but seems unsafe, since all the app needs to know is the patient id in order to set it as the context.

The second method I still don’t fully understand. How can I set my server (Azure in my case) to send back a patient id depending on the authenticated AD account? An example or resource would be very welcome.

In some circumstances the patient context is known by the app, though the server still needs to check it. I don’t know the Azure server, so I can’t help you with that question.


The patient.id that is in the context is information for the app to use. All FHIR requests that the app makes will be checked with OAuth security. So the context.id is not part of the security layer; it is the UI “context”. So, in both cases OAuth manages security, which is what authorization is actually for.


I believe I have a slightly better grasp on the topic now after struggling with it for a couple days. What SMART is doing seems to be:

  • Sending a fhirUser scope in the OAuth call
  • Getting back an id_token (JWT) in the token_response together with the access_token itself
  • Using the id_token’s profile or fhirUser entry to define the patient’s context.

Now when I decode the id_token I am getting from Azure I don’t see either of these entries, perhaps it needs to be manually set somehow?
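As an added worked example (not code from this thread, from Azure, or from the SMART libraries), the following Python reads the patient context from a token response in both ways described above and shows why an id_token that carries neither `fhirUser` nor `profile` yields no context; the token-response shape and the sample claims are constructed.

```python
import base64
import json

# Constructed example, not code from the thread or from Azure/SMART.
# Patient context can arrive in two places: the `patient` launch-context
# parameter next to the access_token, or the id_token's `fhirUser` claim
# (older servers used `profile`), which is only a patient context when the
# reference points at a Patient resource.

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def decode_id_token_claims(id_token):
    """Return the JWT payload without verifying the signature.
    Fine for inspecting what the server sent; before trusting the claims
    a real app checks the signature against the server's published keys
    and validates iss, aud and exp."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))

def patient_context(token_response):
    """Return (patient_id, source) for the UI context, or (None, None)
    when the token response carries no patient context at all."""
    patient = token_response.get("patient")       # SMART launch context
    if patient:
        return patient, "patient"
    id_token = token_response.get("id_token")     # needs openid + fhirUser
    if not id_token:
        return None, None
    claims = decode_id_token_claims(id_token)
    for claim in ("fhirUser", "profile"):
        ref = claims.get(claim)
        # fhirUser may name a Practitioner or RelatedPerson instead.
        if isinstance(ref, str) and "Patient/" in ref:
            return ref.rsplit("Patient/", 1)[1], claim
    return None, None

def make_unsigned_jwt(claims):
    """Build an alg=none JWT for offline testing (never accept one in prod)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Whatever the context resolves to, it only steers the UI: every FHIR request still has to pass the server's OAuth check on the access_token, as the replies above point out.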