Hello all. I have a few questions regarding user authentication/authorization. I have looked on the community site for an answer but didn’t see anything related to my question. I am fairly new to this particular technology stack, so I apologize in advance if this seems fuzzy.
My client has a current IAM solution that uses a COTS product for SAML and OAuth/OIDC authentication and high level authorization. The issue is that the product does not support the SMART framework. I’m wondering if there is a way to decouple the authentication and authorization so that the current IAM solution could do the authentication (most of our current Medicaid users are already in this user store for a different app) and then redirect to another authorization service for the authorization?
If the answer is yes (you can decouple), would that mean that any potential 3rd party app would need to know that authentication can’t perform any SMART framework work?
As a follow-on, I would also assume that the 3rd party app would contact the FHIR API for the capability statement which would end up sending the user to my IAM solution for authentication which would then have to send the user somewhere else for authorization and then finally back to the FHIR API.
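An added example, not code from the original post, showing what a third-party SMART app actually consumes from the flow described above: it reads the authorize/token endpoints that the FHIR server advertises in its CapabilityStatement security extension and builds the authorize request (with state and PKCE). Whether that authorization server authenticates users itself or federates to an existing IAM is invisible to the app. All URLs, the client id and the redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Extension URL defined by the SMART App Launch spec for advertising OAuth endpoints.
SMART_OAUTH_URIS = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

# Constructed sample: the security section of a CapabilityStatement as a
# SMART-enabled FHIR server would publish it under /metadata.
SAMPLE_CAPABILITY_STATEMENT = {
    "resourceType": "CapabilityStatement",
    "rest": [{
        "mode": "server",
        "security": {
            "service": [{"coding": [{"system": "http://hl7.org/fhir/restful-security-service",
                                     "code": "SMART-on-FHIR"}]}],
            "extension": [{
                "url": SMART_OAUTH_URIS,
                "extension": [
                    {"url": "authorize", "valueUri": "https://authz.example.org/oauth2/authorize"},
                    {"url": "token", "valueUri": "https://authz.example.org/oauth2/token"},
                ],
            }],
        },
    }],
}


def smart_endpoints(capability_statement):
    """Return {'authorize': ..., 'token': ...} from the SMART oauth-uris extension.

    This is all the app learns about the server's security; the authorization
    server behind these URLs may delegate user authentication to any IdP it likes.
    """
    for rest in capability_statement.get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") == SMART_OAUTH_URIS:
                uris = {sub["url"]: sub["valueUri"] for sub in ext.get("extension", [])}
                if "authorize" in uris and "token" in uris:
                    return uris
    raise ValueError("server does not advertise SMART OAuth endpoints")


def new_code_verifier():
    """Fresh PKCE verifier (43-128 URL-safe chars); keep it client-side until token exchange."""
    return secrets.token_urlsafe(64)


def build_authorize_url(endpoints, client_id, redirect_uri, fhir_base, scope, state, code_verifier):
    """Build the SMART/OAuth authorize request the app redirects the browser to."""
    digest = hashlib.sha256(code_verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match the registered value exactly
        "scope": scope,
        "state": state,                 # unguessable, checked on return to stop CSRF
        "aud": fhir_base,               # binds the grant to this FHIR server
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return endpoints["authorize"] + "?" + urlencode(params)
```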