aehrc / smart-forms

React-based form renderer implementing Structured Data Capture (SDC) FHIR specification
https://smartforms.csiro.au
Apache License 2.0

SMART launcher auth token endpoint URL #350

Closed dattachandan closed 1 year ago

dattachandan commented 1 year ago

While launching smartform.io from the smarthealthit launcher using provider and patient context, where does the app get the /token from? Why is the app following an Auth code flow (authorization_code) as well?


Also confirming if this is the implemented flow for establishing the provider and patient context? Is the /auth token call for this highlighted step?


fongsean commented 1 year ago

Going through the entire launch auth flow step-by-step:

  1. Launch: This is the action of clicking on the "Launch" button in the SMART Launcher. It launches the app.

  2. Get auth server: The app initially doesn't know the location of the auth server, so it has to request the auth server's endpoint from the CMS server. In this case it is a GET request: https://launch.smarthealthit.org/v/r4/fhir/.well-known/smart-configuration
     In the response, the auth server endpoint is defined as https://launch.smarthealthit.org/v/r4/auth. The app now knows where to go to be authenticated.

  3. Request authorisation: Now, since the app knows where to be authenticated, it asks the browser to navigate to the auth server's authorize endpoint to get an authorization code. In this case: https://launch.smarthealthit.org/v/r4/auth/authorize
     This navigation request consists of all the launch params defined in the first step, i.e. client id, scopes, redirect uri, etc. If the auth server accepts this request, it generates an authorization code.

  4. Redirect to app: If an authorization code is generated, the user is redirected back to the app with the authorization code. Otherwise, you get blocked from proceeding further. A page showing "unauthorised" might be shown along with the reasons why you aren't authorised (possibly due to mismatched scopes or a client id).

  5. Token exchange: Now that the app has an authorization code, it performs a POST request to the auth server's token endpoint to trade its authorization code for an access token. In this case: https://launch.smarthealthit.org/v/r4/auth/token
     This access token can now be used when making requests to the CMS's FHIR API.

Here's where the steps fit in your screenshot.

Hope that helps.
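The HTTP-level steps from the reply above (discover the auth server, build the authorize navigation, validate the redirect, build the token POST) as an added JavaScript example; this is not code from smart-forms or its author. The two endpoint URLs are the ones quoted in the reply; the client id, redirect URI, scopes, state and launch token are constructed sample values. Real SMART App Launch v2 clients additionally send a PKCE code_challenge on the authorize request and the matching code_verifier on the token request, which is left out here.

```javascript
// Added example, not smart-forms code. Constructed sample config (endpoints from the reply above).
const SAMPLE_SMART_CONFIG = {
  authorization_endpoint: "https://launch.smarthealthit.org/v/r4/auth/authorize",
  token_endpoint: "https://launch.smarthealthit.org/v/r4/auth/token",
};

// Step 2: the app learns the auth server from the EHR's smart-configuration document.
function discoverEndpoints(smartConfig) {
  const { authorization_endpoint, token_endpoint } = smartConfig;
  if (!authorization_endpoint || !token_endpoint) throw new Error("no authorize/token endpoint");
  return { authorizationEndpoint: authorization_endpoint, tokenEndpoint: token_endpoint };
}

// Step 3: build the browser navigation to the authorize endpoint with the launch params.
// `aud` binds the request to the FHIR server the token will later be used against.
function buildAuthorizeUrl(authorizationEndpoint, p) {
  const url = new URL(authorizationEndpoint);
  const params = { response_type: "code", client_id: p.clientId, redirect_uri: p.redirectUri,
    scope: p.scope, state: p.state, aud: p.aud, ...(p.launch ? { launch: p.launch } : {}) };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Step 4: the auth server sends the browser back with ?code=...&state=... (or ?error=...).
// Accept the code only if `state` equals the value this app generated in step 3;
// otherwise the code was not issued for this login attempt and must be discarded.
function parseRedirect(redirectUrl, expectedState) {
  const sp = new URL(redirectUrl).searchParams;
  if (sp.get("error")) throw new Error(`authorization refused: ${sp.get("error")}`);
  if (sp.get("state") !== expectedState) throw new Error("state mismatch");
  const code = sp.get("code");
  if (!code) throw new Error("redirect carries no authorization code");
  return code;
}

// Step 5: POST the code to the token endpoint (grant_type=authorization_code).
// Returns the fetch() arguments instead of sending them, so the example runs offline.
function buildTokenRequest(tokenEndpoint, { code, redirectUri, clientId }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code", code, redirect_uri: redirectUri, client_id: clientId });
  return { url: tokenEndpoint, method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: body.toString() };
}
```

Pass the object returned by buildTokenRequest to fetch(req.url, req) and read access_token from the JSON response; that token is what the app then sends as a Bearer token on FHIR API calls.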

fongsean commented 1 year ago

Hey @dattachandan, are you happy for me to close this issue given it has been stale for a bit?