Closed salpcnsi closed 3 years ago
Ahh - you noticed I'm not validating the access token when calling the actual FHIR API :). The goal of this reference implementation is really just to show the actual SMART dance and all the steps that are required. The only reason I even have a FHIR API at all is really just for demonstration purposes. The expectation is of course organizations will actually provide a real FHIR implementation, which would of course introspect the tokens and apply both coarse and fine grained authorization.
That being said, it'd be quite simple to add a JWT validator in my serverless.yml file, so I'm game for adding it!
Also, in terms of the access policy, I do have a reference to that here: https://github.com/dancinnamon-okta/okta-smartfhir-docs/blob/main/SETUP.md#access-policies Perhaps it's not descriptive enough?
I think the confusion here is that the section reads: "Note: There should already be 1 access policy that you created during the prerequisites."
Which is odd, since there were no prerequisite steps touching access policies.
Thank you for your comments on this! I have updated the setup guide to add the steps for the access policy setup. I'll create a new issue over on the okta-smartfhir-demo repository with the lambda authorizer.
Thanks @dancinnamon-okta for providing this ref implementation.
A few comments:
But this is an excellent reference for someone to understand how SMART on FHIR auth is supposed to work.