smart-on-fhir / client-py

Python SMART on FHIR client
http://docs.smarthealthit.org
Other
591 stars 211 forks source link

Detect oauth2 even if there's no authorize_uri #135

Closed mikix closed 3 months ago

mikix commented 1 year ago

As long as we have a JWT and there's a token_uri, we can talk oauth2.

I ran into this while testing the bulk export flow against https://bulk-data.smarthealthit.org which does not expose an authorize_uri, but does expose token_uri and can talk oauth2 with JWTs just fine.

I am not confident that this is the best solution, but it is a solution. Should the code be even dumber and just use oauth2 if the http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris security extension is present at all? Given that there is no other auth system to fall back to, it seems reasonable to err on the side of oauth2. Happy to tweak this as folks like, or leave it as is.