Publishing OAuth2 URLs

If a server requires SMART on FHIR authorization for access, its conformance statement must support automated discovery of OAuth2 endpoints by including a "complex" extension (that is, an extension with multiple components inside) on the Conformance.rest.security element. Any time a client sees this extension, it must be prepared to authorize using SMART's OAuth2-based protocol.

The top-level extension uses the URL http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris, with the following internal components:

| Component | Required? | Description |
|-----------|-----------|-------------|
| authorize | required | valueUri indicating the OAuth2 "authorize" endpoint for this FHIR server. |
| token | required | valueUri indicating the OAuth2 "token" endpoint for this FHIR server. |
| register | optional | valueUri indicating the OAuth2 dynamic registration endpoint for this FHIR server, if supported. |
| manage | optional | valueUri indicating the user-facing authorization management workflow entry point for this FHIR server. Overview in this presentation. |

Example conformance statement (as JSON)

```json
{
  "resourceType": "Conformance",
  ...
  "rest": [{
    ...
    "security": {
      "service": [
        {
          "coding": [
            {
              "system": "http://hl7.org/fhir/restful-security-service",
              "code": "SMART-on-FHIR"
            }
          ],
          "text": "OAuth2 using SMART-on-FHIR profile (see http://docs.smarthealthit.org)"
        }
      ],
      "extension": [{
        "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
        "extension": [{
          "url": "token",
          "valueUri": "https://my-server.org/token"
        },{
          "url": "authorize",
          "valueUri": "https://my-server.org/authorize"
        },{
          "url": "manage",
          "valueUri": "https://my-server.org/authorizations/manage"
        }]
      }],
    ...
```
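A client-side discovery routine for the oauth-uris extension described above, as an added example (not code from the SMART on FHIR project). The sample Conformance statement and the my-server.org hostnames are constructed to mirror the page's example; the HTTPS check is an extra safeguard beyond what the page itself requires.

```python
import json
from typing import Optional

# Extension URL and component names from the page's table.
OAUTH_URIS_EXT = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
REQUIRED = ("authorize", "token")
OPTIONAL = ("register", "manage")

# Constructed sample modelled on the page's example; my-server.org is a placeholder.
SAMPLE_CONFORMANCE = json.loads("""{
  "resourceType": "Conformance",
  "rest": [{"security": {
    "service": [{"coding": [{"system": "http://hl7.org/fhir/restful-security-service",
                             "code": "SMART-on-FHIR"}]}],
    "extension": [{
      "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
      "extension": [
        {"url": "token", "valueUri": "https://my-server.org/token"},
        {"url": "authorize", "valueUri": "https://my-server.org/authorize"},
        {"url": "manage", "valueUri": "https://my-server.org/authorizations/manage"}
      ]
    }]
  }}]
}""")


def discover_oauth_uris(conformance: dict) -> Optional[dict]:
    """Return {component: uri} from the oauth-uris extension on rest.security.
    None means the server does not advertise SMART authorization; a malformed
    extension raises ValueError so the client never starts a half-configured flow."""
    for rest in conformance.get("rest", []):
        security = rest.get("security") or {}
        for ext in security.get("extension", []):
            if ext.get("url") != OAUTH_URIS_EXT:
                continue
            uris = {}
            for sub in ext.get("extension", []):
                name, uri = sub.get("url"), sub.get("valueUri")
                if name in REQUIRED + OPTIONAL and isinstance(uri, str):
                    uris[name] = uri
            missing = [c for c in REQUIRED if c not in uris]
            if missing:
                raise ValueError(f"oauth-uris extension lacks required component(s): {missing}")
            # Added check beyond the page text: OAuth2 endpoints must use TLS, or
            # authorization codes and tokens would travel in the clear.
            insecure = [n for n, u in uris.items() if not u.lower().startswith("https://")]
            if insecure:
                raise ValueError(f"non-HTTPS OAuth2 endpoint(s): {insecure}")
            return uris
    return None
```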