learning SMART

       Bitbucket: https://salvador-rodriguez.bitbucket.io

What is SMART?

  • Substitutable Medical Applications and Reusable Technologies
  • It is a set of open specifications to integrate apps with Health IT systems
    • OAuth2 - authentication
    • OpenID - authorization

OAuth2

Roles

  1. Resource owner
  2. Client
  3. Resource server
  4. Authorization server

OAuth2

Application registration

  1. Name
  2. Website
  3. Redirect URL(s)
  4. Scope


https://apporchard.epic.com/

OAuth2

Authorization grant types

  • Authorization code
  • Implicit
  • Resource owner password credentials
  • Client credentials

OpenID

  • Built on top of OAuth2
  • Allows applications to verify the identity of an end user
  • Supports two authentication flows:
    • Implicit
    • Authorization code

Authorization code flow

  • Optimized for server-side applications
  • Redirect-based flow (interaction with the user's browser)

SMART on FHIR flow

Launch

Conformance



Authorize



Redirect



Access Token

  • The app trades the code for an access token
  • POST - content-type 'application/x-www-form-urlencoded'
    • grant_type
    • code
    • redirect_uri
    • client_id
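An added example, not code from the slides, that walks the SMART on FHIR flow the deck outlines (Conformance, Authorize, Redirect, Access Token, Authorization header) as a set of small client-side functions. It makes no network calls: the conformance statement, redirect URL and token response are constructed sample data, and every host, client id and code is a placeholder. The `launch` and `aud` request parameters are SMART App Launch additions on top of plain OAuth2; the token request uses the RFC 6749 parameter name `redirect_uri`. The `state` value is included because it is what lets the app reject a redirect that was not started by its own session.

```python
"""Added example: a minimal, offline SMART on FHIR authorization-code client.

Not the project's or the slides' own code. Sample data is constructed inline
and all URLs/ids are placeholders.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Extension SMART uses inside a Conformance/CapabilityStatement resource
# to advertise the EHR's OAuth2 endpoints.
OAUTH_URIS_EXT = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"

# Constructed sample conformance statement (placeholder host).
SAMPLE_CONFORMANCE = {
    "resourceType": "Conformance",
    "rest": [{"security": {"extension": [{
        "url": OAUTH_URIS_EXT,
        "extension": [
            {"url": "authorize", "valueUri": "https://ehr.example/oauth2/authorize"},
            {"url": "token", "valueUri": "https://ehr.example/oauth2/token"},
        ],
    }]}}],
}


def discover_endpoints(conformance: dict) -> tuple[str, str]:
    """Step 'Conformance': find the authorize and token URLs."""
    for rest in conformance.get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") == OAUTH_URIS_EXT:
                uris = {e["url"]: e["valueUri"] for e in ext.get("extension", [])}
                if "authorize" in uris and "token" in uris:
                    return uris["authorize"], uris["token"]
    raise ValueError("conformance statement advertises no SMART OAuth2 endpoints")


def build_authorize_url(authorize_url: str, client_id: str, redirect_uri: str,
                        scope: str, launch: str, aud: str, state: str) -> str:
    """Step 'Authorize': URL the user's browser is sent to. `state` must be an
    unguessable per-session value the app stores for the redirect check."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "launch": launch,   # launch context token handed over by the EHR
        "aud": aud,         # FHIR server base URL the token is meant for
        "state": state,
    }
    return f"{authorize_url}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 'Redirect': pull the code out, refusing a foreign or failed redirect."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not tied to this session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if "code" not in q:
        raise ValueError("redirect carries no authorization code")
    return q["code"][0]


def build_token_request(code: str, redirect_uri: str, client_id: str) -> tuple[dict, str]:
    """Step 'Access Token': headers and form-encoded body for the POST."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the value used at authorize
        "client_id": client_id,
    })
    return headers, body


def bearer_header(token_response_json: str) -> dict:
    """Step 'Authorization header': header for the app's FHIR API calls."""
    tok = json.loads(token_response_json)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"Authorization": f"Bearer {tok['access_token']}"}


if __name__ == "__main__":
    authz, token_url = discover_endpoints(SAMPLE_CONFORMANCE)
    state = "s1"   # constructed; use secrets.token_urlsafe() in a real app
    print(build_authorize_url(authz, "app-123", "https://app.example/cb",
                              "launch patient/*.read", "xyz",
                              "https://ehr.example/fhir", state))
    code = parse_redirect("https://app.example/cb?code=abc&state=s1", state)
    print(token_url, *build_token_request(code, "https://app.example/cb", "app-123"))
    print(bearer_header('{"access_token": "tok", "token_type": "Bearer"}'))
```

In a real app the `POST` to the token URL and the later FHIR requests are made with an HTTP client; the functions above only build the request pieces so that each step of the flow can be checked in isolation.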


Authorization header