Working with Alternate Authentication Sequences (SMART on FHIR)

Good Morning.

There is an OAuth 2 system called SMART on FHIR which is used for electronic health record (EHR) systems. OIDC is part of that, so I’ve set up this particular provider as an IdP so I can log in to my system using credentials from the SMART on FHIR provider.

Now I need to do the next step, which is the SMART bit.

The idea with SMART is that you start from a session on the EHR (because all your billing, patient info and so on is there) and my system would provide a specific service, say analysis of ultrasound studies. So the doctor is looking at the records for some patient, and wants to look in greater detail at the ultrasounds my app provides. When he launches my app he needs to be logged into my system and looking at the correct study.

The flow looks like this (compiled from HL7.FHIR.UV.SMART-APP-LAUNCH\Overview - FHIR v4.0.1 and HL7.FHIR.UV.SMART-APP-LAUNCH\Overview - FHIR v4.0.1 since I only get one image)

And if you look farther down that page you’ll see token refresh and all that.

I’m not an expert, but some of that looks like how you communicate with an IdP. I would prefer to have Keycloak manage the sessions with the EHR and simply pass the tokens I need to communicate with the EHR and the patient ID that comes with the access token response.

Any advice on how to do this would be greatly appreciated.


Hi @adamvandenhovenfm

We are facing the same scenario. Did you get the solution for this?

No, we haven’t. I did see this project but I haven’t had time to try it out to see if I can use it to do what I want. It seems to have more parts than I need (being a whole platform for building apps). I’ve told my powers-that-be that we should spend time investigating this before spending too much time trying to get SMART into Keycloak.

Has anything been figured out on building these SMART on FHIR capabilities on top of an OAuth server? We are trying to determine a solution to a similar problem.

Appreciate your thoughts/suggestions.

There is a limitation in Keycloak (KC): it only forwards query params up to 200 characters in length, but we received a launch token from the SMART app of about 1,000 characters.
So you may have to store the token at your own endpoint and forward the request to KC for authentication. In the IdP configuration, set the Auth URL to your app URL, receive the query params there, and then forward them to the EPIC auth URL together with the received query params.
The rest of the flow is as normal.
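The two-hop workaround described in this post, written out as an added example (not code from the thread or from any Keycloak extension project): the endpoint that receives the EHR launch stashes the long parameters server-side and sends the browser to Keycloak with only a short, unguessable reference in the query; the same endpoint, configured as the IdP "Auth URL", later resolves that reference and forwards the restored parameters to the EHR's real authorization endpoint. The 200-character figure is taken from the post and treated as a hard cap on the whole query string; the URLs, parameter names other than `launch_ref` being KC's own OAuth params, and the 1,000-character launch value are constructed for the demo. The reference is single-use and expires, so one found in a log or browser history cannot be replayed.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Limit reported in the thread for the query string Keycloak will forward
# (assumption: treated here as a hard cap on the whole query string).
KC_FORWARD_LIMIT = 200


def query_to_dict(query):
    """Flatten a raw query string into a dict (last value wins on duplicates)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def url_query_params(url):
    """Return the query parameters of a URL as a dict."""
    return query_to_dict(urlsplit(url).query)


class LaunchStash:
    """Server-side store for launch parameters too long to travel through KC.

    Entries are keyed by an unguessable reference, expire after `ttl` seconds
    and are consumed on first lookup, so a leaked reference is single-use.
    """

    def __init__(self, ttl=120):
        self._ttl = ttl
        self._items = {}

    def put(self, params, now=None):
        now = time.time() if now is None else now
        ref = secrets.token_urlsafe(24)  # 32 URL-safe chars, far below the cap
        self._items[ref] = (now + self._ttl, dict(params))
        return ref

    def pop(self, ref, now=None):
        now = time.time() if now is None else now
        entry = self._items.pop(ref, None)  # gone after the first lookup
        if entry is None:
            return None
        expires_at, params = entry
        return None if now > expires_at else params


def build_kc_redirect(kc_auth_url, incoming_query, stash, now=None):
    """Hop 1: the EHR launch hits our endpoint; stash the long params and
    redirect to Keycloak with only a short reference in the query."""
    ref = stash.put(query_to_dict(incoming_query), now=now)
    query = urlencode({"launch_ref": ref})
    if len(query) > KC_FORWARD_LIMIT:
        raise ValueError("reference query exceeds the KC forwarding limit")
    return f"{kc_auth_url}?{query}"


def build_upstream_redirect(upstream_auth_url, forwarded_query, stash, now=None):
    """Hop 2: KC calls the configured IdP auth URL (our endpoint again);
    resolve the reference and forward the restored params to the EHR."""
    kc_params = query_to_dict(forwarded_query)
    ref = kc_params.pop("launch_ref", None)
    original = stash.pop(ref, now=now) if ref else None
    if original is None:
        raise ValueError("unknown, expired or already-used launch reference")
    # KC's own OAuth params (client_id, redirect_uri, state, ...) win on
    # conflict: the EHR must send the browser back to KC's callback.
    merged = {**original, **kc_params}
    return f"{upstream_auth_url}?{urlencode(merged)}"


def run_demo():
    """Walk a constructed launch through both hops and report what was checked."""
    stash = LaunchStash(ttl=120)
    long_launch = "L" * 1000  # constructed stand-in for a ~1000-char launch token
    incoming = urlencode({"iss": "https://ehr.example/fhir", "launch": long_launch})
    kc_url = build_kc_redirect("https://kc.example/auth", incoming, stash, now=1000)
    ref = url_query_params(kc_url)["launch_ref"]
    # Constructed stand-in for what KC sends to the configured IdP auth URL.
    forwarded = urlencode({"launch_ref": ref, "client_id": "app", "state": "abc"})
    upstream = build_upstream_redirect("https://ehr.example/authorize", forwarded, stash, now=1010)
    restored = url_query_params(upstream)
    try:
        build_upstream_redirect("https://ehr.example/authorize", forwarded, stash, now=1011)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "kc_query_len": len(urlsplit(kc_url).query),
        "launch_restored": restored.get("launch") == long_launch,
        "state_kept": restored.get("state") == "abc",
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the stash would live in a shared store (the endpoint may be served by several instances), and the second hop should also verify that the request really came from Keycloak (for example by checking KC's `client_id` and `redirect_uri` against what the IdP configuration allows) before forwarding anything to the EHR.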

Which KC extension are you referring to here for the solution? Is it igia or something custom built?

I’m not using any KC extensions just using external server endpoints for auth endpoints.
But you may be better off writing an extension.

Thank you for clarifying! I will take a look at extensions.


I created a GitHub repo for the extensions that my team has developed for supporting SMART App Launch from Keycloak: GitHub - Alvearie/keycloak-extensions-for-fhir: Keycloak extensions for FHIR