62.2.1 Requesting Payer OIDC Server Setup

62.2.1.1 Overview

This section walks you through the setup needed when Smile CDR is playing the role of the Requesting payer (Target), meaning it's the one reaching out to other payers to get member data. Getting this setup right means Smile can securely connect to other payers, find the right member records, and bring that data into your system.

62.2.2 OIDC Configuration

62.2.2.1 Add OIDC Server Definition

Following the Smile CDR documentation for setting up OIDC server definitions, create a server definition for each Source Payer you'll be connecting to.

62.2.2.1.1 Navigation Path

  • In the Web Admin Console, navigate to Users & Authorization → OpenID Connect Servers
  • Select the desired system_to_system_data_exchange Target module for P2P
  • Add Server

62.2.2.1.2 Server Definition Configuration

Configure the server definition with the following key fields:

| Field | Description | Example/Value |
| --- | --- | --- |
| Server Name | Identifier for the server | p2p-server |
| Issuer | Exact Issuer URL of Source Payer's OIDC | https://source-payer.com/ |
| Authorization Endpoint | OAuth2 authorization endpoint | https://source-payer.com/oauth/authorize |
| Token Endpoint | OAuth2 token endpoint | https://source-payer.com/oauth/token |
| UserInfo Endpoint | OIDC userinfo endpoint | https://source-payer.com/oauth/userinfo |
| JWKS Endpoint | JSON Web Key Set endpoint | https://source-payer.com/oauth/jwks |
| Client Authentication Mode | How Smile authenticates to the server | CLIENT_SECRET_BASIC or PRIVATE_KEY_JWT |
| Request Scopes | Scopes to request | openid cdr_all_user_authorities |
| FHIR Base URL | Source Payer's FHIR endpoint | https://source-payer.com/fhir |
| Response Type | Expected response format | code id_token token |

62.2.2.1.3 Example

{
  "nodeId": "Master",
  "moduleId": "smart_inbound",
  "name": "Target Payer P2P OIDC Server",
  "issuer": "https://target-payer.example.org",
  "authorizationEndpoint": "https://target-payer.example.org/oauth/authorize",
  "tokenEndpoint": "https://target-payer.example.org/oauth/token",
  "userInfoEndpoint": "https://target-payer.example.org/oauth/userinfo",
  "jwksEndpoint": "https://target-payer.example.org/oauth/jwks",
  "introspectionEndpoint": "https://target-payer.example.org/oauth/introspect",
  "revocationEndpoint": "https://target-payer.example.org/oauth/revoke",
  "registrationEndpoint": "https://target-payer.example.org/oauth/register",
  "clientAuthenticationMode": "CLIENT_SECRET_BASIC",
  "serverAuthenticationMode": "PRIVATE_KEY_JWT",
  "signingCertificateFile": "classpath:p2p-signing-cert.pem",
  "signingKeyFile": "classpath:p2p-signing-key.pem",
  "authorizationScript": "classpath:p2p-server-auth.js",
  "supportedGrantTypes": [
    "client_credentials",
    "authorization_code",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "supportedScopes": [
    "openid cdr_all_user_authorities",
    "openid",
    "profile",
    "user/Patient.read",
    "user/Coverage.read",
    "user/ExplanationOfBenefit.read",
    "launch/patient",
    "patient/*.read"
  ]
}
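The Issuer field above has to match the Source Payer's OIDC issuer exactly (a stray trailing slash or an http endpoint is enough for token validation to fail or for credentials to travel in the clear). The following is an added example, not Smile CDR code or part of the original page: it cross-checks a server definition shaped like the JSON above against the Source Payer's discovery document (`/.well-known/openid-configuration`) before the definition is saved. The discovery document and the definition it checks are constructed for illustration; the hostnames are placeholders.

```javascript
// Added example (not Smile CDR code): validate a P2P OIDC server definition against the
// Source Payer's discovery document before saving it in the Web Admin Console.

const ALLOWED_CLIENT_AUTH_MODES = new Set(["CLIENT_SECRET_BASIC", "PRIVATE_KEY_JWT"]);

// Endpoint keys in the Smile CDR definition and the matching OIDC discovery keys.
const ENDPOINT_MAP = {
  authorizationEndpoint: "authorization_endpoint",
  tokenEndpoint: "token_endpoint",
  userInfoEndpoint: "userinfo_endpoint",
  jwksEndpoint: "jwks_uri",
};

// Returns a list of problems; an empty list means the definition is consistent.
function validateServerDefinition(definition, discovery) {
  const problems = [];

  // The issuer must match the discovery document byte-for-byte (OIDC Discovery / RFC 8414),
  // including scheme, host and any trailing slash; a near-match causes token rejection.
  if (definition.issuer !== discovery.issuer) {
    problems.push(`issuer mismatch: definition '${definition.issuer}' vs discovery '${discovery.issuer}'`);
  }

  for (const [defKey, discKey] of Object.entries(ENDPOINT_MAP)) {
    const value = definition[defKey];
    if (!value) {
      problems.push(`${defKey} is missing`);
      continue;
    }
    let url;
    try {
      url = new URL(value);
    } catch (e) {
      problems.push(`${defKey} is not a valid URL: ${value}`);
      continue;
    }
    // Tokens, client secrets and member data must never cross an http endpoint.
    if (url.protocol !== "https:") problems.push(`${defKey} must use https`);
    if (discovery[discKey] && discovery[discKey] !== value) {
      problems.push(`${defKey} differs from discovery ${discKey}: ${value} vs ${discovery[discKey]}`);
    }
  }

  if (!ALLOWED_CLIENT_AUTH_MODES.has(definition.clientAuthenticationMode)) {
    problems.push(`unsupported clientAuthenticationMode: ${definition.clientAuthenticationMode}`);
  }
  // PRIVATE_KEY_JWT signs a client assertion, so both key and certificate must be configured.
  if (definition.clientAuthenticationMode === "PRIVATE_KEY_JWT" &&
      !(definition.signingKeyFile && definition.signingCertificateFile)) {
    problems.push("PRIVATE_KEY_JWT requires signingKeyFile and signingCertificateFile");
  }

  // When the Source Payer advertises scopes_supported, every scope we intend to request
  // should be on that list; unadvertised scopes are usually silently dropped or refused.
  if (Array.isArray(discovery.scopes_supported)) {
    const advertised = new Set(discovery.scopes_supported);
    for (const scopeString of definition.supportedScopes || []) {
      for (const scope of scopeString.split(/\s+/)) {
        if (scope && !advertised.has(scope)) problems.push(`scope not advertised by Source Payer: ${scope}`);
      }
    }
  }
  return problems;
}

// Constructed discovery document for a hypothetical Source Payer (placeholder host).
const SAMPLE_DISCOVERY = {
  issuer: "https://source-payer.example.org",
  authorization_endpoint: "https://source-payer.example.org/oauth/authorize",
  token_endpoint: "https://source-payer.example.org/oauth/token",
  userinfo_endpoint: "https://source-payer.example.org/oauth/userinfo",
  jwks_uri: "https://source-payer.example.org/oauth/jwks",
};

// Constructed definition with three deliberate mistakes: a trailing-slash issuer,
// an http token endpoint, and PRIVATE_KEY_JWT without a signing certificate.
const SAMPLE_DEFINITION = {
  issuer: "https://source-payer.example.org/",
  authorizationEndpoint: "https://source-payer.example.org/oauth/authorize",
  tokenEndpoint: "http://source-payer.example.org/oauth/token",
  userInfoEndpoint: "https://source-payer.example.org/oauth/userinfo",
  jwksEndpoint: "https://source-payer.example.org/oauth/jwks",
  clientAuthenticationMode: "PRIVATE_KEY_JWT",
  signingKeyFile: "classpath:p2p-signing-key.pem",
};

// Prints four findings for the sample definition above.
console.log(validateServerDefinition(SAMPLE_DEFINITION, SAMPLE_DISCOVERY));
```

Run it with `node` and paste the real discovery document in place of `SAMPLE_DISCOVERY`; once the list comes back empty, the values can be entered into the server definition form.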

62.2.2.1.4 Authentication Script

Create an authorization script as per Smile CDR's federated OAuth2/OIDC documentation:

/**
 * P2P Target Payer Authorization Script
 * Handles authorization for outbound P2P requests
 */
function onAuthenticateSuccess(theOutcome) {
    // Extract user information from the token
    // Set the user ID from the token
    // The body is left as a skeleton here; populate theOutcome as described in
    // Smile CDR's federated OAuth2/OIDC scripting documentation.
}

62.2.3 Executing P2P Exchanges

For more details on executing P2P exchanges, see P2P Execute Exchange.

62.2.3.1 Prerequisites for $invoke-export

Before invoking P2P operations, ensure:

  1. The source payer server has been registered.
  2. The member has opted-in and Consent has been captured.
  3. The member has a local Patient resource with a member identifier (to support data integration).
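The three prerequisites are easy to check up front rather than discovering them as a failed exchange. The following is an added example and not Smile CDR code: a pre-flight function that checks a registered-server list, a FHIR R4 Consent resource and a Patient resource for the conditions listed above. The resource shapes are standard FHIR R4; the opt-in rule used here (an active Consent with a `permit` provision that references the member's Patient) and the member identifier system are assumptions for illustration, and the sample resources are constructed.

```javascript
// Added example (not Smile CDR code): pre-flight check for the $invoke-export prerequisites.

// Returns a list of unmet prerequisites; an empty list means the exchange may be invoked.
function checkInvokeExportPrerequisites({ registeredServers, sourcePayerName, consent, patient, memberIdSystem, now }) {
  const failures = [];

  // 1. A server definition for this Source Payer has been registered.
  if (!registeredServers.some((s) => s.name === sourcePayerName)) {
    failures.push(`no OIDC server definition registered for '${sourcePayerName}'`);
  }

  // 3 (checked before 2 so the Consent can be tied to the Patient): the member has a local
  // Patient resource carrying a member identifier in the expected identifier system.
  const patientOk = patient && patient.resourceType === "Patient" && patient.id;
  const hasMemberId = patientOk &&
    (patient.identifier || []).some((id) => id.system === memberIdSystem && id.value);
  if (!patientOk) {
    failures.push("no local Patient resource for the member");
  } else if (!hasMemberId) {
    failures.push(`Patient/${patient.id} has no member identifier in system ${memberIdSystem}`);
  }

  // 2. Opt-in has been captured: an active Consent whose provision permits the exchange,
  //    that references this Patient, and whose provision period (if any) has not ended.
  const consentOk = consent && consent.resourceType === "Consent" && consent.status === "active" &&
    consent.provision && consent.provision.type === "permit";
  if (!consentOk) {
    failures.push("member has not opted in (no active Consent with a permit provision)");
  } else {
    const ref = consent.patient && consent.patient.reference;
    if (patientOk && ref !== `Patient/${patient.id}`) {
      failures.push(`Consent references ${ref || "no patient"}, not Patient/${patient.id}`);
    }
    const end = consent.provision.period && consent.provision.period.end;
    if (end && new Date(end) < now) failures.push(`Consent provision period ended on ${end}`);
  }
  return failures;
}

// Constructed sample data (hypothetical member and Source Payer).
const MEMBER_ID_SYSTEM = "http://example.org/fhir/sid/member-id";
const REGISTERED_SERVERS = [{ name: "Source Payer A P2P OIDC Server" }];
const SAMPLE_PATIENT = {
  resourceType: "Patient",
  id: "member-123",
  identifier: [{ system: MEMBER_ID_SYSTEM, value: "M0001234" }],
};
const SAMPLE_CONSENT = {
  resourceType: "Consent",
  status: "active",
  patient: { reference: "Patient/member-123" },
  provision: { type: "permit", period: { start: "2024-01-01", end: "2026-12-31" } },
};
const FIXED_NOW = new Date("2025-06-01T00:00:00Z");

// Prints [] for the sample data above.
console.log(checkInvokeExportPrerequisites({
  registeredServers: REGISTERED_SERVERS,
  sourcePayerName: "Source Payer A P2P OIDC Server",
  consent: SAMPLE_CONSENT,
  patient: SAMPLE_PATIENT,
  memberIdSystem: MEMBER_ID_SYSTEM,
  now: FIXED_NOW,
}));
```

Wire the same function in front of whatever triggers `$invoke-export` so an exchange is never attempted for a member who has withdrawn consent or whose record cannot be matched on the Source Payer side.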