16.18.1 SMART User Profile Information


The SMART App Launch specification recommends that SMART applications request the scopes openid and fhirUser in addition to the scopes describing the application's specific FHIR data access requirements.

When the openid and fhirUser scopes are approved, the authorization response to the application includes an additional token, the OpenID Connect ID Token. It is returned alongside the Access Token as part of the same response object.

The ID Token is a signed JWT whose payload, once decoded, looks similar to the following example. Before trusting any claim in it, an application must verify the signature against the issuer's published keys and check that iss matches the expected issuer, aud contains its own client ID, exp has not passed, nonce matches the value it sent in the authorization request, and at_hash matches the Access Token received in the same response:

{
   "jti":"155bf20e-5caf-415f-8078-5c896350c828",
   "iat":1615563526,
   "exp":1615563586,
   "aud":"my-client-id",
   "sub":"user123",
   "iss":"http:\/\/example.com\/issuer",
   "given_name":"GIVEN_NAME",
   "family_name":"FAMILY_NAME",
   "profile":"http:\/\/example.com\/issuer\/fhir\/RelatedPerson\/123",
   "nonce":"idihrgy",
   "auth_time":1615563526,
   "at_hash":"GMPkjip0n0mGmMaOs8HA3w"
}

By default, the profile link contains an automatically generated reference to a RelatedPerson resource holding the known demographics of the logged-in user.

If you are using the SMART Outbound Security module as your Authorization Server, and the application being authorized can reach a FHIR repository that contains a real resource for the user (for example, a Patient or Practitioner resource), you can set the profile reference to that resource in your onTokenGenerating callback script. The following example shows such a URL being set:

function onTokenGenerating(theUserSession, theAuthorizationRequestDetails, theClientDetails) {

    // ..other functions not shown..

    // Point the user profile claim at the real resource for this user in the FHIR
    // repository the application can reach, instead of the generated RelatedPerson.
    // The reference must resolve on the server the application will query.
    theUserSession.setFhirUserUrl('https://fhir.example.com/Patient/123');

}