We believe very strongly in the SMART on FHIR model for OAuth2/OpenID Connect based authorization of health apps against a health data infostructure/infrastructure. Smile CDR includes the ability to act as a SMART on FHIR compatible OAuth2/OpenID Connect server, and has OAuth2 scope-granting screens that have been customized to display accessible definitions of the scopes being authorized. For example, the SMART patient/*.read scope can be displayed as “Access any data for patient”, reflecting a definition that users will understand.
Smile CDR includes a complete access-control mechanism that is built around these scopes. It is able to recognize that a user has a specific set of SMART on FHIR scopes for which they have been authorized, and can block FHIR requests and responses exceeding the limits of those scopes.
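As an added illustration of the scope-based enforcement described above (example code written for this page, not Smile CDR's own implementation), the block below parses SMART on FHIR clinical scopes in both the v1 form (`patient/*.read`, `user/Observation.write`) and the v2 form (`patient/Observation.rs`, using the letters c, r, u, d, s), classifies an incoming FHIR REST request by resource type and interaction, and answers whether the granted scopes cover it. It also renders a scope as plain-language text in the style of the "Access any data for patient" wording quoted earlier. The request classifier and the description strings are assumptions chosen for the example; the scope grammar itself follows the SMART App Launch specification.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# SMART clinical scope: <context>/<ResourceType or *>.<permission>
# v1 permissions: read | write | *     v2 permissions: any subset of "cruds"
_SCOPE_RE = re.compile(
    r"^(patient|user|system)/([A-Z][A-Za-z]*|\*)\.(read|write|\*|[cruds]+)$"
)
ALL_PERMS: FrozenSet[str] = frozenset("cruds")


@dataclass(frozen=True)
class SmartScope:
    context: str           # patient | user | system
    resource: str          # FHIR resource type, or "*" for any
    perms: FrozenSet[str]  # subset of {c, r, u, d, s}


def parse_scope(scope: str) -> Optional[SmartScope]:
    """Return a SmartScope, or None for non-clinical scopes (openid, launch/patient, ...)."""
    m = _SCOPE_RE.match(scope)
    if not m:
        return None
    context, resource, perm = m.groups()
    if perm == "read":
        perms = frozenset("rs")      # v1 read covers read, vread and search
    elif perm == "write":
        perms = frozenset("cud")     # v1 write covers create, update, delete
    elif perm == "*":
        perms = ALL_PERMS
    else:
        perms = frozenset(perm)      # v2 letters, e.g. "rs" or "cu"
    return SmartScope(context, resource, perms)


def describe_scope(scope: str) -> str:
    """Human-readable text for a consent screen (wording is this example's own)."""
    s = parse_scope(scope)
    if s is None:
        return scope
    reads = bool(s.perms & {"r", "s"})
    writes = bool(s.perms & {"c", "u", "d"})
    action = "Access and modify" if reads and writes else ("Modify" if writes else "Access")
    data = "any data" if s.resource == "*" else f"{s.resource} data"
    return f"{action} {data} for {s.context}"


def classify_request(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Map an HTTP method and FHIR REST path to (resourceType, interaction letter).

    Assumed mapping: GET /Type -> search, GET /Type/id -> read, POST /Type -> create,
    POST /Type/_search -> search, PUT/PATCH /Type/id -> update, DELETE /Type/id -> delete.
    """
    segments = [seg for seg in path.split("?", 1)[0].split("/") if seg]
    if not segments or not re.fullmatch(r"[A-Z][A-Za-z]*", segments[0]):
        return None  # not a resource-type URL (e.g. /metadata); caller decides policy
    resource = segments[0]
    rest = segments[1:]
    if method == "GET":
        return resource, ("r" if rest else "s")
    if method == "POST":
        return resource, ("s" if rest == ["_search"] else "c")
    if method in ("PUT", "PATCH"):
        return resource, "u"
    if method == "DELETE":
        return resource, "d"
    return None


def is_permitted(granted: Iterable[str], method: str, path: str) -> bool:
    """Allow the request only if some granted scope covers its resource type and interaction.

    Default-deny: unknown interactions and unparseable scopes never grant access.
    Compartment restriction (a patient/ scope is limited to the launch patient's
    records) is a separate check, not performed here.
    """
    target = classify_request(method, path)
    if target is None:
        return False
    resource, interaction = target
    for raw in granted:
        s = parse_scope(raw)
        if s is not None and s.resource in ("*", resource) and interaction in s.perms:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a token carrying read-only access plus one write scope
    token_scopes = ["openid", "launch/patient", "patient/*.read", "user/Observation.cu"]
    for method, path in [("GET", "/Observation?patient=123"), ("DELETE", "/Observation/9")]:
        print(method, path, "->", "allow" if is_permitted(token_scopes, method, path) else "deny")
    print(describe_scope("patient/*.read"))
```

The checker is deliberately default-deny: a scope that does not parse grants nothing, and a request whose interaction cannot be classified is refused rather than waved through. Enforcing the patient compartment for `patient/` scopes and filtering resources out of search responses are additional steps a server such as the one described above must perform; they are not part of this example.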
Smile CDR also includes support for consuming SMART on FHIR tokens that have been supplied by an external provider. Because the OAuth2 specifications do not specify a standard mechanism for token verification, it is not possible to certify that the product can interoperate out-of-the-box with an arbitrary provider; however, Smile CDR is designed to be capable of integration with any conformant OAuth2 provider.