CH EPR mHealth (R4)
3.0.0-ballot - ballot
CH EPR mHealth (R4)
3.0.0-ballot - ballot
This page is part of the CH EPR mHealth (R4) (v3.0.0-ballot: Draft Ballot 1) based on FHIR R4. This is the current published version in its permanent home (it will always be available at this URL). For a full list of available versions, see the Directory of published versions 
At launch time the app may connect to the Authorization Server to retrieve the configuration data. The Authorization Server responds with the configuration data and the Authorization Server endpoint the app shall direct the User Agent to.
Actor: Authorization Client or Resource Server
Role: Sends a request to the Authorization Server to retrieve configuration data and the server endpoint to redirect the User Agent to.
Actor: Authorization Server
Role: Responds with the FHIR Server configuration data.
IHE ITI Technical Framework Supplement Internet User Authorization (IUA) Revision 2.1
SMART Application Launch Framework Implementation Guide Release 1.0.0
A mHealth App or a Resource server wants to retrieve the Authorization Server configuration data. A mHealth App is launched in a SMART on FHIR launch sequence.
The Authorization Client or Resource Server performs a HTTP GET request to the Authorization Server. The request SHALL neither use parameter nor body data.
The Authorization Server SHALL response with a HTTP response conveying a JSON formatted object as HTTP body element. The JSON object SHALL convey the following attributes:
| Attribute | Optionality | Reference | Description |
|---|---|---|---|
| authorization_endpoint | R | SMART on FHIR / IUA | URL to the IUA Authorization Server endpoint. |
| token_endpoint | R | SMART on FHIR / IUA | Authorization Server’s Authorization token end-point location. |
| token_endpoint_auth_methods | O | SMART on FHIR | Client authentication methods supported by the token endpoint. The options are “client_secret_post” and “client_secret_basic”. #19 |
| registration_endpoint | O | SMART on FHIR | URL to the OAuth2 dynamic registration endpoint for this FHIR server. |
| scopes_supported | O | SMART on FHIR / IUA | Recommended: Supported scopes. |
| response_types_supported | O | SMART on FHIR / IUA | Recommended: Supported OAuth2.1 response_type values. |
| grant_types_supported | R | IUA | SHALL be “authorization_code”. |
| management_endpoint | O | SMART on FHIR | URL an end-user can view which applications currently have access to data and can make adjustments to these access rights. |
| revocation_endpoint | O | SMART on FHIR | Recommended: URL to a server’s revoke endpoint that can be used to revoke a token. |
| capabilities | R | SMART on FHIR | SMART capabilities (e.g., single-sign-on or launch-standalone) that the server supports. |
| issuer | R | IUA | The Authorization Server’s issuer identifier. |
| jwks_uri | R | IUA | URL of the Authorization Server’s JWK Set [RFC7517, Section 5] document. |
| access_token_format | O | IUA | JSON string defining the format of the access token as provided by the Authorization Server. Values are “ihe_jwt” or “ihe_saml”.#21 |
The Authorization Client or Resource Server MAY read the URL of the IUA Authorization Server and redirect the User Agent to the Authorization Server.
There are no further requirements beyond those defined in the SMART on FHIR specification.
GET {URL-Server}/.well-known/smart-configuration HTTP/1.1
{
"authorization_endpoint": "https://ehr.example.com/auth/authorize",
"token_endpoint": "https://ehr.example.com/auth/token",
"token_endpoint_auth_methods_supported": ["client_secret_basic"],
"registration_endpoint": "https://ehr.example.com/auth/register",
"scopes_supported": ["openid", "profile", "launch", "launch/patient", "patient/*.*", "purpose_of_use=*", "subject_role=*", "person_id=*", "principal=*", "principal_id=*", "organization=*", "organization=_id*", "access_token_format=*"],
"response_types_supported": ["code", "code id_token", "id_token", "refresh_token"],
"grant_types_supported": ["client_credentials", "authorization_code", "id_token", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer"],
"management_endpoint": "https://ehr.example.com/user/manage",
"revocation_endpoint": "https://ehr.example.com/user/revoke",
"capabilities": ["launch-ehr", "client-public", "client-confidential-symmetric", "context-ehr-patient", "sso-openid-connect"],
"issuer": ["launch-ehr", "client-public", "client-confidential-symmetric", "context-ehr-patient", "sso-openid-connect"],
"jwks_uri": "https://ehr.example.com/auth/jws",
"access_token_format": "ihe_jwt"
}
There are no special security requirements for this transaction.