CH EPR mHealth (R4)
3.0.0-ballot - ballot Switzerland flag

This page is part of the CH EPR mHealth (R4) (v3.0.0-ballot: Draft Ballot 1) based on FHIR R4. This is the current published version in its permanent home (it will always be available at this URL). For a full list of available versions, see the Directory of published versions

Get Authorization Server Metadata [ITI-103]

Scope

At launch time the app may connect to the Authorization Server to retrieve the configuration data. The Authorization Server responds with the configuration data and the Authorization Server endpoint the app shall direct the User Agent to.

Actor Roles

Actor: Authorization Client or Resource Server
Role: Sends a request to the Authorization Server to retrieve configuration data and the server endpoint to redirect the User Agent to.
Actor: Authorization Server
Role: Responds with the FHIR Server configuration data.

Referenced Standards

IHE ITI Technical Framework Supplement Internet User Authorization (IUA) Revision 2.1
SMART Application Launch Framework Implementation Guide Release 1.0.0

Messages

Interaction Diagram for [ITI-103]Authorization ClientorResource ServerAuthorization ClientorResource ServerAuthorization ServerAuthorization Server[00]Authorization Server Metadata Request[01]Authorization Server Metadata Response

Trigger Events

A mHealth App or a Resource server wants to retrieve the Authorization Server configuration data. A mHealth App is launched in a SMART on FHIR launch sequence.

Message Semantics

Request

The Authorization Client or Resource Server performs a HTTP GET request to the Authorization Server. The request SHALL neither use parameter nor body data.

Response

The Authorization Server SHALL response with a HTTP response conveying a JSON formatted object as HTTP body element. The JSON object SHALL convey the following attributes:

Attribute Optionality Reference Description
authorization_endpoint R SMART on FHIR / IUA URL to the IUA Authorization Server endpoint.
token_endpoint R SMART on FHIR / IUA Authorization Server’s Authorization token end-point location.
token_endpoint_auth_methods O SMART on FHIR Client authentication methods supported by the token endpoint. The options are “client_secret_post” and “client_secret_basic”. #19
registration_endpoint O SMART on FHIR URL to the OAuth2 dynamic registration endpoint for this FHIR server.
scopes_supported O SMART on FHIR / IUA Recommended: Supported scopes.
response_types_supported O SMART on FHIR / IUA Recommended: Supported OAuth2.1 response_type values.
grant_types_supported R IUA SHALL be “authorization_code”.
management_endpoint O SMART on FHIR URL an end-user can view which applications currently have access to data and can make adjustments to these access rights.
revocation_endpoint O SMART on FHIR Recommended: URL to a server’s revoke endpoint that can be used to revoke a token.
capabilities R SMART on FHIR SMART capabilities (e.g., single-sign-on or launch-standalone) that the server supports.
issuer R IUA The Authorization Server’s issuer identifier.
jwks_uri R IUA URL of the Authorization Server’s JWK Set [RFC7517, Section 5] document.
access_token_format O IUA JSON string defining the format of the access token as provided by the Authorization Server. Values are “ihe_jwt” or “ihe_saml”.#21
Attributes of the Get metadata transaction

Expected Actions Authorization Client or Resource Server

The Authorization Client or Resource Server MAY read the URL of the IUA Authorization Server and redirect the User Agent to the Authorization Server.

Expected Actions Authorization Server

There are no further requirements beyond those defined in the SMART on FHIR specification.

Message Example

Request

GET {URL-Server}/.well-known/smart-configuration  HTTP/1.1

Response

{
    "authorization_endpoint": "https://ehr.example.com/auth/authorize",
    "token_endpoint": "https://ehr.example.com/auth/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "registration_endpoint": "https://ehr.example.com/auth/register",
    "scopes_supported": ["openid", "profile", "launch", "launch/patient", "patient/*.*", "purpose_of_use=*", "subject_role=*", "person_id=*", "principal=*", "principal_id=*", "organization=*",  "organization=_id*", "access_token_format=*"],
    "response_types_supported": ["code", "code id_token", "id_token", "refresh_token"],
    "grant_types_supported": ["client_credentials", "authorization_code", "id_token", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer"],
    "management_endpoint": "https://ehr.example.com/user/manage",
    "revocation_endpoint": "https://ehr.example.com/user/revoke",
    "capabilities": ["launch-ehr", "client-public", "client-confidential-symmetric", "context-ehr-patient", "sso-openid-connect"],
    "issuer": ["launch-ehr", "client-public", "client-confidential-symmetric", "context-ehr-patient", "sso-openid-connect"],
    "jwks_uri": "https://ehr.example.com/auth/jws",
    "access_token_format": "ihe_jwt"
}

Security Consideration

There are no special security requirements for this transaction.