AJ FHIR Smart Auth Server
v1.0.0 ยท Spring Authorization Server 1.3 ยท Spring Boot 3.3 ยท Java 21 ยท Apache 2.0
The AJ FHIR Auth Server is the authorization layer that sits between SMART client apps and a HAPI FHIR JPA server. It implements the complete SMART App Launch v2.2 protocol โ PKCE S256, dynamic SMART discovery, EHR launch tokens, SMART token extras (patient, encounter, need_patient_banner), OIDC id_token, and scope enforcement โ without requiring Epic.
It runs on port 9000.
What it doesโ
SMART Client :8081 Auth Server :9000 HAPI FHIR :8080
โ โ โ
โโโ GET /.well-known/ โโโโโโโโโโบโ โ
โ smart-configuration โ โ
โโโ authorization_endpoint โโโโโโ โ
โ token_endpoint, jwks_uri โ โ
โ โ โ
โโโ GET /oauth2/authorize โโโโโโโบโ โ
โ ?launch=TOKEN&code_challengeโ โ
โ &scope=launch+openid+... โ โ
โ โ SmartTokenCustomizer: โ
โโโ POST /oauth2/token โโโโโโโโโโบโ resolves launch token โ
โโโ { โ โ patient, encounter โ
โ access_token, โ โ
โ patient, โโโโโโโโโโโโค SmartTokenResponseConverter: โ
โ encounter, โ promotes to top-level JSON โ
โ need_patient_banner, โ โ
โ id_token โ โ
โ } โ โ
โ โ โ
โโโ GET /fhir/Observation โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโบ โ
โ Authorization: Bearer ... โ SmartScopeAuthInterceptor โ
โโโ 200 OK (or 403 if no scope)โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
Key componentsโ
| Class | Package | Role |
|---|---|---|
AuthorizationServerConfig | auth | Two SecurityFilterChain beans โ OAuth2 protocol endpoints + portal/login |
SmartTokenCustomizer | token | Adds patient, encounter, need_patient_banner to access token JWT |
SmartTokenResponseConverter | token | Writes SMART extras as top-level fields in the token response body |
SmartDiscoveryController | discovery | Serves GET /.well-known/smart-configuration |
LaunchContextService | launch | Creates and resolves single-use, 5-minute EHR launch tokens |
LaunchPortalController | launch | Patient picker portal โ clinician login + patient select + launch redirect |
JpaRegisteredClientRepository | auth | PostgreSQL-backed SMART app registry |
RsaKeyConfig | oidc | Generates RSA-2048 signing key pair on startup |
SmartScopeAuthorizationInterceptor | auth | HAPI FHIR interceptor โ enforces patient/Patient.rs scopes |
Port layoutโ
| Port | Service |
|---|---|
| 9000 | This auth server โ OAuth2 endpoints, discovery, portal |
| 8080 | HAPI FHIR JPA server |
| 8081 | SMART Client app |
| 8082 | Consent Manager |
| 8083 | Referral Module |
What it is notโ
This server handles authentication (who you are) and authorization (what you can access). It does not store FHIR clinical data โ that is HAPI FHIR's job. It does not enforce consent beyond SMART scopes โ that is the Consent Manager's job.
Next: Quick Start โ