SMART App Launch v2.2
The platform implements the full SMART App Launch Framework v2.2.

What's implemented

| Requirement | Component | Status |
|---|---|---|
| EHR launch | Auth Server + Client | ✅ |
| Standalone launch | Auth Server + Client | ✅ |
| PKCE S256 | Both | ✅ `requireProofKey(true)` |
| Dynamic discovery (`/.well-known/smart-configuration`) | Auth Server + HAPI Plugin | ✅ |
| `jwks_uri` in discovery | Auth Server | ✅ |
| `introspection_endpoint` | Auth Server | ✅ |
| `launch-ehr` capability | Auth Server | ✅ |
| `launch-standalone` capability | Auth Server | ✅ |
| `patient`, `encounter` as top-level token response fields | Auth Server | ✅ |
| `need_patient_banner` | Auth Server | ✅ |
| RS256 signed access token | Auth Server | ✅ |
| OIDC `id_token` with `fhirUser` | Auth Server | ✅ |
| Token refresh with rotation | Auth Server | ✅ |
| SMART scope enforcement (`.rs`, `.read`) | HAPI Plugin | ✅ |
| IdP federation | Auth Server | ✅ Azure AD, Okta, Epic IdP |
| Consent directives | Consent Manager | v1.1.0 |
| Backend Services | - | v2.0.0 |

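PKCE implementation

RFC 7636 S256 in the SMART Client:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// 96-byte verifier (768 bits of entropy, exceeds spec minimum of 32 bytes);
// encodes to 128 characters, the RFC 7636 maximum length
byte[] verifierBytes = new byte[96];
new SecureRandom().nextBytes(verifierBytes);
String codeVerifier = Base64.getUrlEncoder().withoutPadding()
        .encodeToString(verifierBytes);

// S256 challenge: BASE64URL(SHA-256(ASCII(code_verifier)))
// (getInstance throws the checked NoSuchAlgorithmException)
byte[] digest = MessageDigest.getInstance("SHA-256")
        .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
String codeChallenge = Base64.getUrlEncoder().withoutPadding()
        .encodeToString(digest);
```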
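
The token-endpoint side of the same RFC 7636 S256 exchange, as an added example that is not the platform's own code: it validates the `code_verifier` format, recomputes the challenge, and compares it to the stored `code_challenge` in constant time. The class `PkceS256Check` and its methods are hypothetical names; the fixed test vector is the one in RFC 7636 Appendix B.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;

// Added example: PkceS256Check is a hypothetical class, not the platform's code.
public class PkceS256Check {
    // RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
    private static final Pattern VERIFIER = Pattern.compile("[A-Za-z0-9\\-._~]{43,128}");

    static String s256(String codeVerifier) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // True only when the verifier is well-formed and hashes to the stored challenge.
    static boolean verify(String storedChallenge, String codeVerifier)
            throws NoSuchAlgorithmException {
        if (storedChallenge == null || codeVerifier == null
                || !VERIFIER.matcher(codeVerifier).matches()) {
            return false; // fail closed on a missing or malformed value
        }
        return MessageDigest.isEqual( // constant-time comparison
                storedChallenge.getBytes(StandardCharsets.US_ASCII),
                s256(codeVerifier).getBytes(StandardCharsets.US_ASCII));
    }

    static void check(boolean condition, String what) {
        if (!condition) throw new AssertionError(what);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // RFC 7636 Appendix B test vector.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSStw-cM";
        check(verify(rfcChallenge, rfcVerifier), "RFC vector must verify");
        check(!verify(rfcChallenge, rfcVerifier.replace('d', 'e')), "altered verifier");
        check(!verify(rfcChallenge, "too-short"), "short verifier");
        // Constructed sample: a 96-byte verifier built the same way as the client snippet.
        byte[] raw = new byte[96];
        new SecureRandom().nextBytes(raw);
        String verifier = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        check(verifier.length() == 128 && verify(s256(verifier), verifier), "round trip");
        System.out.println("all PKCE checks passed");
    }
}
```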

Discovery document

```json
{
  "authorization_endpoint": "https://auth.demo.ajsmart.com/oauth2/authorize",
  "token_endpoint": "https://auth.demo.ajsmart.com/oauth2/token",
  "introspection_endpoint": "https://auth.demo.ajsmart.com/oauth2/introspect",
  "jwks_uri": "https://auth.demo.ajsmart.com/oauth2/jwks",
  "issuer": "https://auth.demo.ajsmart.com",
  "token_endpoint_auth_methods_supported": ["none", "client_secret_basic", "client_secret_post"],
  "capabilities": ["launch-ehr", "launch-standalone", "client-public",
                   "context-ehr-patient", "context-ehr-encounter",
                   "permission-patient", "permission-user", "sso-openid-connect"],
  "code_challenge_methods_supported": ["S256"]
}
```