Skip to content
/ keycloak-smart-fhir Public

A custom Service Provider Interface (extension) for Keycloak that supports SMART on FHIR EHR-Launch.

License

Apache-2.0 license
5 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

zedwerks/keycloak-smart-fhir

BranchesTags

Repository files navigation

keycloak-smart-fhir

Badge-License

Badge-Stable

About

This is a custom Service Provider Interface (extension) for Keycloak that supports SMART on FHIR EHR-Launch.

  • Support for mapping 'patient' context response into JWT JSON response as well as Bearer Token.
  • Support for fhirUser claim in ID Token, a URL representing the authenticated user (as RelatedPerson, or Practitioner or Patient)
  • Support for EHR-Launch flow, processing the 'launch' scope and request parameter and resolving to resource identifier via an external Context API server.
  • The above is managed via custom mappers and custom Auth Flows that are configured to allow SMART on FHIR.
  • Support for mandatory aud audience request parameter for SMART on FHIR, with additional support for this aliased to audience or resource. As per SMART on FHIR specs, this audience value must be a fully qualified base FHIR Server endpoint.
  • Configuration to set the allowable FHIR resource servers as part of the 'aud' request parameter.

Packaging the Extensions

Using Maven:

cd smart-on-fhir-spi
mvn clean package
cp target/*.jar $KEYCLOAK_HOME/standalone/deployments

Release

  • Supports Kecyloak 26. For suppport for previous editions, see tags and or release packages.

Keycloak Auth Flow Configuration

See example-usage folder. Alternatively,

  1. Login to your Realm in Keycloak as an administrator.
  2. Go to Authentication Menu.
  3. Create or Edit a Custom Auth Flow.
  4. Select "Add Execution"
  5. Pick from the list, this Custom Authenticator for EHR-Launch.
  6. Setup the Environment configuration variables (more on this later).

Try out a client app with scope of launch and a launch={context_token_goes_here} request parameter.

Use Terraform

Use the included terraform scripts to configure FHIR scopes, and create a default auth flow that includes the SMART on FHIR custom flow steps.

The auth flows have no impact if the auth request is not a SMART on FHIR request.

see the folder example for details.

In order for these extensions to work, you must use the flow structure as defined in the Terraform file:

example/terraform/auth_flow_smart_browser.tf

Quick Start

See the postman library.

  1. Use EMR client to authenticate the user, alice.
  2. Set a context
  3. Authenticate using the SMART client and examine the resonse JSON and Bearer Token.

Quick start script

sh quick-start.sh

This quick start allows you to try out this Keycloak extension and related configurations. It expects that you have Docker Desktop installed.

This will build and deploy the docker group/bundle consisting of two services:

To try this out, use Postman. Included in this repo, is example/postman folder containing a postman collection you can import into Postman app. To try out the smart service.

About

A custom Service Provider Interface (extension) for Keycloak that supports SMART on FHIR EHR-Launch.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

5 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 7

Release v1.2 (Keycloak 26) Latest
Dec 4, 2024
+ 6 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages