Auth and Identity
Medplum supports multiple authentication and authorization configurations so that deployments can meet their compliance and integration requirements. Implementations commonly combine several authentication and authorization methods.
Authentication (are you who you say you are?) and authorization (what can you do?) are distinct in Medplum. Several authentication methods (e.g. Google Authentication) are supported. Authorization can be determined by Access Policies or SMART-on-FHIR scopes.
Patients, Practitioners and Bots
Users are the representation of identities in Medplum, and each user belongs to one or more Medplum Projects. For a specific project, a user can be either a Practitioner, Patient or Bot. At a high level, Practitioners are staff or administrators, Patients are those receiving care and Bots are designed for programmatic access or integrations.
Users can belong to multiple Medplum projects, and the service supports multiple types of authentication. Below is a diagram that steps through the login logic and process. There are four major stages in the login flow.
| Stage | Description |
|---|---|
| Domain | In the Domain phase, the preferred authentication method is determined, either by the user selecting a method, by configuration, or based on the email domain. |
| Credentials | In the Credentials phase, the authentication credentials are collected and sent to the chosen service, and authentication is performed. |
| Profile | In the Profile phase, if the user is a member of multiple projects, one must be selected to proceed. |
| Scope | If SMART-on-FHIR scopes were provided, they need to be selected and access to them determined. Access control is applied where configured and authorization is determined. |
The following diagram shows an overview of the process. Endpoints are provided to illustrate and inform, but implementors should only use OAuth endpoints or React components.
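The Scope stage is where authentication ends and authorization begins: a caller who has proven an identity still only gets the access that both the project's Access Policy and any requested SMART-on-FHIR scopes allow. The following TypeScript is an added example, not Medplum's own authorization engine, that models that decision. The `AccessPolicy` shape (`resourceType` / `readonly` entries) is modelled on the FHIR-style resource Medplum uses, but the evaluator, the `patientPolicy` sample, and the scope grammar (SMART v1 `context/ResourceType.op`) are assumptions for illustration.

```typescript
// Added example (not Medplum's code): combine SMART-on-FHIR scopes granted at the
// Scope phase with an Access Policy to reach an allow/deny decision.

export type Operation = 'read' | 'write';

export interface ScopeGrant {
  context: 'patient' | 'user' | 'system';
  resourceType: string; // '*' means any resource type
  ops: Set<Operation>;
}

export interface AccessPolicyResource {
  resourceType: string; // '*' matches every resource type
  readonly?: boolean;   // true: reads only, writes are denied
}

export interface AccessPolicy {
  resourceType: 'AccessPolicy';
  name?: string;
  resource: AccessPolicyResource[];
}

// SMART v1 resource scope syntax: <context>/<ResourceType>.<read|write|*>
const SCOPE_RE = /^(patient|user|system)\/([A-Za-z]+|\*)\.(read|write|\*)$/;

// Identity/launch scopes grant no FHIR data access, so they are skipped.
const NON_RESOURCE_SCOPES = ['openid', 'profile', 'fhirUser', 'offline_access', 'online_access', 'launch', 'launch/patient', 'launch/encounter'];

// Parse a space-separated scope string. Anything that is neither an identity
// scope nor a well-formed resource scope is rejected rather than ignored, so a
// typo cannot silently widen or narrow access.
export function parseScopes(scopeString: string): ScopeGrant[] {
  const grants: ScopeGrant[] = [];
  for (const raw of scopeString.split(/\s+/).filter(Boolean)) {
    if (NON_RESOURCE_SCOPES.includes(raw)) continue;
    const m = SCOPE_RE.exec(raw);
    if (!m) throw new Error(`Unsupported scope: ${raw}`);
    const ops = m[3] === '*' ? new Set<Operation>(['read', 'write']) : new Set<Operation>([m[3] as Operation]);
    grants.push({ context: m[1] as ScopeGrant['context'], resourceType: m[2], ops });
  }
  return grants;
}

export function scopeAllows(grants: ScopeGrant[], resourceType: string, op: Operation): boolean {
  return grants.some((g) => (g.resourceType === '*' || g.resourceType === resourceType) && g.ops.has(op));
}

// A resource type with no matching policy entry is denied; a matching entry
// allows the operation unless it is a write against a readonly entry.
export function policyAllows(policy: AccessPolicy, resourceType: string, op: Operation): boolean {
  return policy.resource
    .filter((r) => r.resourceType === '*' || r.resourceType === resourceType)
    .some((r) => op === 'read' || !r.readonly);
}

// Final decision: the policy must allow it, and when a SMART launch supplied
// scopes, the scopes must allow it too. Scopes can only narrow, never widen.
export function isAuthorized(policy: AccessPolicy, scopes: ScopeGrant[] | undefined, resourceType: string, op: Operation): boolean {
  if (!policyAllows(policy, resourceType, op)) return false;
  if (scopes === undefined) return true; // no scopes requested: policy alone governs
  return scopeAllows(scopes, resourceType, op);
}

// Constructed sample policy for a patient-facing app (hypothetical values).
export const patientPolicy: AccessPolicy = {
  resourceType: 'AccessPolicy',
  name: 'Patient self-service (constructed)',
  resource: [
    { resourceType: 'Patient', readonly: true },
    { resourceType: 'Observation', readonly: true },
    { resourceType: 'Communication' },
  ],
};

// Stand-alone usage: a launch that asked for read-only observations and full
// access to messages. Patient.read is in the policy but not in the scopes, so
// it is denied; Observation.write is denied by both sides.
const launchGrants = parseScopes('openid fhirUser patient/Observation.read patient/Communication.*');
console.log(isAuthorized(patientPolicy, launchGrants, 'Observation', 'read'));   // true
console.log(isAuthorized(patientPolicy, launchGrants, 'Patient', 'read'));       // false
console.log(isAuthorized(patientPolicy, launchGrants, 'Communication', 'write')); // true
```

The design point is the intersection: the Access Policy bounds what the project membership may ever do, and the scopes selected at the Scope stage can only subtract from that. Rejecting malformed scopes outright, instead of skipping them, keeps a mistyped scope from being interpreted as either a grant or a silent no-op.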