Authentication and Identity
Medplum supports multiple authentication configurations, with the intent to enable required compliance and integration scenarios. Implementations commonly use multiple authentication and authorization methods.
This section covers Medplum's authentication tools (are you who you say you are?). Several authentication methods (e.g. Google Authentication) are supported.
Authorization (what can you do?) is distinct in Medplum and is covered in the Authorization and Access Controls section.
The User Management Guide describes the Medplum user and project isolation model. Users can belong to multiple Medplum projects, and the service supports multiple types of authentication.
The following diagram shows an overview of the process. Endpoints are provided to illustrate and inform, but implementors should only use OAuth endpoints or React components.
There are four major stages in the login flow: Domain, Credentials, Profile, Scope. The table below describes the authentication actions the Medplum server performs at each stage, along with the associated endpoints.
| Stage | Endpoints | Description |
|---|---|---|
| Domain | | In the Domain phase, the preferred authentication method is determined, either by the user selecting a method, by configuration, or based on the email domain. |
| Credentials | | In the Credentials phase, the authentication credentials are collected and sent to the service of choice, which performs the authentication. |
| Profile | | In the Profile phase, if the user is a member of multiple projects, one must be selected to proceed. |
| Scope | | If SMART-on-FHIR scopes were provided, they need to be selected and access to them determined. Access control is applied where configured and authorization determined. |
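The stage flow above, as an added example that is not Medplum's own code: a self-contained TypeScript model of the Domain, Profile and Scope decisions. The function names, config shape and sample data are assumptions made for illustration; credential verification is delegated to the chosen provider and not modelled.

```typescript
// Added example: a self-contained model of the login stages described above
// (Domain -> Credentials -> Profile -> Scope). Names, config shape and sample
// data are constructed for illustration and are not Medplum's own API.
type AuthMethod = 'password' | 'google' | 'external';
interface DomainConfig { domainMethods: Record<string, AuthMethod>; defaultMethod: AuthMethod }
interface Membership { id: string; project: string; profile: string }
interface LoginState { stage: 'profile' | 'done'; method: AuthMethod; memberships?: Membership[];
  membership?: Membership; scopes?: string[] }

// Domain phase: choose the authentication method from the email domain,
// falling back to the configured default.
function resolveMethod(email: string, cfg: DomainConfig): AuthMethod {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) throw new Error('invalid email');
  return cfg.domainMethods[email.slice(at + 1).toLowerCase()] ?? cfg.defaultMethod;
}

// Profile phase: one membership is selected automatically; several require an
// explicit user choice, and an unknown choice yields no selection.
function resolveProfile(memberships: Membership[], chosenId?: string): Membership | undefined {
  if (memberships.length === 0) throw new Error('user has no project membership');
  if (memberships.length === 1) return memberships[0];
  return memberships.find((m) => m.id === chosenId);
}

// Scope phase: narrow requested SMART-on-FHIR scopes (context/Resource.access)
// to the allow-list. A wildcard in the allow-list (e.g. patient/*.read) covers
// any resource with the same context and access; other scopes match exactly.
function resolveScopes(requested: string[], allowed: string[]): string[] {
  const parse = (s: string) => /^(patient|user|system)\/([A-Za-z]+|\*)\.(read|write|\*)$/.exec(s);
  const covers = (a: string, req: string): boolean => {
    const p = parse(a), r = parse(req);
    if (!p || !r) return a === req; // non-resource scopes such as openid match exactly
    return p[1] === r[1] && (p[2] === '*' || p[2] === r[2]) && (p[3] === '*' || p[3] === r[3]);
  };
  return requested.filter((req) => allowed.some((a) => covers(a, req)));
}

// Runs one login attempt through the stages. Credential verification itself
// is delegated to the chosen provider and is not modelled here.
function login(email: string, cfg: DomainConfig, memberships: Membership[],
               requested: string[], allowed: string[], chosenId?: string): LoginState {
  const method = resolveMethod(email, cfg);
  const membership = resolveProfile(memberships, chosenId);
  if (!membership) return { stage: 'profile', method, memberships }; // caller must pick one
  return { stage: 'done', method, membership, scopes: resolveScopes(requested, allowed) };
}
```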