
Authentication and Identity

Medplum supports multiple authentication configurations so that deployments can meet their compliance and integration requirements. Implementations commonly combine several authentication and authorization methods.

This section covers Medplum's authentication tools (are you who you say you are?). Several authentication methods (e.g. Google Authentication) are supported.

Authorization (what can you do?) is handled separately in Medplum and is covered in the Authorization and Access Controls section.

Login Flowchart

The User Management Guide describes the Medplum user and project isolation model. Users can belong to multiple Medplum projects, and the service supports multiple types of authentication.

The following diagram gives an overview of the process. The endpoints are listed to illustrate the flow; implementers should only use the OAuth endpoints or the React components rather than calling these endpoints directly.

(Diagram: Auth flow)

There are four major stages in the login flow: Domain, Credentials, Profile, Scope. The table below describes the authentication actions the Medplum server performs at each stage, along with the associated endpoints.

Stage: Domain
Description: In the Domain stage the preferred authentication method is determined, either by the user selecting a method, by configuration, or based on the email domain.
Involved endpoints: auth/method, auth/external

Stage: Credentials
Description: In the Credentials stage the authentication credentials are collected and sent to the chosen service, which performs the authentication.
Involved endpoints: auth/login, auth/external, auth/mfa

Stage: Profile
Description: In the Profile stage, if the user is a member of multiple projects, one must be selected to proceed.
Involved endpoints: auth/profile, auth/me

Stage: Scope
Description: If SMART-on-FHIR scopes were provided, they need to be selected and access to them determined. Access control is applied where configured and authorization determined.
Involved endpoints: auth/scope
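The table describes the stages from the server's side. As an added example (not Medplum's own SDK or server code), the TypeScript below is a small client driver that walks the same four stages against an in-memory stand-in for the server, so it runs offline. The stand-in gates each stage the way the table describes: no profile selection until every credential factor has passed, and an authorization code only once all stages are complete. The request and response field names (login, mfaRequired, memberships, profile, scopesToApprove, code), the use of auth/mfa for token verification, and the user data are assumptions for illustration; a real client should use the OAuth endpoints or React components as recommended above.

```typescript
// Added example, not Medplum's own code. Field names and the constructed
// server behaviour are assumptions modelled on the endpoint table above.

type Json = Record<string, any>;
type Transport = (path: string, body: Json) => Promise<Json>;

interface Membership { id: string; project: string }

interface Callbacks {
  getMfaToken: () => string;                              // prompt the user for the second factor
  chooseMembership: (offered: Membership[]) => string;    // returns a membership id
}

// Drives a user through Domain -> Credentials -> Profile -> Scope and returns the
// authorization code. Only that code is exchanged for tokens (via OAuth), so no
// intermediate response is usable as a credential on its own.
export async function runLoginFlow(
  send: Transport, email: string, password: string, cb: Callbacks, scope = 'openid'
): Promise<string> {
  // Domain: let the server pick the authentication method for this address.
  const method = await send('auth/method', { email });
  if (method.external) {
    throw new Error(`domain requires external IdP ${method.external}; use auth/external`);
  }

  // Credentials: password first, then the MFA token if the server demands one.
  let state = await send('auth/login', { email, password, scope });
  if (state.mfaRequired) {
    state = await send('auth/mfa', { login: state.login, token: cb.getMfaToken() });
  }

  // Profile: needed only when the user belongs to more than one project.
  if (!state.code && Array.isArray(state.memberships)) {
    const offered: Membership[] = state.memberships;
    const chosen = cb.chooseMembership(offered);
    if (!offered.some((m) => m.id === chosen)) {
      throw new Error('chosen membership was not offered by the server');
    }
    state = await send('auth/profile', { login: state.login, profile: chosen });
  }

  // Scope: confirm any SMART-on-FHIR scopes the server asks the user to approve.
  if (!state.code && Array.isArray(state.scopesToApprove)) {
    state = await send('auth/scope', { login: state.login, scope: state.scopesToApprove.join(' ') });
  }

  if (typeof state.code !== 'string') throw new Error('login did not reach the code stage');
  return state.code;
}

// Constructed stand-in server: one user with MFA enabled and two project
// memberships. It records which endpoints were hit and refuses out-of-order stages.
export function makeFakeServer() {
  const calls: string[] = [];
  const session = { login: 'login-1', passwordOk: false, mfaOk: false, profile: '' };
  const user = {
    email: 'alice@example.com', password: 'correct horse', mfa: '123456',
    memberships: [{ id: 'm-a', project: 'Project A' }, { id: 'm-b', project: 'Project B' }],
  };

  const send: Transport = async (path, body) => {
    calls.push(path);
    switch (path) {
      case 'auth/method':
        return {};                                         // password login for this domain
      case 'auth/login':
        if (body.email !== user.email || body.password !== user.password) throw new Error('invalid credentials');
        session.passwordOk = true;
        return { login: session.login, mfaRequired: true };
      case 'auth/mfa':
        if (!session.passwordOk || body.login !== session.login || body.token !== user.mfa) throw new Error('mfa failed');
        session.mfaOk = true;
        return { login: session.login, memberships: user.memberships };
      case 'auth/profile':
        // Gate: a profile may only be chosen after both credential factors passed.
        if (!session.mfaOk || body.login !== session.login) throw new Error('profile before mfa');
        if (!user.memberships.some((m) => m.id === body.profile)) throw new Error('not a member');
        session.profile = body.profile;
        return { login: session.login, code: `code-for-${body.profile}` };
      default:
        throw new Error(`unexpected endpoint ${path}`);
    }
  };
  return { send, calls };
}
```

The returned code is what a client exchanges for tokens through the OAuth endpoints; the intermediate login id is never treated as a credential, and a membership id the server did not offer is rejected client-side before it is ever sent.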

Resources and Reference