
Auth and Identity

Medplum supports multiple authentication and authorization configurations, with the intent to enable required compliance and integration scenarios. Implementations commonly use multiple authentication and authorization methods.

Authentication (are you who you say you are?) and authorization (what can you do?) are distinct in Medplum. Several authentication methods (e.g. Google Authentication) are supported. Authorization can be determined by Access Policies or SMART-on-FHIR scopes.

Patients, Practitioners and Bots

Users are the representation of identities in Medplum, and each user belongs to one or more Medplum Projects. For a specific project, a user can be either a Practitioner, Patient or Bot. At a high level, Practitioners are staff or administrators, Patients are those receiving care and Bots are designed for programmatic access or integrations.

Login Flowchart

Users can belong to multiple Medplum projects, and the service supports multiple types of authentication. Below is a diagram that steps through the login logic and process. There are four major stages in the login flow.

| Stage | Description | Involved endpoints |
| --- | --- | --- |
| Domain | In the Domain phase, the preferred authentication method is determined, either by the user selecting a method, by configuration, or based on email domain. | auth/method |
| Credentials | In the Credentials phase of login, the authentication credentials are collected and sent to the service of choice, and authentication is performed. | auth/login |
| Profile | In the Profile phase, if the user is a member of multiple projects, one must be selected to proceed. | auth/profile |
| Scope | If SMART-on-FHIR scopes were provided, they need to be selected and access to them determined. Access control is applied where configured and authorization determined. | auth/scope |

The following diagram shows an overview of the process. Endpoints are provided to illustrate and inform, but implementors should only use OAuth endpoints or React components.

Auth flow


Resources and Reference