This page is part of the Smart App Launch Implementation Guide (v2.2.0: STU 2.2) based on FHIR (HL7® FHIR® Standard) R4. This is the current published version in its permanent home (it will always be available at this URL). For a full list of available versions, see the Directory of published versions
This profile describes SMART’s
client-confidential-symmetric
authentication mechanism. It is intended
for SMART App Launch clients that can maintain a secret but cannot manage asymmetric keypairs. For clients that can manage asymmetric keypairs, Asymmetric Authentication is preferred. This profile is not intended for SMART Backend Services clients.
client_secret
If a client has registered for Client Password authentication (i.e.,
it possesses a client_secret
that is also known to the EHR), the client
authenticates by supplying an Authorization
header with HTTP Basic authentication,
where the username is the app’s client_id
and the password is the app’s
client_secret
.
If the client_id
is “my-app” and the client_secret
is “my-app-secret-123”,
then the header uses the value B64Encode(“my-app:my-app-secret-123”), which
converts to bXktYXBwOm15LWFwcC1zZWNyZXQtMTIz
. This gives the app the Authorization
token for “Basic Auth”.
GET header:
Authorization: Basic bXktYXBwOm15LWFwcC1zZWNyZXQtMTIz