Secure by Choice: OAuth2 and JWKS in FHIR Architectures

Secure by Choice: OAuth2 and JWKS in FHIR Architectures

In the healthcare world, the security design usually follows a strict pattern: Identity is external. Your FHIR server shouldn’t be managing passwords. Instead, it should trust an authoritative Identity Provider (IdP) like Keycloak, Auth0, or Okta.

In this tutorial, we’ll explore the Security Layer implemented in hapi-fhir-groovy.

The Security Flow

  1. User Login: The client app authenticates with the IdP and receives a JWT Bearer Token.
  2. FHIR Request: The client sends the token in the Authorization header to the FHIR server.
  3. Validation: The FHIR server fetches the public keys (JWKS) from the IdP and verifies the token’s signature and expiration.
  4. Access: If valid, the request proceeds.

Tutorial: Enabling Security

Step 1: Configure your Identity Provider

Ensure you have an OpenID Connect (OIDC) realm created. Note down your JWKS URL (e.g., http://keycloak/realms/demo/protocol/openid-connect/certs).

Step 2: Update Server Configuration

In your FHIR server’s environment or application.yaml, toggle security on:

security:
  enabled: true
  server: "http://keycloak/realms/demo"
  jwks: "http://keycloak/realms/demo/protocol/openid-connect/certs"

Step 3: Deployment

When you start the server with SECURITY_ENABLED=true, the SecurityInterceptor is automatically registered. Any request without a valid token will now return a 401 Unauthorized status.

Tutorial: Custom Authentication Logic

What if you need to extract specific claims (like “Clinic ID”) from the token and use them as a “Tenant ID” for multi-tenancy?

Our AccessTokenValidation service exposes the JWT claims, making it easy to build custom logic:

@Autowired
private AccessTokenValidation tokenValidator;

// Inside an interceptor
public void handle(HttpServletRequest request) {
    var claims = tokenValidator.getClaimsFromToken(token);
    var clinicId = claims.get("clinic_id");
    // Secure the request context based on clinicId
}

The Architect’s Design: SMART on FHIR Scopes

In a real-world ecosystem, security is more than just “logged in”. We use Scopes to limit what an application can do.

  • patient/Patient.read: Allows the app to read the patient’s record but not modify it.
  • user/Observation.write: Allows the practitioner to record new vitals.
  • Our SecurityInterceptor can be extended via Groovy to inspect these scopes in the JWT and enforce granular access control at the resource level.

The Architect’s Verdict: From Authn to Authz

By using JWKS (JSON Web Key Sets), the FHIR server doesn’t need to store any secrets. It simply validates signatures using public keys provided by the IdP. This “Stateless Security” pattern is highly scalable and adheres to SMART on FHIR principles, ensuring your patient data stays safe without adding administrative overhead.

For more, check doc/security.md.

Related Content

Compliant by Design: Automated FHIR Auditing

Compliant by Design: Automated FHIR Auditing

How to implement structured, FHIR-native audit trails that satisfy HIPAA and GDPR requirements using the AuditEvent resource.

FHIR AuditEvent Compliance
The Language of Healthcare: Expanding FHIR Terminology Capabilities

The Language of Healthcare: Expanding FHIR Terminology Capabilities

A FHIR server is more than a database—it's a clinical translator. Explore how we've extended terminology support for expansions, lookups, and validation.

FHIR Terminology LOINC
Heavy Lifting: Managing Background Jobs in HAPI FHIR

Heavy Lifting: Managing Background Jobs in HAPI FHIR

Master the art of managing long-running FHIR tasks like Bulk Export and Reindexing, and learn how to implement your own scheduled jobs.

FHIR Batch Performance
Observability at Scale: Prometheus and Grafana for FHIR

Observability at Scale: Prometheus and Grafana for FHIR

Stop flying blind. Learn how to integrate Prometheus and Grafana to gain real-time insights into your FHIR server's performance and health.

FHIR Observability Prometheus
Seamless Interoperability: Dynamic Loading of FHIR Implementation Guides

Seamless Interoperability: Dynamic Loading of FHIR Implementation Guides

Learn how to dynamically manage FHIR Implementation Guides (IGs) without restarting your server, ensuring your data models stay up to date.

FHIR Implementation Guide IG
Dynamic FHIR Logic: Hot-Reloading Business Rules with Groovy

Dynamic FHIR Logic: Hot-Reloading Business Rules with Groovy

Learn how to extend your HAPI FHIR server at runtime using Groovy scripts, allowing for hot-reloadable Interceptors and Resource Providers.

FHIR Groovy Architecture
Orchestrating the Perfect FHIR Sandbox: The Power of Synthea and Flexporter

Orchestrating the Perfect FHIR Sandbox: The Power of Synthea and Flexporter

How to move beyond static test data by combining the scale of Synthea with the precision of Flexporter to build realistic, custom healthcare environments.

Synthea Flexporter FHIR
Bridge the Gap: IEC 81001-5-1 and Architectural Documentation as Code

Bridge the Gap: IEC 81001-5-1 and Architectural Documentation as Code

How to leverage 'Documentation as Code' to meet the rigorous architectural and security requirements of IEC 81001-5-1 in healthcare software development.

Architecture IEC 81001-5-1 Documentation