It is very clear to me how an EHR using a SMART application can authenticate that requests coming from the SMART application are legitimately coming from the authentic SMART application. However, I'm not seeing how the SMART application knows that the request coming from the EHR is a legitimate request. Is there a standard way the SMART application can authenticate that the incoming request from an EHR is actually a request from an EHR that the SMART application has registered with? In other words, is there a way that is built into the SMART specification that allows the SMART application to limit use to authenticated registered EHRs? Is there a step in the OAuth2 protocol that ensures this?
I am looking at the SMART authorization guide here: http://docs.smarthealthit.org/authorization/
and the Cerner tutorial/demo here: http://engineering.cerner.com/smart-on-fhir-tutorial/
We're talking about the "EHR Launch" flow here, where an app has been launched by an EHR. This launch includes an iss parameter indicating the EHR that (supposedly!) initiated the launch, and an opaque launch parameter.

At this point, the app can't authenticate the request, but it can:

1. Check that the iss value matches the issuer for an EHR that it knows (and for which it has a client_id).
2. Proceed with the launch protocol using that client_id; if the EHR does not recognize the client_id, then the launch fails.

This is a functional approach to validating the EHR's identity: effectively, the app uses the launch protocol to ask the EHR if this launch is valid.
(Please do raise the point on chat.fhir.org if you think this protocol leaves an important functionality or security gap!)