Inferensys

Glossary

OAuth 2.0

An industry-standard authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner without exposing user credentials, foundational to SMART on FHIR security.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
AUTHORIZATION FRAMEWORK

What is OAuth 2.0?

OAuth 2.0 is an industry-standard authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner without exposing user credentials.

OAuth 2.0 is an authorization framework—not an authentication protocol—that issues access tokens to third-party clients with the resource owner's explicit approval. It separates the client's role from the resource owner's, allowing a user to grant a SMART on FHIR application scoped access to their electronic health records without sharing their EHR password. The framework defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials, each suited to different trust scenarios.

In healthcare interoperability, OAuth 2.0 serves as the security backbone for SMART on FHIR applications, enforcing scoped access where a token might permit reading only medication data while blocking access to sensitive notes. The authorization server issues JSON Web Tokens with defined scopes and expiration times, ensuring that a clinical app's access is both limited in breadth and time-bound. This delegation mechanism eliminates the anti-pattern of credential sharing, maintaining audit integrity and HIPAA compliance across federated health information exchanges.

Authorization Framework

Core Characteristics of OAuth 2.0

OAuth 2.0 is an industry-standard protocol for authorization that decouples the client application from the resource owner's credentials, enabling secure, limited access delegation. It is the foundational security layer for modern API ecosystems, including SMART on FHIR.

01

Delegated Authorization, Not Authentication

OAuth 2.0 is fundamentally an authorization framework, not an authentication protocol. It grants a third-party application scoped access to a protected resource on behalf of a resource owner without exposing the owner's long-term credentials (username/password).

  • Analogy: A valet key for a car. The valet can drive the car (limited access) but cannot open the trunk or glove box (restricted scope) and does not possess the owner's master key.
  • Mechanism: The client obtains an access token—a string representing a specific grant—rather than handling raw credentials.
  • Critical Distinction: While often used with authentication protocols like OpenID Connect (OIDC), OAuth 2.0 itself answers "What is this client allowed to do?" not "Who is the user?"
RFC 6749
Core Specification
02

Four Primary Grant Types

The OAuth 2.0 framework defines distinct authorization grant types to accommodate different client types and security postures. Each flow is optimized for a specific use case.

  • Authorization Code Grant: The most secure server-side flow. The client exchanges an intermediary authorization code for an access token, keeping the token away from the user-agent (browser). Required for SMART on FHIR confidential clients.
  • Client Credentials Grant: Used for machine-to-machine (M2M) communication where no user is involved. The client authenticates directly using its client_id and client_secret.
  • Device Authorization Grant: Designed for input-constrained devices (e.g., smart TVs, IoT medical devices) that lack a browser. The user authorizes the device on a secondary screen via a user code.
  • Refresh Token Grant: Allows a client to obtain a new access token without re-prompting the user, using a long-lived, revocable refresh token.
SMART on FHIR
Mandates Auth Code Flow
03

Scoped Access Control

Access tokens are minted with a specific, limited scope that defines the exact permissions the client possesses. This enforces the principle of least privilege.

  • Mechanism: The authorization server presents a list of scopes during the consent screen. The resource server validates the token's scope against the requested action.
  • SMART on FHIR Scopes: SMART defines granular clinical scopes like patient/Observation.read or user/MedicationRequest.write.
  • Example: A scheduling app might receive a token scoped for patient/Appointment.read and patient/Appointment.write, but it cannot read sensitive patient/Observation data (lab results).
  • Token Introspection: Resource servers can call the introspection endpoint (RFC 7662) to verify if a token is active and what scopes it carries.
RFC 7662
Token Introspection
04

Bearer Token Usage and Security

OAuth 2.0 primarily uses Bearer tokens—a type of access token where possession of the token is sufficient to gain access. This simplicity requires strict transport-level security.

  • Usage: The client presents the token in the Authorization: Bearer <token> HTTP header.
  • Security Constraint: Bearer tokens MUST only be transmitted over TLS (HTTPS) to prevent eavesdropping and man-in-the-middle attacks.
  • Validation: Resource servers validate the token's signature (if a JWT) or call the introspection endpoint on every request.
  • Mitigation: Short token lifetimes (e.g., 5 minutes) and refresh token rotation limit the blast radius of a leaked bearer token.
TLS 1.2+
Mandatory Transport
05

Client Registration and Authentication

Before initiating any flow, the client application must be registered with the authorization server to establish a trusted identity.

  • Registration: The developer provides application metadata (name, redirect URIs) and receives a client_id and, for confidential clients, a client_secret.
  • Confidential vs. Public Clients:
    • Confidential Client: A server-side web app capable of securely storing a secret. Authenticates using client_secret_post or private_key_jwt.
    • Public Client: A native mobile or single-page app unable to protect a secret. Must use PKCE (Proof Key for Code Exchange) to prevent authorization code interception.
  • SMART on FHIR Requirement: SMART mandates asymmetric client authentication using JSON Web Keys (JWK) for higher assurance, moving beyond shared secrets.
PKCE
Required for Public Clients
06

Token Revocation and Lifecycle

OAuth 2.0 provides mechanisms to terminate access before a token's natural expiration, which is critical for user logout and security incident response.

  • Token Revocation Endpoint (RFC 7009): Allows a client to signal to the authorization server that a specific access or refresh token should be invalidated immediately.
  • Use Cases:
    • User-initiated logout in a SMART on FHIR app.
    • Detecting a compromised refresh token.
    • Revoking consent for a specific application.
  • Propagation: Revocation is not instantaneous across distributed systems; resource servers should rely on short-lived access tokens and frequent introspection to enforce revocation quickly.
RFC 7009
Token Revocation
OAuth 2.0 IN HEALTHCARE

Frequently Asked Questions

Clear, technical answers to the most common questions about implementing the OAuth 2.0 authorization framework within clinical workflows and SMART on FHIR environments.

OAuth 2.0 is an industry-standard authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner without exposing user credentials. The framework operates through a delegation flow where a resource owner (e.g., a clinician) authorizes a client application (e.g., a SMART on FHIR app) to access protected resources (e.g., patient records on a FHIR server) hosted by a resource server. The core mechanism involves the issuance of an access token—a cryptographically signed string representing the granted permissions—by an authorization server after successful authentication. The client presents this token to the resource server, which validates it before serving data. This decouples authentication from authorization, ensuring that the client never sees the user's password. Key flows include:

  • Authorization Code Grant: The most secure flow, using a front-channel redirect to obtain a one-time code exchanged for tokens on a back-channel.
  • Client Credentials Grant: Used for machine-to-machine communication where no user is involved.
  • Refresh Token: A long-lived credential used to obtain new access tokens silently, avoiding repeated user logins.
Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.