Access Controls
Introduction
Medplum supports multiple authentication and authorization configurations so that implementations can meet their compliance and integration requirements. Implementations commonly combine several authentication and authorization methods.
Medplum supports three primary authentication integration patterns, summarized by the following diagram. Each has its own use case. An implementation can use multiple or all patterns for different use cases.
The Medplum API uses standard OAuth2/OpenID Connect authentication. The "Client Credentials Flow" is recommended for machine-to-machine access, where a backend service authenticates with a client ID and client secret rather than on behalf of an end user.
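The client credentials exchange described above, as an added example that is not Medplum's own client code. It builds the form-encoded token request, validates the JSON token response (RFC 6749 section 5.1) and caches the token with an expiry that refreshes slightly early. The `/oauth2/token` path is assumed from Medplum's OAuth2 documentation, the `https://api.medplum.com` base URL is the hosted environment, and the client ID, client secret and token values are constructed placeholders; the in-process `handleTokenRequest` is a stand-in for the server side so the whole round trip runs offline.

```typescript
// Shape of the JSON a compliant token endpoint returns (RFC 6749 section 5.1).
interface TokenResponse {
  access_token: string;
  token_type: string;
  expires_in: number;
  scope?: string;
}

// What the caller keeps: the bearer token and an absolute expiry (ms since epoch).
export interface CachedToken {
  accessToken: string;
  expiresAt: number;
}

export interface TokenRequest {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: string;
}

// Build the client credentials request. The secret travels only in the POST body
// over TLS; never put it in the query string, where it would land in access logs.
export function buildClientCredentialsRequest(
  baseUrl: string,
  clientId: string,
  clientSecret: string,
  scope?: string
): TokenRequest {
  const params = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
  });
  if (scope) {
    params.set("scope", scope);
  }
  return {
    url: new URL("/oauth2/token", baseUrl).toString(), // assumed Medplum token endpoint
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
    body: params.toString(),
  };
}

// Validate the response strictly: a missing or non-bearer token type, or a
// missing lifetime, is treated as a failure rather than silently accepted.
// The token is considered expired `skewMs` before the server's expiry so a
// request issued just before expiry does not race the server-side check.
export function parseTokenResponse(status: number, json: unknown, now: number, skewMs = 60_000): CachedToken {
  if (status !== 200) {
    throw new Error(`token request rejected with HTTP ${status}`);
  }
  const t = json as Partial<TokenResponse>;
  if (typeof t.access_token !== "string" || t.access_token.length === 0) {
    throw new Error("token response missing access_token");
  }
  if ((t.token_type ?? "").toLowerCase() !== "bearer") {
    throw new Error(`unexpected token_type: ${t.token_type}`);
  }
  if (typeof t.expires_in !== "number" || t.expires_in <= 0) {
    throw new Error("token response missing expires_in");
  }
  return { accessToken: t.access_token, expiresAt: now + Math.max(0, t.expires_in * 1000 - skewMs) };
}

export function isTokenFresh(token: CachedToken, now: number): boolean {
  return now < token.expiresAt;
}

// Constructed placeholder credentials; a real deployment issues these per client.
export const DEMO_CLIENT_ID = "demo-client-id";
export const DEMO_CLIENT_SECRET = "demo-client-secret";

// Stand-in for the server side of the exchange (not Medplum's server code).
// It enforces the content type, the grant type and the client credentials.
export function handleTokenRequest(contentType: string | undefined, body: string): { status: number; json: unknown } {
  if (contentType !== "application/x-www-form-urlencoded") {
    return { status: 400, json: { error: "invalid_request" } };
  }
  const p = new URLSearchParams(body);
  if (p.get("grant_type") !== "client_credentials") {
    return { status: 400, json: { error: "unsupported_grant_type" } };
  }
  // A production server compares the secret (or its hash) in constant time.
  if (p.get("client_id") !== DEMO_CLIENT_ID || p.get("client_secret") !== DEMO_CLIENT_SECRET) {
    return { status: 401, json: { error: "invalid_client" } };
  }
  return { status: 200, json: { access_token: "demo-access-token", token_type: "Bearer", expires_in: 3600 } };
}

// Full round trip against the in-process stand-in, using the placeholder credentials.
export function runOfflineExchange(now: number): CachedToken {
  const req = buildClientCredentialsRequest("https://api.medplum.com", DEMO_CLIENT_ID, DEMO_CLIENT_SECRET);
  const res = handleTokenRequest(req.headers["Content-Type"], req.body);
  return parseTokenResponse(res.status, res.json, now);
}
```

Against a live server the same `buildClientCredentialsRequest` output is handed to `fetch` and the status and parsed JSON go through `parseTokenResponse`; the cached token is then sent as `Authorization: Bearer <accessToken>` on FHIR requests and re-requested once `isTokenFresh` returns false.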
Many SaaS products, including popular services such as Stripe and Okta, support webhooks, which allow a web application to register a Medplum URL to receive notifications. When a certain event occurs in the source application, such as a new user signup or a change to a record, the source application sends an HTTP POST request to the URL registered by the destination application. This HTTP POST request contains information about the event that occurred. Because the registered URL is reachable by anyone on the internet, the receiver should authenticate each POST (most providers sign the request with a shared secret) before acting on its contents.
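The verification a webhook receiver should perform before trusting a POST, as an added example that is not part of the original page and not Medplum's or any provider's code. The header format (`t=<unix seconds>,v1=<hex HMAC-SHA256 of "<t>.<raw body>">`) is modelled on Stripe's documented signature scheme and is an assumption here; other providers differ in header name and layout but the checks are the same: parse the header, reject stale timestamps to limit replay, compute the HMAC over the raw body bytes (never over re-serialized JSON), and compare in constant time. The secret and the event body are constructed test values.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

export interface WebhookVerification {
  ok: boolean;
  reason?: string;
}

// Parse "t=1700000000,v1=<hex>[,v1=<hex>...]" into a timestamp and candidate
// signatures. Multiple v1 entries appear while a signing secret is being rotated.
export function parseSignatureHeader(header: string): { timestamp: number; signatures: string[] } | null {
  let timestamp = NaN;
  const signatures: string[] = [];
  for (const part of header.split(",")) {
    const idx = part.indexOf("=");
    if (idx < 0) {
      return null;
    }
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === "t") {
      timestamp = Number(value);
    } else if (key === "v1") {
      signatures.push(value);
    }
  }
  if (!Number.isInteger(timestamp) || signatures.length === 0) {
    return null;
  }
  return { timestamp, signatures };
}

// HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded. Binding the timestamp
// into the signed payload is what makes the freshness check below meaningful.
export function computeSignature(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

export function verifyWebhook(
  secret: string,
  signatureHeader: string,
  rawBody: string,
  nowSeconds: number,
  toleranceSeconds = 300
): WebhookVerification {
  const parsed = parseSignatureHeader(signatureHeader);
  if (!parsed) {
    return { ok: false, reason: "malformed signature header" };
  }
  if (Math.abs(nowSeconds - parsed.timestamp) > toleranceSeconds) {
    return { ok: false, reason: "timestamp outside tolerance (possible replay)" };
  }
  const expected = Buffer.from(computeSignature(secret, parsed.timestamp, rawBody), "hex");
  for (const sig of parsed.signatures) {
    if (!/^[0-9a-f]{64}$/i.test(sig)) {
      continue; // not a SHA-256 hex digest; skip rather than throw
    }
    const candidate = Buffer.from(sig, "hex");
    // timingSafeEqual throws on length mismatch, so check length first.
    if (candidate.length === expected.length && timingSafeEqual(candidate, expected)) {
      return { ok: true };
    }
  }
  return { ok: false, reason: "signature mismatch" };
}

// Sender side, used only to produce a header for the offline demonstration.
export function signForDemo(secret: string, timestamp: number, rawBody: string): string {
  return `t=${timestamp},v1=${computeSignature(secret, timestamp, rawBody)}`;
}

// Constructed sample: a fake signing secret and a minimal event body.
export const DEMO_SECRET = "whsec_constructed_demo_secret";
export const DEMO_BODY = '{"type":"customer.created","id":"cus_demo"}';
```

The raw body must be read as bytes before any JSON parsing or framework body-parser runs; once a middleware has decoded and re-encoded it, whitespace and key order can change and the HMAC will no longer match.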
Some server actions send email messages to users. For example, when a user creates a new account, the server sends a "Welcome" email message. On Medplum's hosted environment, the email will include a link to "https://app.medplum.com/setpassword/...".
Medplum supports external identity providers such as Auth0 and AWS Cognito for end user authentication. This is sometimes known as "Federated Identities".
Google Authentication allows users to log in to your application using their Google profile.
There are two different methods to "logout" and revoke access tokens:
This guide walks through how to set up Okta authentication for your domain.
SMART on FHIR's authorization scheme uses OAuth2 scopes to communicate (and negotiate) access requirements. Each resource scope names a context (patient, user or system), a FHIR resource type or wildcard, and the interactions permitted on it.
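How a server can interpret granted SMART scopes when authorizing a FHIR request, as an added example that is not Medplum's authorization code. It parses both the SMART v1 form (`patient/Observation.read`, `user/*.write`) and the SMART v2 form (`patient/Observation.rs`, `system/*.cruds`, letters in c-r-u-d-s order), ignores non-resource scopes such as `openid` and `fhirUser`, and answers whether a given context, resource type and interaction is covered. The v1 mapping used here (read covers read and search, write covers create, update and delete) follows the SMART App Launch specification; the scope strings in the test are constructed.

```typescript
export type Interaction = "create" | "read" | "update" | "delete" | "search";
export type ScopeContext = "patient" | "user" | "system";

export interface SmartScope {
  context: ScopeContext;
  resourceType: string; // a FHIR resource type, or "*" for all types
  permissions: Set<Interaction>;
}

const V2_LETTERS: Record<string, Interaction> = {
  c: "create",
  r: "read",
  u: "update",
  d: "delete",
  s: "search",
};

// Parse one scope token. Returns null for scopes that are not resource scopes
// (openid, fhirUser, launch/patient, offline_access) or that are malformed,
// so a malformed scope never silently grants anything.
export function parseSmartScope(scope: string): SmartScope | null {
  const m = /^(patient|user|system)\/([A-Za-z]+|\*)\.([a-z*]+)$/.exec(scope);
  if (!m) {
    return null;
  }
  const context = m[1] as ScopeContext;
  const resourceType = m[2];
  const perm = m[3];
  const permissions = new Set<Interaction>();
  if (perm === "read") {
    permissions.add("read");
    permissions.add("search");
  } else if (perm === "write") {
    permissions.add("create");
    permissions.add("update");
    permissions.add("delete");
  } else if (perm === "*") {
    for (const i of ["create", "read", "update", "delete", "search"] as Interaction[]) {
      permissions.add(i);
    }
  } else {
    // SMART v2: a non-empty subset of "cruds" in that fixed order.
    if (perm.length === 0 || !/^c?r?u?d?s?$/.test(perm)) {
      return null;
    }
    for (const ch of perm.split("")) {
      permissions.add(V2_LETTERS[ch]);
    }
  }
  return { context, resourceType, permissions };
}

// Parse a space-separated scope string as returned in an OAuth2 token response.
export function parseScopes(scopeString: string): SmartScope[] {
  const out: SmartScope[] = [];
  for (const token of scopeString.split(/\s+/)) {
    const parsed = parseSmartScope(token);
    if (parsed) {
      out.push(parsed);
    }
  }
  return out;
}

// Authorization decision: some granted scope must match the context exactly,
// match the resource type (or be a wildcard), and include the interaction.
export function isAllowed(
  granted: SmartScope[],
  context: ScopeContext,
  resourceType: string,
  interaction: Interaction
): boolean {
  return granted.some(
    (s) =>
      s.context === context &&
      (s.resourceType === "*" || s.resourceType === resourceType) &&
      s.permissions.has(interaction)
  );
}
```

The context check is deliberately exact: a `patient/` scope is scoped to the launch patient and must additionally be enforced by filtering results to that patient's compartment, which this example does not do, so it must not be treated as a substitute for a `user/` scope.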
This guide walks through how to create and manage users via the Medplum App and via API. Medplum supports multiple authentication options, but always maintains a representation of the user identities, and gives developers control over which authentication method to use for an identity, as well as what access controls are applied.
By default, Medplum uses the email address as the unique identifier for a user. When using external identity providers, you may instead want to use the provider's external ID rather than the email address, since the email can change or be reassigned while the external ID is stable. This document describes the additional changes required to use the external ID.