Authorization

You must have a preexisting account (username and password) to access Oracle Health Millennium Platform and permission to use the REST API. To request access to the REST API, contact your Oracle Health Millennium Platform administrator.

Overview

The Oracle Health implementation of the HL7 FHIR standard is protected using the Smart App Launch Framework and the SMART Backend Services: Authorization Guide. Oracle Health EHR APIs are also protected with SMART authorization, enabling the development of applications that are secured through a single authorization mechanism. SMART defines profiles of the OAuth 2.0 framework for obtaining authorization to act on behalf of users and nonperson system actors. Review and understand the OAuth 2.0 framework before implementing the authorization workflow.

The following IETF publications are recommended for review:

This guide provides the following information:

  • A technical overview for securely obtaining authorization on behalf of a user or a system using the Oracle Health authorization server.
  • Guidance for providing an optimal authorization user experience across a broad range of platforms.
  • Guidance for providing broad compatibility across a diverse range of deployment scenarios.
  • Answers to frequently asked questions.

Features of the authorization model

The use of an authorization protocol offers additional security for users and enterprises by abstracting the credentials used to authenticate to the EHR away from client applications. Under this model, restrictions can be applied to what actions a client application can perform on behalf of the user. These restrictions are not possible in traditional models where the application has direct access to the user's credentials.

By abstracting authentication away from client applications, the risk of those credentials being compromised is reduced, and the EHR gains the flexibility to offer alternative forms of authentication, such as Microsoft Windows Hello or Apple Touch ID, without any change to client applications.

In a distributed-service ecosystem, the token model employed by the OAuth 2.0 framework gives each resource server a practical means of frequently validating that the access it is asked to grant has not been revoked and has not expired.
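The following is an added illustration, not Oracle Health code, of the two properties described above: a resource server enforces the restrictions carried in an access token (its scopes) and checks expiry and revocation on every request. The token structure, scope strings, subject and client identifiers are constructed for this example; the scope syntax follows the SMART v1 pattern `context/Resource.permission`, and a real server would validate a signed token or call the authorization server's introspection endpoint instead of consulting an in-memory object.

```python
import time
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed representation of an access token after the server has
# validated it; a real deployment would parse a JWT or an introspection
# response rather than build this object directly.
@dataclass
class AccessToken:
    subject: str            # user or system actor the token acts on behalf of
    client_id: str          # the client application the token was issued to
    scopes: FrozenSet[str]  # restrictions granted to the client, e.g. "user/Observation.read"
    expires_at: float       # absolute expiry as a POSIX timestamp
    revoked: bool = False   # set when the authorization server reports revocation


def scope_permits(scopes: FrozenSet[str], resource_type: str, action: str) -> bool:
    """Return True if any granted scope allows `action` ('read' or 'write')
    on `resource_type`. Handles the v1 wildcards "*" for resource and permission."""
    for scope in scopes:
        context, _, rest = scope.partition("/")
        # Only the three SMART launch contexts are recognised; anything else is ignored.
        if context not in ("patient", "user", "system"):
            continue
        resource, _, permission = rest.partition(".")
        if resource not in (resource_type, "*"):
            continue
        if permission in (action, "*"):
            return True
    return False


def authorize_request(token: AccessToken, resource_type: str, action: str,
                      now: float = None) -> Tuple[bool, str]:
    """Decide whether a single API request is allowed.

    Revocation and expiry are checked first, so a revoked or stale token is
    rejected even when its scopes would otherwise permit the action."""
    now = time.time() if now is None else now
    if token.revoked:
        return False, "token revoked"
    if now >= token.expires_at:
        return False, "token expired"
    if not scope_permits(token.scopes, resource_type, action):
        return False, f"scope does not permit {action} on {resource_type}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a user-level token that may read Observations and Patients.
    token = AccessToken(
        subject="practitioner-example",
        client_id="app-example",
        scopes=frozenset({"user/Observation.read", "patient/Patient.read"}),
        expires_at=time.time() + 600,
    )
    print(authorize_request(token, "Observation", "read"))   # allowed
    print(authorize_request(token, "Observation", "write"))  # denied: no write scope
    token.revoked = True
    print(authorize_request(token, "Observation", "read"))   # denied: revoked
```

Because the decision is made per request against the token rather than against stored user credentials, the client never sees a password, the authorization server can narrow what the client may do, and revoking the token takes effect on the next call.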

Differentiating SMART and FHIR

The HL7 FHIR standard defines an API to access information in an electronic health record (EHR) system.

SMART defines an API through which applications obtain authorization to access FHIR or other Oracle Health API resources and exchange launch context information with client applications.

Oracle Health implements the following versions of SMART: