Auth and Identity

Medplum supports multiple authentication and authorization configurations, with the intent to enable required compliance and integration scenarios. Implementations commonly use multiple authentication and authorization methods.

Authentication (are you who you say you are?) and authorization (what can you do?) are distinct in Medplum. Several authentication methods (e.g. Google Authentication) are supported. Authorization can be determined by Access Policies or SMART-on-FHIR scopes.

Patients, Practitioners and Bots

Users are the representation of identities in Medplum, and each user belongs to one or more Medplum Projects. For a specific project, a user can be either a Practitioner, Patient or Bot. At a high level, Practitioners are staff or administrators, Patients are those receiving care and Bots are designed for programmatic access or integrations.

Users can belong to multiple Medplum projects, and the service supports multiple types of authentication. Below is a diagram that steps through the login logic and process. There are four major stages in the login flow.

Stage	Description	Involved endpoints
Domain	In the Domain phase, the preferred authentication method is determined, either by the user selecting a method, by configuration or based on email domain.	`auth/method` `auth/external`
Credentials	In the Credentials phase of login the authentication credentials are collected and sent to service of choice and authentication performed.	`auth/login` `auth/external` `auth/mfa`
Profile	In the Profile phase, if the user is a member of multiple projects, one must be selected to proceed	`auth/profile` `auth/me`
Scope	If SMART-on-FHIR scopes were provided, they need to be selected and access to them determined. Access control is applied where configured and authorization determined.	`auth/scope`

The following diagram shows an overview of the process. Endpoints are provided to illustrate and inform, but implementors should only use OAuth endpoints or React components.

Auth flow