I have been investigating how to use Auth0 with FHIR SMART Authorization flow, and found that is currently not possible to do so in accordance with the framework.
Requirements to get SMART working:
To utilize the compartments in FHIR, custom claims need to be added to the access token. To be able to use scope “Patient/*.*”, the access token needs to have a claim named “patient” (exactly), and similar for the other compartments defined in SMART App Launch. The value of the patient claim must be an ID that allows the FHIR server to identify the patient. It doesn’t have to be the FHIR server’s internal Patient resource ID. In Norway, for example, we have a national person identifier that can be used for this purpose.
Why Auth0 doesn’t support this:
In Auth0 all custom claims must be prefixed with a custom namespace. It will not allow adding a claim named “patient” to the access token. It will only allow claims named with a custom namespace like “http://smarthealthit.org/fhir/scopes/patient”, but this is not according to the FHIR Smart App launch framework.
I had a support ticket for this, and got feedback that this is currently not supported. I was asked to raise it as a feature request, which I have done, but I don’t know of any timeline for this to be implemented.
[1] https://hl7.org/fhir/smart-app-launch/
[2] http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/
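As an added example (not code from the original post or from Auth0), this is how a FHIR resource server might enforce a `patient/*.*` scope against the bare `patient` claim, and why a token carrying only a namespaced claim gets denied; the claim sets, the patient ID and the `authorize` helper are constructed for illustration, and signature/expiry verification is assumed to have happened upstream.

```python
# Constructed claim sets (illustrative only, not real tokens).
# What a SMART-compliant access token carries for the patient launch context:
SMART_CLAIMS = {"scope": "patient/*.* launch/patient", "patient": "12345678901"}
# What a namespace-prefixed custom claim looks like (the "patient" claim is missing):
NAMESPACED_CLAIMS = {
    "scope": "patient/*.* launch/patient",
    "http://smarthealthit.org/fhir/scopes/patient": "12345678901",
}


def parse_scope(scope: str):
    """Split a SMART v1 scope such as 'patient/Observation.read' into
    (compartment, resource_type, permission); return None for anything else."""
    if "/" not in scope or "." not in scope:
        return None
    compartment, rest = scope.split("/", 1)
    resource, permission = rest.rsplit(".", 1)
    if compartment.lower() not in ("patient", "user", "system"):
        return None
    if permission not in ("read", "write", "*"):
        return None
    return compartment.lower(), resource, permission


def authorize(claims: dict, resource_type: str, action: str, subject_patient_id: str):
    """Decide whether `action` ('read' or 'write') on a resource of `resource_type`
    belonging to `subject_patient_id` is allowed by the token's scopes.
    For the patient compartment the server only recognises the bare 'patient' claim,
    exactly as the SMART App Launch spec names it; a namespaced claim is ignored."""
    wanted = {"read", "*"} if action == "read" else {"write", "*"}
    for scope in claims.get("scope", "").split():
        parsed = parse_scope(scope)
        if parsed is None:
            continue
        compartment, resource, permission = parsed
        if resource not in ("*", resource_type) or permission not in wanted:
            continue
        if compartment == "patient":
            context_patient = claims.get("patient")
            if context_patient is None:
                return False, "patient/ scope granted but token has no 'patient' claim"
            if context_patient != subject_patient_id:
                return False, "resource belongs to a patient outside the launch context"
            return True, f"{scope} matched patient {context_patient}"
        # user/ and system/ scopes need their own subject checks; not covered here.
        return True, f"{scope} matched (compartment '{compartment}')"
    return False, "no matching scope"
```

Run `authorize(NAMESPACED_CLAIMS, "Observation", "read", "12345678901")` to see the denial the post describes: the scope is fine, but the server cannot find the compartment without a claim literally named `patient`.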