Preserve SMART launch patient context

I’ve been trying to use a custom social connection to allow EHR users to authenticate with my application. I’m running into an issue of preserving the patient context information that comes with the SMART launch. I have access to the relevant information in the Fetch User Profile script, but (as far as I can tell) not in the post-login action where I can modify the access token issued by Auth0. I considered adding the patient to the user’s app_metadata but I’m concerned about running into an issue if a provider attempts to launch the application for multiple patients at once. Anyone know of a safe way to manage the patient context?

Hey there, interesting topic!

Not sure if I’m totally clear on your use case and concerns.

Do you refer to a situation where more than one user utilises the same device? → the device stores all users’ (patients’) context data in local storage? → And the result is that the recommendations provided by the SMART app are made based on mixed data of all users of a device?

Or maybe you attempt to modify user profile data that comes from your custom social connection each time the user signs in / signs up?

I’m new to SMART apps, but once we understand your use case and concerns better we might provide some insight from the Auth0 IdP perspective. Thanks!

Here is an overview of user metadata management, and here is an overview of Configure Identity Provider Connection for User Profile Updates.

The use case here is that the user is a healthcare provider in their EHR system (e.g. Epic, Cerner, etc.). Within the EHR they can visit a patient chart for a particular patient and can have multiple “tabs” for different patient charts. From a given patient chart, the provider will launch my app (an SPA), which will appear in an iframe in the patient chart. Launching the app from another patient’s chart in another tab will result in another SMART launch/OAuth 2 handshake. We want the app to show information specific to the patient and, critically, we never want to show information for the wrong patient in another patient’s chart.
As a part of the SMART launch, we get the patient ID alongside the access token and ID token. The app front end can keep track of which patient it should be showing, but the challenge is getting that patient ID to the front end.