AJ Auth Server v0.2.3 · Apache 2.0 · Port 9000

SMART App Launch v2.2, done right.

Complete SMART on FHIR authorisation server. PKCE S256 with 96-byte verifier (3× spec minimum). RS256 id_token. Launch context as top-level JSON fields. Azure AD, Okta, Epic IdP, and ADFS federation. 90 tests. Apache 2.0.

Standards: SMART v2.2 · PKCE S256 (RFC 7636) · RS256 · OpenID Connect

[Diagram: SMART App Launch v2.2 flow between the Clinical App (SMART client), the Auth Server (:9000) and HAPI FHIR (:8080)]
1. iss + launch: discovery request
2. smart-configuration: endpoints + capabilities
3. authorize + PKCE S256: 96-byte verifier, 768-bit
4. auth code: atomic single-use INSERT
5. POST /oauth2/token: code_verifier → verify SHA-256
6. token response: patient + encounter top-level
7. GET /fhir/Patient/$summary: Bearer eyJhbGci... scope check
Sample token response: { "patient": "GOLDEN-00441", "encounter": "enc-001", "access_token": "eyJ..." }
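Steps 3 to 6 of the flow above, as an added example that is not part of the AJ Auth Server code base: the client builds a 96-byte verifier and its S256 challenge, the authorize endpoint refuses any method other than S256, and the token endpoint consumes the code once, recomputes the challenge from code_verifier and answers with patient and encounter as top-level fields. The in-memory dict, the placeholder access token and the scope string are constructed for the example; the patient and encounter ids are the sample values shown in the diagram.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory store: authorization code -> (code_challenge, launch context).
# A real server persists this; the dict only stands in for it here.
_codes: dict = {}


def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 96) -> str:
    """Client side: 96 random bytes (768 bits) encode to a 128-char verifier,
    which is the maximum length RFC 7636 allows and 3x its 32-byte minimum."""
    return b64url(secrets.token_bytes(nbytes))


def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize(code_challenge: str, method: str, context: dict) -> dict:
    """Server side /authorize: bind the challenge and the launch context to a fresh code.
    Anything but S256 (including 'plain') is rejected with an OAuth error."""
    if method != "S256":
        return {"error": "invalid_request",
                "error_description": "code_challenge_method must be S256"}
    code = b64url(secrets.token_bytes(32))
    _codes[code] = (code_challenge, dict(context))
    return {"code": code}


def token(code: str, code_verifier: str) -> dict:
    """Server side /oauth2/token: the code is removed on first use, so a replay
    (or a retry after a failed verifier) finds nothing and gets invalid_grant."""
    entry = _codes.pop(code, None)
    if entry is None:
        return {"error": "invalid_grant",
                "error_description": "unknown, expired or already used code"}
    expected_challenge, context = entry
    if not 43 <= len(code_verifier) <= 128:
        return {"error": "invalid_grant",
                "error_description": "code_verifier length outside RFC 7636 range"}
    # Constant-time comparison of the recomputed challenge against the stored one.
    if not hmac.compare_digest(challenge_for(code_verifier), expected_challenge):
        return {"error": "invalid_grant",
                "error_description": "PKCE verification failed"}
    return {
        # Placeholder; a real server issues a signed bearer token here.
        "access_token": "ACCESS-TOKEN-PLACEHOLDER",
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": "launch openid fhirUser patient/*.rs",  # constructed scope string
        # Launch context as top-level fields, not buried in the JWT.
        "patient": context["patient"],
        "encounter": context["encounter"],
        "need_patient_banner": context.get("need_patient_banner", True),
    }


if __name__ == "__main__":
    verifier = make_verifier()
    issued = authorize(challenge_for(verifier), "S256",
                       {"patient": "GOLDEN-00441", "encounter": "enc-001"})
    print(token(issued["code"], verifier))
```

The test vector in RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm that an S256 implementation encodes and hashes in the right order.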

What the Auth Server does right

Most SMART implementations get the token response wrong. This one does not.

PKCE S256 enforced
96-byte verifier, 768-bit entropy — 3× the RFC 7636 minimum. Code challenge method S256 is non-negotiable. Plain PKCE is rejected.

Patient context top-level
patient, encounter, and need_patient_banner are top-level JSON fields in the token response — not buried inside the JWT. SMART v2.2 spec §7.1 compliant.

IdP federation
Azure AD, Okta, Epic IdP, ADFS, and any OpenID Connect provider. Clinicians use existing hospital credentials — no new password store.

Atomic launch tokens
Single-use launch context stored as an atomic INSERT. Replay attacks prevented. Token expires after first use or 10 minutes.

RS256 id_token
fhirUser claim in the id_token identifies the clinician as a FHIR Practitioner reference. Verifiable with the JWKS public key.

Apache 2.0
Free to use. 90 tests. Spring AS 1.3 under the hood. Drop the JAR into any Spring Boot FHIR deployment.
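The single-use launch token described under "Atomic launch tokens", as an added example that is not the project's own code: issuing is one INSERT, consuming is one conditional UPDATE whose row count tells the caller whether the token was still fresh, so two concurrent launches with the same token cannot both succeed and a token that is ten minutes old is treated the same as one already used. The sqlite schema, the ManualClock helper and the patient ids are constructed for the example.

```python
import secrets
import sqlite3
import time

LAUNCH_TTL_SECONDS = 600  # 10 minutes, the lifetime stated on the page


class ManualClock:
    """Constructed test clock so expiry can be exercised without sleeping."""
    def __init__(self, now: float):
        self.now = now

    def read(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LaunchStore:
    """Single-use launch context: one INSERT to issue, one conditional UPDATE to consume."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE launch ("
            " token TEXT PRIMARY KEY,"          # duplicate INSERT fails instead of overwriting
            " patient TEXT NOT NULL,"
            " encounter TEXT,"
            " expires_at REAL NOT NULL,"
            " used INTEGER NOT NULL DEFAULT 0)"
        )

    def issue(self, patient: str, encounter: str = None) -> str:
        """EHR side: mint an unguessable launch token bound to the current context."""
        token = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO launch (token, patient, encounter, expires_at) VALUES (?, ?, ?, ?)",
            (token, patient, encounter, self.clock() + LAUNCH_TTL_SECONDS),
        )
        self.db.commit()
        return token

    def consume(self, token: str):
        """Auth-server side: hand out the context exactly once.
        Returns None when the token is unknown, already used, or expired."""
        cur = self.db.execute(
            "UPDATE launch SET used = 1 WHERE token = ? AND used = 0 AND expires_at > ?",
            (token, self.clock()),
        )
        self.db.commit()
        if cur.rowcount != 1:          # the single statement is the atomic check-and-set
            return None
        row = self.db.execute(
            "SELECT patient, encounter FROM launch WHERE token = ?", (token,)
        ).fetchone()
        return {"patient": row[0], "encounter": row[1]}

    def purge(self) -> int:
        """Housekeeping: drop rows that can never be consumed again."""
        cur = self.db.execute(
            "DELETE FROM launch WHERE used = 1 OR expires_at <= ?", (self.clock(),)
        )
        self.db.commit()
        return cur.rowcount


if __name__ == "__main__":
    store = LaunchStore()
    t = store.issue("GOLDEN-00441", "enc-001")
    print(store.consume(t))   # context on first use
    print(store.consume(t))   # None on replay
```

Because the check and the state change are one SQL statement, the database engine serialises them; a second request racing on the same token sees used = 1 and gets nothing, which is what makes the launch context replay-resistant without any application-level lock.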

The SMART server your EHR integration deserves.

Apache 2.0 — deploy it today alongside your HAPI FHIR server. Full docs and test suite included.

Get started → · Full docs at open.akhester.com →