Authorization
Haste Health implements a layered authorization model that combines OAuth 2.0 scopes, role-based access control (RBAC), and attribute-based access control (ABAC) to provide flexible, fine-grained permissions for healthcare applications.
Authorization Flow
When a user makes an API request:
- Token validation: JWT verified, scopes extracted
- Scope check: Request validated against token scopes (e.g., user/Patient.read)
- Role check: User's role verified for project access
- Policy evaluation: AccessPolicyV2 resources associated with user evaluated
- Decision: Request allowed only if all checks pass
Authorization Model
┌─────────────────────────────────────────────────────┐
│                     API Request                     │
└──────────────────────────┬──────────────────────────┘
                           │
                           ▼
              ┌────────────────────────┐
              │    Token Validation    │
              │    Extract: Scopes,    │
              │    Role, Policy IDs    │
              └────────────┬───────────┘
                           │
                           ▼
              ┌────────────────────────┐
              │      Scope Check       │
              │   (OAuth 2.0 Scopes)   │◄─── Coarse-grained
              └────────────┬───────────┘
                           │
                           ▼
              ┌────────────────────────┐
              │       Role Check       │
              │      (User.role)       │◄─── Project-level
              └────────────┬───────────┘
                           │
                           ▼
              ┌────────────────────────┐
              │   Policy Evaluation    │
              │    (AccessPolicyV2)    │◄─── Fine-grained
              └────────────┬───────────┘
                           │
                           ▼
              ┌────────────────────────┐
              │   Allow/Deny Access    │
              └────────────────────────┘
Related Documentation
- Scopes & Permissions: OAuth scopes and SMART on FHIR
- Membership: User-to-Project linking and roles
- Access Control: AccessPolicyV2 and policy engines
- Authentication: OAuth flows and token management
- SMART on FHIR: Healthcare app authorization