Configuration
Configuration files
| File | Purpose |
|---|---|
| application.yml | Base defaults, all environments |
| application-dev.yml | H2 in-memory DB, no PostgreSQL needed |
SMART server properties
Bound to the SmartServerProperties record. All properties are validated at startup.
```yaml
smart:
  server:
    fhir-base-url: ${FHIR_BASE_URL:http://localhost:8080/fhir}
    issuer-url: ${ISSUER_URL:http://localhost:9000}
    access-token-ttl-seconds: 3600
    refresh-token-ttl-seconds: 86400
    default-need-patient-banner: true
```
| Property | Env var | Default | Validation | Description |
|---|---|---|---|---|
| smart.server.fhir-base-url | FHIR_BASE_URL | http://localhost:8080/fhir | @NotBlank | FHIR server URL, used as ISS. SMART clients discover auth from {fhirBaseUrl}/.well-known/smart-configuration |
| smart.server.issuer-url | ISSUER_URL | http://localhost:9000 | @NotBlank | This auth server's URL; appears in id_token iss claim and discovery document |
| smart.server.smart-client-launch-url | SMART_CLIENT_LAUNCH_URL | http://localhost:8081/launch | @NotBlank | URL of the SMART client app. The patient picker portal redirects clinicians here after creating a launch token. Must be updated for any non-local deployment. |
| smart.server.access-token-ttl-seconds | - | 3600 | @Min(60) | Access token lifetime in seconds |
| smart.server.refresh-token-ttl-seconds | - | 86400 | @Min(60) | Refresh token lifetime in seconds (24 hours) |
| smart.server.default-need-patient-banner | - | true | - | Default need_patient_banner when not specified per launch |
smart.server.fhir-base-url
This is the most important property. It is the URL that SMART clients use as the ISS. The auth server embeds this URL in the discovery document so clients know which FHIR server this auth server protects.
```yaml
# Local dev: HAPI running on same machine
smart.server.fhir-base-url: http://localhost:8080/fhir
# Production
smart.server.fhir-base-url: https://fhir.yourplatform.com/fhir
```
smart.server.issuer-url
Appears in:
- id_token iss claim: SMART clients validate this matches the expected auth server
- /.well-known/smart-configuration (issuer field)
- AuthorizationServerSettings.issuer(): Spring Authorization Server uses this to set iss in all JWTs
Database configuration
=== "Dev (H2)"
```yaml
# application-dev.yml: active with -Dspring-boot.run.profiles=dev
spring:
  datasource:
    url: jdbc:h2:mem:smartfhirdev;DB_CLOSE_DELAY=-1
    username: sa
    password:
    driver-class-name: org.h2.Driver
  jpa:
    hibernate:
      ddl-auto: create-drop
  h2:
    console:
      enabled: true # console at http://localhost:9000/h2-console
```
=== "Production (PostgreSQL)"
```yaml
spring:
  datasource:
    url: ${DB_URL:jdbc:postgresql://localhost:5432/smartfhir}
    username: ${DB_USER:smartfhir}
    password: ${DB_PASSWORD}
    driver-class-name: org.postgresql.Driver
  jpa:
    hibernate:
      ddl-auto: update
    properties:
      hibernate:
        dialect: org.hibernate.dialect.PostgreSQLDialect
```
Server port
```yaml
server:
  port: 9000 # default (auth server)
```
The HAPI FHIR JPA server runs on port 8080 by default. The two servers must be on different ports.
Environment variable reference
| Variable | Property | Required | Description |
|---|---|---|---|
| FHIR_BASE_URL | smart.server.fhir-base-url | Yes | FHIR server base URL |
| ISSUER_URL | smart.server.issuer-url | Yes | Auth server URL (this server) |
| DB_URL | spring.datasource.url | Production | PostgreSQL JDBC URL |
| DB_USER | spring.datasource.username | Production | Database username |
| DB_PASSWORD | spring.datasource.password | Production | Database password |
Startup validation
SmartServerProperties is validated at startup via Bean Validation. If required properties are missing, the server exits immediately:
```
APPLICATION FAILED TO START
Field error in object 'smart.server' on field 'fhirBaseUrl':
rejected value [null];
message: smart.server.fhir-base-url must be set (FHIR_BASE_URL env var)
```
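A pre-deployment check built on the tables above, added here as an example and not part of the project's code. With `${VAR:default}` placeholders an unset variable resolves to its localhost default, which is non-blank, so this check flags that case before the server is started. The function name `preflight`, the sample environments and the https requirement are assumptions of this example.

```python
from urllib.parse import urlsplit

# Defaults copied from the property table on this page.
LOCAL_DEFAULTS = {
    "FHIR_BASE_URL": "http://localhost:8080/fhir",
    "ISSUER_URL": "http://localhost:9000",
    "SMART_CLIENT_LAUNCH_URL": "http://localhost:8081/launch",
}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
DB_VARS = ("DB_URL", "DB_USER", "DB_PASSWORD")  # marked "Production" above


def preflight(env):
    """Return findings for a mapping of production environment variables."""
    findings = []
    for var, default in LOCAL_DEFAULTS.items():
        value = (env.get(var) or "").strip()
        if not value:
            # ${VAR:default} resolves to the default, so @NotBlank still passes.
            findings.append(f"{var}: unset, falls back to {default}")
            continue
        url = urlsplit(value)
        if not url.hostname:
            findings.append(f"{var}: not an absolute URL")
        elif url.hostname in LOOPBACK_HOSTS:
            findings.append(f"{var}: points at loopback host {url.hostname}")
        elif url.scheme != "https":
            # Assumption of this example: production URLs must use TLS.
            findings.append(f"{var}: scheme is {url.scheme}, expected https")
    findings += [f"{v}: unset" for v in DB_VARS if not (env.get(v) or "").strip()]
    return findings


# Constructed sample environments, not taken from a real deployment.
GOOD_ENV = {
    "FHIR_BASE_URL": "https://fhir.example.org/fhir",
    "ISSUER_URL": "https://auth.example.org",
    "SMART_CLIENT_LAUNCH_URL": "https://app.example.org/launch",
    "DB_URL": "jdbc:postgresql://db.example.org:5432/smartfhir",
    "DB_USER": "smartfhir",
    "DB_PASSWORD": "constructed-placeholder",
}
BAD_ENV = {"ISSUER_URL": "http://auth.example.org", "DB_USER": "smartfhir"}

if __name__ == "__main__":
    for finding in preflight(BAD_ENV):
        print(finding)
```

Pass `dict(os.environ)` as `env` to run it against the environment the server will actually start in.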
Logging
```yaml
logging:
  level:
    com.ajfhir.auth: DEBUG
    org.springframework.security: INFO
    org.springframework.security.oauth2: DEBUG
```
Raise org.springframework.security.oauth2 to DEBUG to trace the full authorize/token flow in the logs.