Scope Interceptor

What it does

SmartScopeAuthorizationInterceptor is a HAPI @Interceptor that fires on SERVER_INCOMING_REQUEST_PRE_HANDLED for every FHIR request:

Reads Authorization: Bearer {token} from the header
Verifies the RS256 signature using the Auth Server's JWKS
Extracts the scope claim
Checks the requested resource type and HTTP method against granted scopes
Throws ForbiddenOperationException if access is denied

Registering on HAPI

@Bean
public SmartScopeAuthorizationInterceptor scopeInterceptor() throws Exception {
    JWKSet jwkSet = JWKSet.load(
        new URL("http://localhost:9000/oauth2/jwks"));
    RSAKey rsaKey = (RSAKey) jwkSet.getKeys().get(0);
    return new SmartScopeAuthorizationInterceptor(rsaKey);
}

Then in your HAPI RestfulServer.initialize():

registerInterceptor(scopeInterceptor());

SMART scope grammar

Scope	Permits
`patient/Patient.rs`	Read and search Patient resources
`patient/Observation.rs`	Read and search Observation resources
`patient/*.rs`	Read and search all patient resource types
`patient/Condition.cruds`	Full access to Condition resources

Operation letter mapping:

HTTP	Letter
`GET /{id}`	`r`
`GET ?param=`	`r` (the interceptor does not distinguish read vs search — use Consent Manager for `r` vs `s` distinction)
`POST`	`c`
`PUT` / `PATCH`	`u`
`DELETE`	`d`

Error response

{
  "resourceType": "OperationOutcome",
  "issue": [{
    "severity": "error",
    "code": "forbidden",
    "details": {
      "text": "Insufficient scope for GET on Observation. Required: patient/Observation.r or patient/*.rs"
    }
  }]
}

Scope Interceptor

What it does​

Registering on HAPI​

SMART scope grammar​

Error response​

What it does

Registering on HAPI

SMART scope grammar

Error response