
1. FHIR Referenced Specifications & Standards
1.1. HL7® FHIR® US Core IG STU 6.1.0
1.2. HL7® Version 4.0.1 FHIR® Release 4, October 30, 2019
1.3. ONC's USCDI v3.1 (United States Core Data for Interoperability)
1.4. HL7® FHIR® Bulk Data Access (V2.0.0:STU 2)
1.5. HL7® SMART Application Launch Framework IG Release 2.0
1.5.1. OAuth 2.0 Standard (RFC 6749)
1.5.2. OIDF OpenID Connect Core 1.0
1.6. Approved SVAP versions
2. Conformance Testing
2.1. Testing Tools
2.1.1. Inferno
2.1.1.1. Installation
2.1.2. Touchstone
2.1.3. Other & Reference
2.1.3.1. Postman
2.1.3.2. Swagger
2.1.3.3. Synthea (test data generation)
2.2. ONC Procedures
2.3. ONC Test Event
2.4. Drummond Proctor Sheet
2.5. Use Cases
2.5.1. 0-Client App Registration
2.5.2. 1-Standalone Patient App - Full Access
2.5.2.1. SMART on FHIR Discovery
2.5.2.2. Standalone Launch w. Patient Scope
2.5.2.3. OpenID Connect
2.5.2.4. Token Refresh
2.5.2.5. Unrestricted USCDI Resource Access
2.5.3. 2-Standalone Patient App - Limited Access
2.5.3.1. Standalone Launch w. Limited Scope
2.5.3.2. Restricted Resource Type Access
2.5.4. 3-Client App Launch from EHR/Portal
2.5.4.1. SMART on FHIR Discovery
2.5.4.2. EHR Launch w. Practitioner Scope
2.5.4.3. OpenID Connect
2.5.4.4. Token Refresh
2.5.5. 4-Single Patient API
2.5.5.1. Capability Statement
2.5.5.2. USCDI Resource Tests
2.5.6. 5-Multi-Patient API
2.5.6.1. Bulk Data Authorization
2.5.6.2. Group Compartment Export Tests
2.5.6.3. Group Compartment Export Validation Tests
2.5.7. 6-Additional Use Cases
2.5.7.1. Public Client Standalone Launch with OpenID Connect
2.5.7.2. Token Revocation
2.5.7.3. SMART App Launch Error: Invalid AUD Parameter
2.5.7.4. SMART App Launch Error: Invalid Launch Parameter
2.5.7.5. SMART App Launch Error: Invalid Access Token Request
2.5.7.6. Visual Inspection and Attestation
3. Help & Support
3.1. Zulip Streams
3.2. Drummond DAS
3.3. Drummond Portal
3.4. Drummond Account Manager
4. Additional Topics?
5. Build/Buy
5.1. FHIR Resource Server
5.1.1. Buy
5.1.1.1. *Aidbox FHIR API Module
5.1.1.2. *BlueButton Pro (Darena)
5.1.1.3. *Carefluence Open API
5.1.1.4. *Dynamic FHIR API
5.1.1.5. *InteropX
5.1.1.6. *Mphrx (by Minerva)
5.1.1.7. Smile CDR
5.1.1.7.1. Great documentation and architecture ideas
5.1.1.8. Firely FHIR Server
5.1.1.8.1. Build vs Buy Calculator
5.1.1.9. Microsoft Azure API for FHIR
5.1.1.10. Microsoft Azure Health Data Services
5.1.2. Build-on (FOSS)
5.1.2.1. HAPI-FHIR
5.1.2.2. IBM FHIR Server
5.1.2.3. Microsoft FHIR Server for Azure
5.1.2.4. Spark
5.2. IAM Services
5.2.1. Paid
5.2.1.1. Auth0
5.2.1.2. LoginRadius
5.2.1.3. *Microsoft Azure AD
5.2.1.3.1. Azure Active Directory SMART on FHIR proxy?
5.2.1.4. *Okta (API Access Management)
5.2.1.4.1. SMART on FHIR with Okta
5.2.1.5. WSO2 Identity Server
5.2.2. FOSS (build on)
5.2.2.1. *Keycloak
5.2.2.1.1. SMART on FHIR Extensions
5.2.2.1.2. Chat Stream support
5.2.2.2. *IdentityServer4
5.2.2.3. Authlete
5.2.2.4. MitreID
6. Development Approach
7. Software Architecture
7.1. FHIR API Resource Services
7.1.1. Native
7.1.2. Adaptor
7.1.3. Facade
7.2. FHIR Proxy Server (gateway)
7.3. Registration/Provisioning Services (IAM)
7.4. Authentication Services (IAM)
7.5. Authorization Services (IAM)
7.6. Persistence Services
7.7. FHIR Bulk Data Services
7.8. Search Services
8. SMART on FHIR
8.1. Authentication
8.1.1. OpenID (OIDC)
8.1.1.1. Terminology
8.1.1.2. ID Token (JWT)
8.1.1.2.1. JWS (signed)
8.1.1.2.2. JWE (encrypted)
8.2. Authorization (OAuth 2.0)
8.2.1. OAuth 2.0
8.2.1.1. OAuth 2.0 Framework - RFC 6749
8.2.1.1.1. Access Tokens
8.2.1.1.2. Refresh Tokens
8.2.1.1.3. OAuth Scopes
8.2.1.2. Grant Types
8.2.1.2.1. Authorization Code
8.2.1.2.2. PKCE
8.2.1.2.3. Client Credentials
8.2.1.2.4. Device Code
8.2.1.2.5. Refresh Token
8.2.1.2.6. Legacy: Implicit Flow
8.2.1.2.7. Legacy: Password Grant
8.2.1.3. Client Types
8.2.1.3.1. Confidential
8.2.1.3.2. Public
8.2.1.4. Bearer Tokens - RFC 6750
8.2.1.5. Threat Model and Security Considerations - RFC 6819
8.2.1.6. OAuth Security Best Current Practice
8.2.1.6.1. TLS (required)