SMART On FHIR Workflow 20211005


EHR needs to provide Ocean the following:
  - iss URL (iss: Base URL for FHIR Server)
  - client id
  - EHR Authz Server URL
  - FHIR Resource URL (accessed with the Access Token)

Participants (swimlanes): EHR App Launcher | Ocean SMART App | EHR Authz Server | EHR FHIR Server

1. EHR App Launcher -> Ocean SMART App: set patient context and launch Ocean app
   GET REQUEST https://ocean.cognisantmd.com/sso/smart/auth?
      siteNum=[OceanSiteNum]&
      iss=https://[Base URL for FHIR Server]&
      launch=[ID for this specific launch]&
      action=[Portal, viewMap, or sendMessage etc.]

2. Ocean SMART App: validate issuer (iss) against the allow-list, or throw an error.

3. Ocean SMART App -> EHR Authz Server:
   GET REQUEST https://[EHR Authz Server authorize endpoint]?
      client_id=[EHR Launch Server randomly assigned ID]&
      response_type=code&
      aud=https://[EHR FHIR Server URL]&
      launch=[ID for this specific launch]&
      redirect_uri=[Ocean's redirect URL, e.g. https://ocean.cognisantmd.com/smart/auth]&
      scope=launch patient/*.* openid profile&
      state=[128 bit guid]

4. EHR Authz Server: verify the request based on client_id and launch.

5. EHR Authz Server -> Ocean SMART App (redirect):
   GET RESPONSE [Ocean's redirect URL]?
      code=[Authorization Code]&
      state=[128 bit guid]

7. Ocean SMART App -> EHR Authz Server:
   POST REQUEST https://[EHR Authz Server]/token
      {
        "redirect_uri": "[Ocean's redirect URL]",
        "grant_type": "authorization_code",
        "client_id": "[EHR Launch Server randomly assigned ID]",
        "code": "[Authorization Code]"
      }

8. Get patient context (Patient ID) from the EMR.

9. EHR Authz Server -> Ocean SMART App:
   POST RESPONSE:
      {
        "access_token": "[Access Token]",
        "token_type": "bearer",
        "expires_in": "3600",
        "scope": "patient/Patient.read",
        "patient": "[Patient ID]",
        "id_token": "[User ID token]",
        "oceanSharedEncryptionKey": "[oceanSharedEncryptionKey to decrypt Ocean Patient Data, in Base64]"
      }

   id_token JWT (decoded claims):
      {
        "jti": "[JWT ID]",
        "iat": [Issued At],
        "exp": [Expiration Time],
        "aud": "[Audience ID]",
        "sub": "[Subject ID]",
        "iss": "https://[Base URL for FHIR Server]",
        "given_name": "GIVEN_NAME",
        "family_name": "FAMILY_NAME",
        "profile": "[FHIR profile URL]",
        "auth_time": [Auth Time],
        "at_hash": "[Access Token Hash Value]"
      }

10. Ocean SMART App -> EHR FHIR Server:
    GET REQUEST https://[Base URL for FHIR Server]/.well-known/openid-configuration

11. GET RESPONSE:
      {
        "issuer": "https://[Base URL for FHIR Server]",
        "authorization_endpoint": "https://[EHR Authz Server]/authorize",
        "token_endpoint": "https://[EHR Authz Server]/token",
        "jwks_uri": "https://[EHR Authz Server]/jwks",
        "capabilities": [
          "launch-ehr",
          "client-public"
        ]
      }

12. Ocean SMART App -> EHR Authz Server:
    GET REQUEST https://[EHR Authz Server]/jwks to validate the identity token

13. GET RESPONSE (sample JSON response):
      {
        "keys": [
          {
            "use": "sig",
            "kty": "RSA",
            "kid": "public:c424b67b-fe28-45d7-b015-f79da50b5b21",
            "alg": "RS256",
            "n": "sttddbg-_yjXzcFpbMJB1fIFam.r9smM",
            "e": "AQAB"
          }
        ]
      }

14. Ocean SMART App:
    1) Validate the identity token with [at_hash] and the jwks.
    2) Link the EHR user to Ocean. If the user has not yet linked their EHR account to
       Ocean, a sign-in prompt is shown. Once the account is linked (and from then on in
       future launches), the single sign-on is automatic.

15. If a patient is in context, Ocean SMART App -> EHR FHIR Server:
    GET REQUEST https://[EHR FHIR Server URL]/patient/[Patient ID] with [Access Token]

16. GET RESPONSE (from FHIR Patient.read):
      {
        "resourceType": "Patient",
        "id": "e26f645b-3eda-42a6-9348-2a058a3b5900",
        "meta": {
        }...
      }

17. Ocean SMART App:
    1) Patient is encrypted and saved in Ocean.
    2) Redirect based on the requested action:
       Ocean Patient Portal or
       Ocean Health Map
       OR
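The client-side checks the flow relies on (step 2 issuer allow-list, the step 3 state value and its match on the step 5 callback, and the step 14 at_hash binding of the id_token to the access token), as an added example that is not Ocean's or CognisantMD's code. The allow-list, endpoints and token values are constructed for illustration; JWT signature verification against the JWKS from step 13 is assumed to be done by a JWT library and is not shown.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed allow-list of trusted FHIR issuers (step 2); load from config in practice.
ALLOWED_ISSUERS = {"https://fhir.example-ehr.test"}


def validate_issuer(iss: str) -> str:
    """Step 2: only an https, allow-listed issuer may drive a launch; anything else is an error."""
    iss = iss.rstrip("/")
    if not iss.startswith("https://") or iss not in ALLOWED_ISSUERS:
        raise ValueError(f"issuer not allow-listed: {iss}")
    return iss


def build_authorize_url(authorize_endpoint, client_id, fhir_base, launch, redirect_uri):
    """Step 3: build the authorization request; returns (url, state) with a fresh 128-bit state."""
    state = secrets.token_hex(16)  # 16 random bytes = 128 bits, as the diagram specifies
    params = {
        "client_id": client_id,
        "response_type": "code",
        "aud": fhir_base,
        "launch": launch,
        "redirect_uri": redirect_uri,
        "scope": "launch patient/*.* openid profile",
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state


def check_callback(returned_state: str, expected_state: str) -> bool:
    """Step 5: the state echoed on the redirect must equal the one issued, before the code is used."""
    if not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback is not bound to this launch")
    return True


def at_hash_for(access_token: str) -> str:
    """OIDC at_hash for an RS256 id_token: left half of SHA-256(access_token), base64url, unpadded."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()


def check_id_token_binding(claims: dict, access_token: str, expected_iss: str, expected_aud: str) -> bool:
    """Step 14.1: tie the (already signature-verified) id_token to this issuer, client and access token."""
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    if claims.get("aud") != expected_aud:
        raise ValueError("aud mismatch")
    if not secrets.compare_digest(claims.get("at_hash", ""), at_hash_for(access_token)):
        raise ValueError("at_hash mismatch: id_token was not issued with this access_token")
    return True
```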
