
I am building software that uses OAuth2 to access health data from volunteers. I have the software working for a single test server, and am able to successfully obtain an OAuth access token and query the server.

In production, there will be many servers where an OAuth2 authorization code could come from. How can I infer or identify which OAuth2 endpoint an authorization code came from?

I have been relying on documentation from Epic, but have not found a reliable way to tell which instance of the Epic health record software I would receive the authorization code from.

I suppose I could use the state parameter to store the token endpoint when getting the authorization code, then the OAuth2 response would include that state information. I am not sure if this is secure, though.

Dylan Klomparens

2 Answers


Speaking specifically about Epic:

  1. Each customer will have a different URL to hit in the authorization flow, so you will know which instance it is based on the URL you use at the beginning of the authorization flow.
  2. Even if you are using Epic's API gateway (Tesseract), there will be a distinguishing portion of the URL that identifies the instance.
  3. In case the URL isn't sufficient, Epic has the option of returning the access tokens as JWTs, and you can inspect these JWTs for a distinguishing identifier for the instance. Note that not all Epic customers may have enabled this feature.

Speaking more generally, access tokens are usually opaque so the URL will be a better option for deciphering the instance.

Ashavan

I discovered that it is indeed incumbent upon the software developer to store information about which OAuth2 endpoint is being contacted. I was unaware until now, but the SMART on FHIR JavaScript client does exactly this using browser storage (which is not discussed at length in its documentation).

So, I solved it by having my application store which server is being contacted for a particular user and then redirect them to that FHIR endpoint.

Dylan Klomparens
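An added example of the approach described in this answer (written for this page; not code from the question, the answers, Epic, or the SMART on FHIR client): the `state` parameter is an opaque random key into a server-side table that records which FHIR server a given user's login targets, so the callback is mapped back to the correct token endpoint without ever placing the endpoint URL itself inside `state`. The server registry, URLs and scope are constructed placeholders.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed registry of the FHIR servers this app is allowed to talk to.
# The URLs are placeholders, not real Epic instances.
SERVERS = {
    "hospital-a": {"authorize": "https://ehr-a.example/oauth2/authorize",
                   "token": "https://ehr-a.example/oauth2/token"},
    "hospital-b": {"authorize": "https://ehr-b.example/oauth2/authorize",
                   "token": "https://ehr-b.example/oauth2/token"},
}

STATE_TTL_SECONDS = 600
# state -> pending login. In production this belongs in a session store or
# database tied to the user, not in a module-level dict.
_pending = {}


def begin_authorization(user_id, server_key, client_id, redirect_uri, now=None):
    """Build the authorize URL and record which server this login targets.

    `state` is an unguessable random token, so it also serves as the CSRF
    check OAuth2 requires. The endpoint URL is never embedded in it: a
    callback can only be mapped to a server that is already in SERVERS.
    Returns (authorize_url, state).
    """
    server = SERVERS[server_key]            # KeyError for an unknown server
    state = secrets.token_urlsafe(32)
    _pending[state] = {"user": user_id, "server": server_key,
                       "created": now if now is not None else time.time()}
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "patient/*.read",
              "state": state}
    return f"{server['authorize']}?{urlencode(params)}", state


def resolve_callback(state, now=None):
    """Map the `state` returned with an authorization code to
    (user_id, token_endpoint).

    Returns None when the state is unknown, already used, or expired; the
    caller must reject the callback rather than guess which server it is from.
    """
    entry = _pending.pop(state, None)       # pop: each state is single use
    if entry is None:
        return None
    age = (now if now is not None else time.time()) - entry["created"]
    if age > STATE_TTL_SECONDS:
        return None
    return entry["user"], SERVERS[entry["server"]]["token"]
```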