Situation
I have implemented login using FHIR APIs in OpenEMR.
The authentication flow uses OAuth2 to obtain an access token, and this token is then used to access FHIR endpoints such as:
/interface/fhir/Patient
/interface/fhir/Observation
I want clarification on whether:
The login/authentication API itself follows the FHIR standard, or
The login API is a custom OpenEMR implementation, and only the data APIs are standard FHIR.
In other words, I would like to confirm:
Which parts of the flow are FHIR standard–compliant
The FHIR standard does not have anything to do with login/authentication as that exists outside the spec.
SMART on FHIR v1.0 (which is what I think you are referring to) is implemented in version 7.0.3, which does handle the Authorization Code Grant Flow for login/authentication. Version 8.0.0 of OpenEMR, which is soon to be released, complies with SMART on FHIR version 2.2.0 for the Authorization Code Grant Flow.
The login screen and authorization screen are up to OpenEMR to determine as far as the UX presentation, but the actual scopes presented and authorized are all spec compliant.
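
The spec-defined half of the flow, as an added example (not OpenEMR's code and not part of the original answer): building a SMART App Launch v2 authorization request with PKCE, and checking v1 versus v2 scope syntax against the capabilities the server advertises. The host names, endpoint paths and client id are placeholders, and the discovery document is a constructed sample.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample of a /.well-known/smart-configuration response.
# Host and paths are placeholders, not OpenEMR's actual endpoints.
SAMPLE_SMART_CONFIG = {
    "authorization_endpoint": "https://ehr.example.org/oauth2/authorize",
    "token_endpoint": "https://ehr.example.org/oauth2/token",
    "code_challenge_methods_supported": ["S256"],
    "capabilities": ["launch-standalone", "permission-v1", "permission-v2"],
}

def pkce_challenge(verifier):
    """RFC 7636 S256: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def scope_syntax(scope):
    """Return the capability a resource scope needs, or None for other scopes."""
    if not scope.startswith(("patient/", "user/")):
        return None  # openid, fhirUser, launch/patient, offline_access, ...
    suffix = scope.split("?", 1)[0].rsplit(".", 1)[-1]
    # SMART v1 uses .read/.write/.*; SMART v2 uses letters from "cruds"
    return "permission-v1" if suffix in ("read", "write", "*") else "permission-v2"

def build_authorize_url(config, fhir_base, client_id, redirect_uri, scopes):
    """Build the SMART authorization request; returns (url, state, verifier)."""
    if "S256" not in config.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")
    for scope in scopes:
        needed = scope_syntax(scope)
        if needed and needed not in config.get("capabilities", []):
            raise ValueError(f"{scope!r} requires capability {needed}")
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 range
    state = secrets.token_urlsafe(32)     # compare on the redirect (CSRF check)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "aud": fhir_base,  # names the FHIR server the token is meant for
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{config['authorization_endpoint']}?{urlencode(params)}", state, verifier
```

The returned `state` and `verifier` stay on the client: `state` is compared with the value on the redirect, and `verifier` is sent as `code_verifier` in the token request.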