We recently started exploring FHIR and we are using Azure API for FHIR with SMART on FHIR enabled. We would like to restrict the access given to a SMART app (SPA) when the SMART app asks the FHIR API for permissions. In this sample, we have updated the scope in the request to "patient/Practitioner.read" in the wwwroot/sampleapp/launch.html file, something like the below:
{
    FHIR.oauth2.authorize({
        "client_id": "<client-Id>",
        "scope": "patient/Practitioner.read",
        "redirect_uri": "<SMART-App-URI>"
    })
}
Though the client app requested a specific scope like "patient/Practitioner.read", the app is able to fetch all the other resources from the Azure API for FHIR. This document says that currently only root-level scopes are supported. But we would like to know if there is a way to achieve resource-level scope restriction using Azure API for FHIR.
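The behaviour in the question is what a root-level scope check looks like: the server only confirms that some "patient/..." scope was granted and does not compare the requested resource type against the token. The block below is an added example, not code from the original post or from Azure API for FHIR; it shows what a resource-level check on a SMART v1 scope string looks like, of the kind a gateway or proxy sitting in front of the FHIR endpoint could apply. The scope strings, request paths and the `authorizeRequest` helper are constructed for illustration, and the check covers only resource type and read/write access; a real deployment would also have to restrict patient-context scopes to the launch patient's compartment, which this example does not attempt.

```javascript
// Added example: resource-level enforcement of SMART v1 clinical scopes
// of the form context/ResourceType.access, e.g. patient/Practitioner.read,
// user/*.write, patient/*.*. Non-resource scopes (openid, launch/patient,
// offline_access, ...) are ignored by the parser.
const SCOPE_RE = /^(patient|user|system)\/([A-Za-z]+|\*)\.(read|write|\*)$/;

// Turn a space-separated scope string into structured entries.
function parseScopes(scopeString) {
  return scopeString
    .split(/\s+/)
    .filter(Boolean)
    .map((s) => {
      const m = SCOPE_RE.exec(s);
      return m ? { context: m[1], resource: m[2], access: m[3] } : null;
    })
    .filter(Boolean);
}

// Map an HTTP method onto the SMART access level it requires.
function methodToAccess(method) {
  switch (method.toUpperCase()) {
    case "GET":
    case "HEAD":
      return "read";
    case "POST":
    case "PUT":
    case "PATCH":
    case "DELETE":
      return "write";
    default:
      return null; // unknown method: deny
  }
}

// True only if some granted scope covers both the resource type and the access.
// A bare "patient/Practitioner.read" therefore does NOT cover Observation.
function isAllowed(scopeString, method, resourceType) {
  const access = methodToAccess(method);
  if (!access) return false;
  return parseScopes(scopeString).some(
    (s) =>
      (s.resource === "*" || s.resource === resourceType) &&
      (s.access === "*" || s.access === access)
  );
}

// Hypothetical gateway decision: derive the resource type from the request
// path (e.g. "/Observation?patient=123" -> "Observation") and check it.
function authorizeRequest(scopeString, method, path) {
  const resourceType = path.split("?")[0].split("/").filter(Boolean)[0];
  if (!resourceType) {
    return { allowed: false, reason: "no resource type in path" };
  }
  if (!isAllowed(scopeString, method, resourceType)) {
    return {
      allowed: false,
      reason: `granted scopes do not cover ${methodToAccess(method)} on ${resourceType}`,
    };
  }
  return { allowed: true };
}

// Constructed requests mirroring the question: the token carries only
// patient/Practitioner.read, so the Practitioner read passes and an
// Observation read is rejected instead of silently succeeding.
const grantedScopes = "openid launch/patient patient/Practitioner.read";
console.log(authorizeRequest(grantedScopes, "GET", "/Practitioner/42"));
console.log(authorizeRequest(grantedScopes, "GET", "/Observation?patient=123"));
console.log(authorizeRequest(grantedScopes, "POST", "/Practitioner"));

module.exports = { parseScopes, methodToAccess, isAllowed, authorizeRequest };
```

The decision is made on the scope string as issued in the access token, so the check only helps if the token's scopes are themselves narrowed at the authorization server; if the server always issues "patient/*.*", there is nothing for the gateway to restrict.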