I am building software that uses OAuth2 to access health data from volunteers. I have the software working for a single test server, and am able to successfully obtain an OAuth access token and query the server.
In production, there will be many servers where an OAuth2 authorization code could come from. How can I infer or identify which OAuth2 endpoint an authorization code came from?
I have been relying on documentation from Epic, but have not found a reliable way to tell which instance of the Epic health record software I would receive the authorization code from.
I suppose I could use the state parameter to store the token endpoint when getting the authorization code, then the OAuth2 response would include that state information. I am not sure if this is secure, though.
I discovered that it is indeed incumbent upon the software developer to store information about which OAuth2 endpoint is being contacted. I was unaware until now, but the SMART on FHIR JavaScript client does exactly this using browser storage (which is not discussed at length in its documentation).
So, I solved it by having my application store which server is being contacted for a particular user and then redirect them to that FHIR endpoint.
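An added example (not the poster's code) of the approach described above: the app keeps a server-side record of which FHIR server each user was sent to, keyed by a random, single-use `state` value, so the callback can be mapped back to the correct token endpoint without trusting anything the redirect carries. The server URLs, client id, redirect URI, scope and TTL are constructed placeholders, not real Epic instances.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed registry of the FHIR servers this app may contact (hypothetical URLs).
FHIR_SERVERS = {
    "hospital-a": {"authorize": "https://fhir.hospital-a.example/oauth2/authorize",
                   "token": "https://fhir.hospital-a.example/oauth2/token"},
    "clinic-b": {"authorize": "https://fhir.clinic-b.example/oauth2/authorize",
                 "token": "https://fhir.clinic-b.example/oauth2/token"},
}

# Server-side store: opaque state value -> which server/user started the flow.
# A real deployment would use a database or session store instead of a dict.
_pending = {}
STATE_TTL = 600  # seconds a pending authorization stays valid (assumed value)

def start_authorization(user_id, server_key, client_id, redirect_uri, now=None):
    """Record which FHIR server this user is being sent to and build the authorize URL."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)  # unguessable; the only value that travels in the URL
    _pending[state] = {"user": user_id, "server": server_key, "created": now}
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "scope": "patient/*.read"}
    return state, FHIR_SERVERS[server_key]["authorize"] + "?" + urlencode(params)

def resolve_callback(state, now=None):
    """Map the state from the redirect back to the token endpoint it belongs to.
    Returns None for unknown, replayed or expired state so the code is never redeemed."""
    now = time.time() if now is None else now
    entry = _pending.pop(state, None)  # single use: a second callback with this state fails
    if entry is None or now - entry["created"] > STATE_TTL:
        return None
    server = FHIR_SERVERS[entry["server"]]
    return {"user": entry["user"], "server": entry["server"],
            "token_endpoint": server["token"]}
```

Only the lookup result decides which token endpoint receives the authorization code; a callback whose `state` is not in the store is dropped.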