Sequence diagram: authenticating and integrating with the SFM Datashare API

The EHR system must support requesting access tokens from HelseID with audiences for the SFM, and must provide a function to renew tokens, in order to support single sign-on for local login, use of the SFM and communication with underlying services.

The SFM requires that all calls are authenticated using a HelseID identity bearer token. The SFM does not handle login; this should be done by the SFM client EHR systems before accessing the SFM.

The sequence diagram and accompanying descriptions document the process of integrating external EHR systems with the SFM.

Sequence diagram showing principles for API access

The SFM Datashare API uses bearer authentication:

    Authorization: <type> <credentials>

The type is ‘Bearer’ and the credentials are the accessToken retrieved from HelseID.
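A client-side sketch of the token handling described above, added here as an example and not taken from the SFM or HelseID documentation. It assumes the HelseID access token is a compact JWT with `aud` and `exp` claims; `SFM_AUDIENCE` is a placeholder value and `fetch_token` is a hypothetical callable standing in for the EHR system's HelseID token request.

```python
import base64, json, time

SFM_AUDIENCE = "example:sfm-api"  # placeholder, not a real HelseID audience value
RENEW_MARGIN_S = 60               # assumed policy: renew 60 s before expiry

def jwt_claims(token):
    """Decode the JWT payload without verifying it (client bookkeeping only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

class SfmTokenHolder:
    def __init__(self, fetch_token, audience=SFM_AUDIENCE, clock=time.time):
        self._fetch = fetch_token  # hypothetical: requests a token from HelseID
        self._audience, self._clock = audience, clock
        self._token, self._exp = None, 0

    def _renew(self):
        token = self._fetch()
        claims = jwt_claims(token)
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud  # aud may be string or list
        if self._audience not in aud:
            raise ValueError("token audience does not include the SFM")
        if claims["exp"] <= self._clock():
            raise ValueError("received an already expired token")
        self._token, self._exp = token, claims["exp"]

    def authorization_header(self):
        # Renew on first use and whenever the token is close to expiry.
        if self._token is None or self._clock() >= self._exp - RENEW_MARGIN_S:
            self._renew()
        return {"Authorization": "Bearer " + self._token}

def make_constructed_token(aud, exp):
    """Build a sample JWT for testing (constructed, fake signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"aud": aud, "exp": exp}), "constructed"])
```

The decode step here only reads claims to decide when to renew; validating the token's signature remains the job of the API receiving it.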