Identity&Consent

Authentication, authorisation, and patient consent management for Malaysia's digital health infrastructure

OAuth 2.0 / OpenID Connect

Industry-standard authentication with SMART on FHIR scopes for granular access control.

User & System Context

Support for both user-facing (practitioner) and system-to-system (M2M) authentication flows.

Consent Registry

Patient consent preferences are stored as FHIR Consent resources and enforced at the API gateway.

Privacy-Preserving

Audit logs, purpose-of-use restrictions, and break-glass emergency access workflows.

SMART on FHIR Scopes

Granular permissions following the SMART App Launch framework. Scopes follow the pattern:

User Context (Practitioner)

System Context (M2M)

Consent Management

Consent Types

Enforcement
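The following is an added example, not the project's gateway code, showing how a policy check at the API gateway can combine the two controls described above: the SMART on FHIR scopes carried in the access token (user and system context) and the patient's FHIR Consent resource with its purpose-of-use restriction, with break-glass access recorded in an audit log. The scope syntax is the published SMART App Launch pattern; the reduced Consent shape, the purpose codes and the rule that break-glass overrides consent but never scopes are assumptions made for the example.

```python
"""Simplified API-gateway policy check: SMART on FHIR scopes plus a FHIR Consent
resource. Added example, not the project's own gateway code."""
import re

# SMART App Launch v2 scope syntax: <context>/<ResourceType>.<permissions>,
# where context is patient, user or system and permissions is a subset of
# "cruds" (create/read/update/delete/search). The v1 forms .read/.write/.*
# are mapped onto the v2 letters so both styles are accepted.
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(\*|read|write|[cruds]+)$")
V1_PERMS = {"read": "rs", "write": "cud", "*": "cruds"}


def parse_scope(scope):
    """Return (context, resource, permission letters) for a resource scope."""
    m = SCOPE_RE.match(scope)
    if m is None:
        raise ValueError(f"not a SMART resource scope: {scope!r}")
    context, resource, perms = m.groups()
    return context, resource, frozenset(V1_PERMS.get(perms, perms))


# Permission letter each FHIR interaction needs at the gateway.
NEEDED = {"read": "r", "search": "s", "create": "c", "update": "u", "delete": "d"}


def scopes_permit(granted, interaction, resource):
    """True if any granted resource scope covers the interaction on the resource.
    Non-resource scopes such as openid, fhirUser or launch are skipped."""
    need = NEEDED[interaction]
    for s in granted:
        try:
            _, res, perms = parse_scope(s)
        except ValueError:
            continue
        if res in (resource, "*") and need in perms:
            return True
    return False


# Constructed sample: a reduced FHIR R4 Consent with one provision that permits
# access only for treatment. Purpose codes are sample values modelled on the
# HL7 v3 PurposeOfUse vocabulary (TREAT = treatment).
SAMPLE_CONSENT = {
    "resourceType": "Consent",
    "status": "active",
    "patient": {"reference": "Patient/example"},
    "provision": {"type": "permit", "purpose": [{"code": "TREAT"}]},
}


def consent_permits(consent, purpose):
    """True if an active Consent's top-level provision allows the purpose-of-use.
    A deny provision with no purpose list denies everything; a permit provision
    with no purpose list permits everything; no provision at all fails closed."""
    if consent.get("status") != "active":
        return False
    prov = consent.get("provision", {})
    listed = {c["code"] for c in prov.get("purpose", [])}
    matches = not listed or purpose in listed
    if prov.get("type") == "permit":
        return matches
    if prov.get("type") == "deny":
        return not matches
    return False


AUDIT_LOG = []  # every decision is recorded, whatever the outcome


def gateway_decision(token_scopes, interaction, resource, consent, purpose, break_glass=False):
    """Return (allowed, reason). Scopes are checked first; break-glass overrides
    only the consent check (assumed policy) and is always audited."""
    if not scopes_permit(token_scopes, interaction, resource):
        allowed, reason = False, "denied: scope"
    elif break_glass:
        allowed, reason = True, "permitted: break-glass"
    elif not consent_permits(consent, purpose):
        allowed, reason = False, "denied: consent"
    else:
        allowed, reason = True, "permitted"
    AUDIT_LOG.append({"interaction": interaction, "resource": resource, "purpose": purpose,
                      "break_glass": break_glass, "decision": reason})
    return allowed, reason


if __name__ == "__main__":
    print(gateway_decision(["openid", "user/Patient.read"], "read", "Patient", SAMPLE_CONSENT, "TREAT"))
    print(gateway_decision(["user/Patient.read"], "read", "Patient", SAMPLE_CONSENT, "HMARKT", break_glass=True))
```

Checking scopes before consent means a token that was never granted access to a resource type is refused even under break-glass, so emergency access widens what a clinician may see only within what their app was authorised for.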

Authentication Flow

1. Redirect to Authorisation Server

Application redirects the user to https://auth.dhd.moh.gov.my/authorize

2. User Authenticates

Healthcare professional logs in with MyKad or MyGovID credentials.

3. Consent & Scope Approval

User reviews and approves the requested scopes (e.g., “Read patient records”).

4. Token Exchange

Application exchanges the authorisation code for an access token and a refresh token.

5. API Access

Include the access token in the Authorization header of FHIR API requests.
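The client side of the five steps above, as an added example that is not part of the page or the project's SDK. It adds PKCE (RFC 7636), which the page does not mention but which SMART App Launch requires for public clients, and validates the state parameter before trusting the returned code. Only the /authorize URL comes from the page; the token endpoint, FHIR base URL, client id and redirect URI are placeholders, and the token and FHIR requests are built as dicts so the block runs offline with any HTTP client.

```python
"""Client-side helpers for the authorisation code flow with PKCE.
Added example, not the project's SDK. Only AUTHORIZE_ENDPOINT is from the page;
the other endpoints are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.dhd.moh.gov.my/authorize"  # from the page
TOKEN_ENDPOINT = "https://auth.example.invalid/token"          # placeholder
FHIR_BASE = "https://fhir.example.invalid/r4"                  # placeholder


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    """43-character verifier (RFC 7636 allows 43..128), kept in the user session."""
    return b64url(secrets.token_bytes(32))


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Step 1: build the redirect to the authorisation server.
def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),      # e.g. openid fhirUser user/Patient.read
        "state": state,                 # unguessable, bound to the session, checked in step 4
        "aud": FHIR_BASE,               # SMART: the FHIR server the token is intended for
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


# Steps 2 and 3 (MyKad/MyGovID login, scope approval) happen on the authorisation server.

# Step 4a: the server redirects back; validate state before using the code.
def parse_callback(callback_url, expected_state):
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in qs:
        raise ValueError(f"authorisation failed: {qs['error'][0]}")
    return qs["code"][0]


# Step 4b: the token request that exchanges the code (plus verifier) for tokens.
def build_token_request(code, client_id, redirect_uri, code_verifier):
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,   # must equal the one sent in step 1
            "client_id": client_id,
            "code_verifier": code_verifier,  # proves this client started the flow
        },
    }


# Step 5: present the access token as a Bearer token on FHIR API requests.
def build_fhir_request(access_token, relative_path):
    return {
        "url": f"{FHIR_BASE}/{relative_path}",
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Accept": "application/fhir+json"},
    }


if __name__ == "__main__":
    verifier = new_pkce_verifier()
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url("placeholder-client", "https://app.example.invalid/cb",
                              ["openid", "fhirUser", "user/Patient.read"], state,
                              pkce_challenge(verifier)))
```

The refresh token returned in step 4 is replayed against the same token endpoint with grant_type=refresh_token; it never goes in the Authorization header, which carries only the short-lived access token.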