medplum / medplum / 21882620968 / 1
92%
main: 92%

DEFAULT BRANCH: main
Ran
Files 722
Run time 20s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 92.303% (+0.001%) from 92.302%
21882620968.1

push

github

web-flow 
feat(server): support sub claim fallback in external auth (#8392)

* feat(server): support sub claim fallback in external auth

When no fhirUser claim is present in an external JWT, fall back to using
the standard sub (subject) claim to look up a ProjectMembership by its
externalId field. This enables external IDPs that don't support
SMART-on-FHIR claims to authenticate users directly.

Key changes:
- tryExternalAuthLogin now checks for sub when fhirUser is absent
- Searches ProjectMembership by external-id matching the sub claim
- Returns 401 if multiple memberships share the same externalId
- fhirUser always takes precedence when both claims are present
- Token validation via userinfo endpoint applies to both paths

Closes #8391

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Rahul Agarwal <rahul@medplum.com>

* [autofix.ci] apply automated fixes

* fix(server): use unique nonces in external auth tests to avoid cache hits

Tests using the same sub claim were hitting the Redis cache from prior
tests, causing false positives/negatives. Adding unique nonces ensures
each test JWT produces a distinct cache key.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Rahul Agarwal <rahul@medplum.com>

* Address review feedback: test, comment, and docs improvements

- Add test for ext.fhirUser claim (fhirUser inside ext block)
- Add comment explaining count: 2 optimization for duplicate detection
- Clarify variable substitution in curl example in docs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Rahul Agarwal <rahul@medplum.com>

* docs: add self-hosted only admonition to direct external auth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Rahul Agarwal <rahul@medplum.com>

* docs: expand externalAuthProviders in server config docs

Add property table, example config, and link to direct external auth
docs page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>... (continued)

17003 of 19277 branches covered (88.2%)

Branch coverage included in aggregate %.

31059 of 32793 relevant lines covered (94.71%)

13831.86 hits per line

Source Files on job 21882620968.1