How we compare
Why not Keycloak?โ
Keycloak is a mature, widely-deployed identity platform. However, adapting it for SMART on FHIR requires maintaining custom Service Provider Interface (SPI) extensions that:
- Break on every Keycloak major version upgrade
- Only support SMART App Launch v1.0 โ not the current v2.2
- Do not natively support EHR launch tokens (patient context bound to a session)
- Cannot issue
patient,encounter, andneed_patient_banneras top-level token response fields (a SMART spec requirement most implementations get wrong) - Require Keycloak operational expertise on top of SMART expertise โ two separate knowledge domains to maintain
The AJ FHIR Platform implements SMART natively in Spring Authorization Server 1.3 with zero third-party extensions. The entire SMART flow is plain Spring Boot code โ readable, auditable, and upgradeable without breaking changes.
Why not Smile CDR?โ
Smile CDR is excellent. It is the most complete SMART on FHIR commercial platform available. It is also closed source and costs in the range of $150,000โ$500,000+ per year for enterprise deployments โ beyond the budget of most national health programmes in low and middle income countries.
The AJ FHIR Platform delivers the same core infrastructure โ SMART auth, HAPI FHIR JPA, consent management, audit โ under MIT licence. Commercial support is priced for government scale, not Silicon Valley enterprise contracts.
Why not Medplum?โ
Medplum is a strong option for US healthtech startups. However:
- It is TypeScript/Node.js โ not suitable for JVM environments that most national health platforms run
- It is a monolith โ FHIR server, auth, and UI are one codebase, not independently deployable
- It is designed for the US market โ no alignment with WHO digital health guidelines or South/Southeast Asian national health frameworks
- It does not use HAPI FHIR โ the reference FHIR implementation used by most government health systems
Why not the original smart-on-fhir/auth-server?โ
The original reference implementation by the SMART Health IT team was built in 2014โ2016 on Spring Security OAuth2 (now deprecated). It has not been maintained since 2018, targets SMART App Launch v1.0, has no PKCE, and uses a deprecated dependency stack. It should not be used for new deployments.
Feature comparisonโ
| Feature | AJ FHIR Platform | Keycloak + extensions | Smile CDR | Medplum |
|---|---|---|---|---|
| SMART App Launch v2.2 | โ | โ ๏ธ v1.0 only | โ | โ ๏ธ v1.0 |
| EHR launch tokens | โ Atomic DB | โ ๏ธ External service | โ | โ |
| PKCE S256 enforced | โ | โ | โ | โ |
| fhirUser in id_token | โ | โ ๏ธ Extension needed | โ | โ |
| SMART token extras (patient, encounter) | โ Top-level JSON | โ ๏ธ Manual config | โ | โ |
| IdP federation | โ Native Spring | โ Native | โ | โ |
| Consent Manager (FHIR Consent) | โก v1.1.0 | โ | โ | โ |
| ATNA Audit (IHE) | โก v1.1.0 | โ | โ | โ |
| HAPI FHIR upstream tracking | โ | N/A | โ (is Smile) | โ |
| Java / JVM | โ | โ | โ | โ TypeScript |
| Open source (MIT) | โ | โ Apache | โ Closed | โ Apache |
| Commercial support | โ | โ Red Hat | โ | โ |
| National health alignment | โ 6 countries | โ | US-focused | US-focused |
โ Supported ยท โก In progress ยท โ ๏ธ Partial/workaround ยท โ Not supported