We need to choose application component for - Authentication (AuthnN): verify the user is who they say they are - Authorization (AuthZ): verify the user is allowed to perform a certain action - Consent and Audit: optional logging for audit trail relevant when e.g. writing data HAPI FHIR has Interceptors to interact with Auth Server of choice: https://hapifhir.io/hapi-fhir/docs/security/introduction.html