We need to choose application component for
- Authentication (AuthnN): verify the user is who they say they are
- Authorization (AuthZ): verify the user is allowed to perform a certain action
- Consent and Audit: optional logging for audit trail relevant when e.g. writing data
HAPI FHIR has Interceptors to interact with Auth Server of choice:
https://hapifhir.io/hapi-fhir/docs/security/introduction.html