Hi Harsha,
I’m wondering whether you or others have discussed using “OpenID Connect” (which builds on OAuth2) for this proposal?
OIDC provides a standard profile of OAuth2 for compatibility & interop that includes identity (IdM) and authentication (authN), whereas OAuth2 by itself is really a framework for constructing authorisation protocols only. OAuth2 leaves many important implementation choices open, which can often be too open.
The authZ features that OAuth2 by itself offers ‘out of the box’ are very limited. OpenID Connect, however, allows not only strong, trust-able assertions (e.g. user ‘x’ was authenticated at location ‘y’, has role ‘z’, has had her ID card vetted, has a verified email address & logged on with 2FA authentication), but also supports the addition of more advanced authorisation protocols like User Managed Access (which can address patient/delegated consent & institutional/provider data sharing scenarios, among others).
One of the primary advantages of OIDC is that it would allow integration of external SSO providers too, either institutional (like an MS AD server or workstation login), national (see NSTIC), or even cloud providers for patients if they consent. OIDC is also well supported on mobile devices & native apps (stored tokens, etc.).
If you haven’t already, I’d recommend taking a look at using a good existing open source OIDC implementation, such as MitreID Connect. It’s well featured and built on top of Spring Security (so still nice and pluggable). It will also support UMA in future (it’s in development).
Because security protocols are so unforgiving, for something as sensitive as patient data I think it would be better to use a proven solution (from a team with strong existing expertise). It would be good to take a look at whether it’s suitable. Something existing that works and can be integrated/adapted for use would allow efforts to be focused on even better features.
Note, there’s a group working to standardise how OAuth2, OpenID Connect, UMA, FHIR, etc. can be used in healthcare in interoperable ways too: http://openid.net/wg/heart/charter/. Josh Mandel is a member and already working with OpenMRS (e.g. on FHIR integration of SMART apps etc) so may be able to advise further.
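To make concrete what “strong, trust-able assertions” from an OpenID Provider look like on the relying-party side, here is an added example (not code from this thread, from OpenMRS, or from MitreID Connect) of validating an OIDC ID Token and then applying a local policy on its claims: the e-mail must be verified and the login must have used multiple factors. The issuer URL, client id, client secret, nonce and user claims are constructed placeholders. It uses HS256 signing with the client secret (which OIDC Core permits) so that it runs offline with only the Python standard library; a production relying party would normally verify RS256 signatures against the provider’s published JWKS instead. The checks follow the ID Token validation rules in OIDC Core section 3.1.3.7 (issuer, audience, `azp`, expiry, nonce) plus a pinned `alg`, and the `amr` values follow RFC 8176.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values for a hypothetical client registered at an OP.
ISSUER = "https://op.example.org"
CLIENT_ID = "example-emr-client"
CLIENT_SECRET = b"example-client-secret-not-for-production"
NONCE = "n-0S6_WzA2Mj"  # constructed; a real RP generates one per login


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the OP: produce an HS256-signed JWT for the demo only."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: Optional[float] = None) -> dict:
    """Validate an ID Token (OIDC Core 3.1.3.7 subset) and return its claims.

    Raises ValueError on any failure; the payload is never trusted before
    the signature has been checked.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: 'none' and any unexpected alg are rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise ValueError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def meets_access_policy(claims: dict) -> bool:
    """Example relying-party policy: verified e-mail AND multi-factor login."""
    # 'email_verified' is an OIDC standard claim; 'amr' values per RFC 8176.
    return claims.get("email_verified") is True and "mfa" in claims.get("amr", [])


# Constructed sample tokens: one strong login, one password-only login.
_COMMON = {"iss": ISSUER, "aud": CLIENT_ID, "nonce": NONCE,
           "iat": 1_700_000_000, "exp": 4_102_444_800}
GOOD_TOKEN = mint_id_token({**_COMMON, "sub": "alice", "email": "alice@example.org",
                            "email_verified": True, "amr": ["pwd", "otp", "mfa"]})
WEAK_TOKEN = mint_id_token({**_COMMON, "sub": "bob", "email": "bob@example.org",
                            "email_verified": False, "amr": ["pwd"]})

if __name__ == "__main__":
    for name, tok in (("alice", GOOD_TOKEN), ("bob", WEAK_TOKEN)):
        c = verify_id_token(tok, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, now=1_700_000_000)
        print(name, "allowed" if meets_access_policy(c) else "denied")
```

The point of splitting `verify_id_token` from `meets_access_policy` is that the first establishes the token is genuine and meant for this client, and only then does the application decide what the asserted facts (verified e-mail, MFA) are worth locally; the same structure carries over when the assertions come from an institutional or national provider rather than a local OP.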