FHIR Specification Feedback: FHIR-24714

This is a security risk as described in the last ballot. - DTR #60


Details

    • Type: Change Request
    • Resolution: Persuasive
    • Priority: Medium
    • US Da Vinci DTR (FHIR)
    • Clinical Decision Support
    • (NA)

      Will replace existing wording noted in description with the following:

      "The DTR App requests an OAuth token using SMART backend services and then uses that second access token to authenticate against the payer FHIR server."

    • Bob Dieterle / Ben Hamlin : 12-0-2
    • Correction
    • Non-compatible
    • Yes

    Description

      Existing Wording: A payer may secure endpoints from which the DTR application will retrieve additional artifacts to support execution. If the payer does require authentication, then the Payer IT system SHALL provide the authentication information through the appContext property of the Link object. The appContext property SHALL contain escaped JSON. The structure of this JSON is described in Section 4.4.1.1 - Authentication of SMART on FHIR application to payer API.

      New wording:

      The DTR App requests an OAuth token using SMART backend services and then uses that second access token to authenticate against the payer FHIR server.

      Comment:

      This is technically incorrect. I raised this issue during your first ballot. It appears you fixed some of the IG as a result of that, but not all. The payer providing authentication info in appContext is not secure and should not be done. Please fix this.

      Summary:

      This is a security risk as described in the last ballot.

          People

            michael_donnelly Michael Donnelly
            Isaac.Vetter Isaac Vetter