  1. FHIR Specification Feedback
  2. FHIR-25848

The hub is required to be part of all authorization schemes for all applications connected to the hub.


    Details

    • Type: Question
    • Status: Resolved - No Change
    • Priority: Highest
    • Resolution: Considered - Question answered
    • Specification:
      FHIRCast (FHIR)
    • Raised in Version:
      0.1
    • Work Group:
      Imaging Integration
    • Related Page(s):
      (NA)
    • Related Section(s):
      Event Notification
    • Grouping:
    • Resolution Description:
      Update spec, change this:

      >The Hub SHALL only return FHIR resources that are authorized to be accessed with the existing OAuth 2.0 access_token.

      to: 

      >The Hub SHALL only return FHIR resources that the subscriber is authorized to receive with the existing OAuth 2.0 access_token's granted fhircast/ scopes. 


      Description

      This requires the hub to be part of all authorization schemes for all applications connected to the hub. I do not think this is achievable unless we mandate that the authentication token shall always include the Smart scopes as well. The core question is whether the hub is a dumb bus or has intelligence… let's discuss this in more detail. Also, some of the scopes in smartOnFhir (patient/…) are linked to the context in which the request was made. How to enforce this without the hub maintaining state?

      Existing Wording:

      The Hub SHALL only return FHIR resources that are authorized to be accessed with the existing OAuth 2.0 access_token.

              People

              Assignee:
              Unassigned
              Reporter:
              bvdh Bas van den Heuvel
              Request in-person:
              Bas van den Heuvel
              Watchers:
              3
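The reworded requirement ties what the Hub returns to the token's granted fhircast/ scopes, so the Hub never has to evaluate SMART resource scopes such as patient/…. A sketch of that check follows as an added example, not code from the FHIRcast specification or from this issue; the `fhircast/<event-name>.read|write` scope form, the case-insensitive event matching, the function names and the sample values are assumptions.

```python
# Added example: hub-side authorization keyed only on granted fhircast/ scopes.
# Assumption: scopes arrive as the space-delimited OAuth 2.0 "scope" string and
# use the form fhircast/<event-name>.read|write.

PREFIX = "fhircast/"

# Constructed sample scope string (not taken from the issue).
SAMPLE_SCOPE = ("openid patient/Observation.read fhircast/patient-open.read "
                "fhircast/patient-close.read fhircast/imagingstudy-open.write")


def granted_events(scope_string, access="read"):
    """Return the event names the token grants for the given access type."""
    events = set()
    for scope in scope_string.split():
        if not scope.startswith(PREFIX):
            continue  # SMART scopes (patient/..., user/...) are ignored by the hub
        name, sep, perm = scope[len(PREFIX):].rpartition(".")
        if sep and name and perm == access:
            events.add(name.lower())
    return events


def accept_subscription(requested_events, scope_string):
    """At subscribe time, split requested events into (accepted, denied)."""
    allowed = granted_events(scope_string, "read")
    accepted = [e for e in requested_events if e.lower() in allowed]
    denied = [e for e in requested_events if e.lower() not in allowed]
    return accepted, denied


def may_deliver(notification, subscription):
    """Per notification, consult only the event set fixed at subscribe time."""
    event = notification["event"]
    return (event["hub.topic"] == subscription["topic"]
            and event["hub.event"].lower() in subscription["events"])


if __name__ == "__main__":
    ok, denied = accept_subscription(["patient-open", "imagingstudy-open"], SAMPLE_SCOPE)
    sub = {"topic": "session-1", "events": set(ok)}  # constructed subscription record
    note = {"event": {"hub.topic": "session-1", "hub.event": "patient-open", "context": []}}
    print(ok, denied, may_deliver(note, sub))
```

The only state consulted at delivery time is the subscription record the Hub already keeps (topic and accepted events); no SMART scope or launch context is evaluated.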