Loading...

XML

Word

Printable

JSON

Details

Type: Change Request
Resolution: Persuasive with Modification
Priority: Highest

Specification:

SMART on FHIR (FHIR)
Raised in Version:

2.0.0
Work Group:

FHIR Infrastructure
Related Page(s):

App Launch: Scopes and Launch Context
Related Section(s):
2.4
Grouping:
- Discuss
Resolution Description:

Hide

We can clarify that the fhirUser value inside an id_token may be an absolute URL or a relative URL (relative to the FHIR Server base – note that the FHIR Server base is not necessarily the same as the "iss" of the id_token, and note that use of relative URLs requires the authorization server to know/remember the FHIR server that this app launch is using).

—

Update: "the app should treat the fhirUser claim as the URL of a FHIR resource representing the current user."

To say: "the app should treat the fhirUser claim as the URL of a FHIR resource representing the current user. This URL MAY be absolute (e.g., `https://ehr.example.org/Practitioner/123`, or MAY be relative to the FHIR server base URL associated with the current authorization request (e.g., `Practitioner/123`). Note that this FHIR server base URL is the same as the URL represented in the 'aud' parameter passed in to the authorization request)."

Show
We can clarify that the fhirUser value inside an id_token may be an absolute URL or a relative URL (relative to the FHIR Server base – note that the FHIR Server base is not necessarily the same as the "iss" of the id_token, and note that use of relative URLs requires the authorization server to know/remember the FHIR server that this app launch is using). — Update : "the app should treat the fhirUser claim as the URL of a FHIR resource representing the current user." To say : "the app should treat the fhirUser claim as the URL of a FHIR resource representing the current user. This URL MAY be absolute (e.g., ` https://ehr.example.org/Practitioner/123 `, or MAY be relative to the FHIR server base URL associated with the current authorization request (e.g., `Practitioner/123`). Note that this FHIR server base URL is the same as the URL represented in the 'aud' parameter passed in to the authorization request)."
Resolution Vote:
Bas van den Heuvel / Alexander Zautke: 11-0-0
Change Category:
Clarification
Change Impact:
Non-substantive

Description

This token must be validated according to the OIDC specification. To learn more about the user, the app should treat the fhirUser claim as the URL of a FHIR resource representing the current user. This will be a resource of type Patient, Practitioner, RelatedPerson, or Person. Note that Person is only used if the other resource type do not apply to the current user, for example, the "authorized representative" for >1 patients.

Why only a URL and disallow logical references?

Attachments

Issue Links

is voted on by

BALLOT-17353 Affirmative - Bas van den Heuvel : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17692 Affirmative - Ana Kostadinovska : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17754 Affirmative - Ricardo Quintano : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17798 Affirmative - Timon Grob : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17838 Affirmative - Chris Melo : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17897 Affirmative - Javier Espina : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

(1 is voted on by)

Activity

People

Assignee:: Carl Anderson (Inactive)

Reporter:: Bas van den Heuvel

Request in-person:: Bas van den Heuvel

Watchers:: 3 Start watching this issue

Dates

Created:: 2021-05-12 09:49

Updated:: 2021-11-29 01:38

Resolved:: 2021-07-01 06:16

Vote Date:: 2021-07-19