Details
- Change Request
- Resolution: Persuasive
- Medium
- SMART on FHIR (FHIR)
- 2.0.0
- FHIR Infrastructure
- STU
- Best Practices
- Gino Canessa/Yunwei Wang: 13-0-0
- Clarification
- Non-substantive
Description
The non-normative page on best practices should include the following:
App and Server developers should consider trade-offs associated with confidential vs public app architectures:
- Persistent access is important for providing a seamless consumer experience, and Refresh Tokens are the mechanism SMART App Launch defines for enabling persistent access. If an app is ineligible for refresh tokens, the developer is likely to seek other means of achieving this (e.g., saving a user's password and simulating login; or moving to a cloud-based architecture even though there's no use case for managing data off-device).
- Client architectures where data pass through or are stored in a secure backend server (e.g., many confidential clients) can offer more secure {refresh token :: client} binding, but are open to certain attacks that purely-on-device apps are not subject to (e.g., cloud server becomes compromised and tokens/secrets leak). A breach in this context can be widespread, across many users.
- Client architectures where data are managed exclusively on end-user devices (e.g., many public clients including most native apps today, where an app is only registered once with a given EHR) are open to certain attacks that confidential clients can avoid (e.g., a malicious app on your device might steal tokens from a valid app, or might impersonate a valid app). A breach in this context is more likely to be isolated to a given user or device.
--> The choice of app architecture should be based on context. Apps that already need to manage data in the cloud should consider a confidential client architecture; apps that don't should consider a purely-on-device architecture. But this decision only works if refresh tokens are available in either case; otherwise, app developers will switch architectures just to be able to maintain persistent access, even if the overall secu
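The {refresh token :: client} binding difference described above is easiest to see at the token endpoint. The following is an added illustration written for this page, not code from the HL7 tracker, the SMART App Launch IG or any EHR vendor: a toy server handling `grant_type=refresh_token` for a confidential client (which must present a client secret before the token is honoured) and for a public client (which can only name its public `client_id`, so a malicious app on the same device can impersonate it). Assumptions of my own, not the page's: refresh tokens are opaque random strings stored server side, they are rotated on every use, and replay of a rotated-out token revokes the whole grant; that rotation-plus-reuse-detection mitigation comes from the OAuth 2.0 Security BCP (RFC 9700), not from the SMART specification, and is what a public client has to fall back on in place of client authentication.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Client:
    client_id: str
    confidential: bool
    secret: Optional[str] = None  # only a confidential client can keep one


@dataclass
class RefreshGrant:
    client_id: str  # client the token was issued to
    user: str
    scope: str
    revoked: bool = False


class TokenEndpoint:
    """Minimal token endpoint handling grant_type=refresh_token (illustration only)."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.refresh_tokens: Dict[str, RefreshGrant] = {}

    def register(self, client: Client) -> None:
        if client.confidential and client.secret is None:
            raise ValueError("confidential client needs a secret")
        self.clients[client.client_id] = client

    def issue_refresh_token(self, client_id: str, user: str, scope: str) -> str:
        token = secrets.token_urlsafe(32)  # opaque; the binding lives server side
        self.refresh_tokens[token] = RefreshGrant(client_id, user, scope)
        return token

    def _revoke_all(self, user: str, client_id: str) -> None:
        for g in self.refresh_tokens.values():
            if g.user == user and g.client_id == client_id:
                g.revoked = True

    def refresh(self, client_id: str, refresh_token: str,
                client_secret: Optional[str] = None) -> dict:
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        # Confidential client: the token is bound to an identity the caller must
        # prove, so a leaked refresh token alone buys an attacker nothing.
        if client.confidential and (client_secret is None or
                                    not hmac.compare_digest(client.secret, client_secret)):
            return {"error": "invalid_client"}
        # Public client: nothing to authenticate with. The only binding is the
        # public client_id, which another app on the same device can claim.
        grant = self.refresh_tokens.get(refresh_token)
        if grant is None:
            return {"error": "invalid_grant"}
        if grant.revoked:
            # A rotated-out token came back: it was copied (or the app lost a
            # race). Cut off every token for this user/client so both the thief
            # and the real app lose access and the user must re-authorize.
            self._revoke_all(grant.user, grant.client_id)
            return {"error": "invalid_grant", "reason": "refresh_token_reuse"}
        if grant.client_id != client_id:
            self._revoke_all(grant.user, grant.client_id)
            return {"error": "invalid_grant", "reason": "client_mismatch"}
        # Rotate: the presented token is now single-use; issue a fresh one.
        grant.revoked = True
        return {
            "access_token": secrets.token_urlsafe(24),
            "token_type": "bearer",
            "expires_in": 300,
            "scope": grant.scope,
            "refresh_token": self.issue_refresh_token(client_id, grant.user, grant.scope),
        }


def simulate_on_device_theft() -> dict:
    """The public-client breach from the issue: a malicious app on the same
    device copies a valid app's refresh token and presents its client_id.
    Constructed scenario; client ids, user and scope are made-up sample values."""
    ep = TokenEndpoint()
    ep.register(Client("mobile-app", confidential=False))
    stolen = ep.issue_refresh_token("mobile-app", "bob", "patient/*.rs offline_access")
    thief = ep.refresh("mobile-app", stolen)   # impersonation cannot be told apart
    victim = ep.refresh("mobile-app", stolen)  # real app replays the rotated token
    thief_again = ep.refresh("mobile-app", thief.get("refresh_token", ""))
    return {
        "thief_got_access": "access_token" in thief,   # True: breach is real
        "victim_result": victim.get("reason"),         # reuse detected here
        "thief_cut_off": thief_again.get("error"),     # and the thief loses access
    }
```

Note what the simulation shows about the trade-off in the issue text: for the public client the impersonation succeeds on the first refresh, and the server only learns of it when the legitimate app's next refresh collides with the rotated token, so the blast radius is one user on one device. For the confidential client the same stolen token is rejected outright without the secret, but a compromise of the backend holding that secret exposes every user's grants at once.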
Attachments
Issue Links
- is cloned by
  - FHIR-33952 CLONE - Add Background: Trade-offs in App Architecture (Triaged)
- is voted on by
  - BALLOT-17407 Negative - Christopher Schaut : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Withdrawn)
  - BALLOT-17408 Negative - Brett Marquard : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Withdrawn)
  - BALLOT-17879 Negative - Michael Clifton : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Withdrawn)
  - BALLOT-17401 Negative - Jenni Syed : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Closed)
  - BALLOT-17423 Negative - Hans Buitendijk : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Closed)
  - BALLOT-17734 Negative - Vassil Peytchev : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Closed)
  - BALLOT-17789 Negative - Doug Pratt : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Closed)
  - BALLOT-17832 Negative - Chris Courville : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Closed)
  - BALLOT-17874 Negative - David Sundaram-Stukel : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Closed)
  - BALLOT-17891 Negative - Amit Popat : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Closed)
  - BALLOT-17395 Negative - Josh Mandel : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU (Retracted)