Loading...

XML

Word

Printable

JSON

Details

Type: Change Request
Resolution: Persuasive
Priority: Medium

Specification:

SMART on FHIR (FHIR)
Raised in Version:

2.0.0
Work Group:

FHIR Infrastructure
Outstanding Negatives:
STU
Related Page(s):

Best Practices
Grouping:
- block-vote-0
Resolution Description:
Hide

Add the following to the Best Practices page:

—

Best practices for server developers include:

Remind users which apps have offline access (keeping in mind that too many reminders lead to alert fatigue)

Mitigate threats of compromised refreshed tokens.

Expire an app's authorization if a refresh token is used more than once (see OAuth 2.1 section 6.1)

Consider offering clients a way to bind refresh tokens to asymmetric secrets managed in hardware

E.g., per-device dynamic client registration (see ongoing work on UDAP specifications)

E.g., techniques like the draft DPOP specification
Show
Add the following to the Best Practices page: — Best practices for server developers include: Remind users which apps have offline access (keeping in mind that too many reminders lead to alert fatigue) Mitigate threats of compromised refreshed tokens. Expire an app's authorization if a refresh token is used more than once (see OAuth 2.1 section 6.1 ) Consider offering clients a way to bind refresh tokens to asymmetric secrets managed in hardware E.g., per-device dynamic client registration (see ongoing work on UDAP specifications ) E.g., techniques like the draft DPOP specification
Resolution Vote:
Gino Canessa/Yunwei Wang: 13-0-0
Change Category:
Enhancement
Change Impact:
Non-substantive

Description

The non-normative best practices page should include the following

—

Best practices for server developers include:

Remind users which apps have offline access (keeping in mind that too many reminders lead to alert fatigue)
Mitigate threats of compromised refreshed tokens.

Expire an app's authorization if a refresh token is used more than once (see OAuth 2.1 section 6.1)

Consider offering clients a way to bind refresh tokens to asymmetric secrets managed in hardware

E.g., per-device dynamic client registration (see ongoing work on UDAP specifications)

E.g., techniques like the draft DPOP specification

Attachments

Issue Links

is voted on by

BALLOT-17396 Negative - Josh Mandel : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Withdrawn

BALLOT-17406 Negative - Christopher Schaut : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Withdrawn

BALLOT-17409 Negative - Brett Marquard : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Withdrawn

BALLOT-17880 Negative - Michael Clifton : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Withdrawn

BALLOT-17400 Negative - Jenni Syed : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17424 Negative - Hans Buitendijk : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17735 Negative - Vassil Peytchev : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17790 Negative - Doug Pratt : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17833 Negative - Chris Courville : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17875 Negative - David Sundaram-Stukel : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

BALLOT-17892 Negative - Amit Popat : 2021-May-HL7 FHIR IG SMART APP LAUNCH R2 STU

Closed

(6 is voted on by)

Activity

People

Assignee:: Carl Anderson (Inactive)

Reporter:: Josh Mandel

Watchers:: 3 Start watching this issue

Dates

Created:: 2021-05-13 08:36

Updated:: 2021-11-29 01:38

Resolved:: 2021-06-29 07:14

Vote Date:: 2021-07-19