FHIR Specification Feedback

FHIR-32324: Add best practices for server developers

    Details

    • Type: Change Request
    • Status: Applied
    • Priority: Medium
    • Resolution: Persuasive
    • Specification:
      SMART on FHIR (FHIR)
    • Raised in Version:
      2.0.0
    • Work Group:
      FHIR Infrastructure
    • Outstanding Negatives:
      STU
    • Related Page(s):
      Best Practices
    • Resolution Description:

      Add the following to the Best Practices page:

      Best practices for server developers include:

      • Remind users which apps have offline access (keeping in mind that too many reminders lead to alert fatigue)
      • Mitigate threats of compromised refresh tokens:
        • Expire an app's authorization if a refresh token is used more than once (see OAuth 2.1 section 6.1)
        • Consider offering clients a way to bind refresh tokens to asymmetric secrets managed in hardware
          • E.g., per-device dynamic client registration (see ongoing work on UDAP specifications)
          • E.g., techniques like the draft DPoP specification
    • Resolution Vote:
      Gino Canessa/Yunwei Wang: 13-0-0
    • Change Category:
      Enhancement
    • Change Impact:
      Non-substantive

      Description

      The non-normative best practices page should include the following:

      Best practices for server developers include:

      • Remind users which apps have offline access (keeping in mind that too many reminders lead to alert fatigue)
      • Mitigate threats of compromised refresh tokens:
        • Expire an app's authorization if a refresh token is used more than once (see OAuth 2.1 section 6.1)
        • Consider offering clients a way to bind refresh tokens to asymmetric secrets managed in hardware
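      The two refresh-token points in the lists above (in both the resolution description and this description) can be made concrete with a small server-side token store. The example below is an added illustration, not code from the SMART on FHIR specification or from any HL7 project; the class and method names (`RefreshTokenStore`, `refresh`, `offline_apps`) are assumptions. It implements the OAuth 2.1 section 6.1 pattern: every refresh exchange rotates the token, and presenting an already-rotated token expires the app's whole authorization, because the server cannot know whether the legitimate app or an attacker holds the stale copy. It also exposes the list of apps that still hold offline access for a user, which is what a "remind users" UI would read from.

```python
"""Refresh-token rotation with reuse detection (OAuth 2.1 section 6.1 style).
Added illustration for the SMART on FHIR best-practices discussion; not code
from the specification or any HL7 project. All names below are assumed."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


def _digest(token: str) -> str:
    # Only a SHA-256 digest of each refresh token is persisted, so a leaked
    # token table does not yield usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Grant:
    """One user's authorization of one app: the family of rotated refresh tokens."""
    grant_id: str
    client_id: str
    user_id: str
    revoked: bool = False
    # token digest -> True once that token has been exchanged (rotated out)
    used: dict[str, bool] = field(default_factory=dict)


class RefreshTokenStore:
    """Server-side store; in a real server this would be a database table."""

    def __init__(self) -> None:
        self.grants: dict[str, Grant] = {}
        self.by_digest: dict[str, str] = {}  # token digest -> grant_id

    def issue_grant(self, client_id: str, user_id: str) -> tuple[Grant, str]:
        """Called after a successful authorization that included offline access."""
        grant = Grant(secrets.token_urlsafe(16), client_id, user_id)
        self.grants[grant.grant_id] = grant
        return grant, self._mint(grant)

    def _mint(self, grant: Grant) -> str:
        token = secrets.token_urlsafe(32)
        digest = _digest(token)
        grant.used[digest] = False
        self.by_digest[digest] = grant.grant_id
        return token

    def refresh(self, presented: str, client_id: str) -> tuple[str | None, str | None]:
        """Exchange a refresh token. Returns (new_refresh_token, error)."""
        digest = _digest(presented)
        grant_id = self.by_digest.get(digest)
        if grant_id is None:
            return None, "invalid_grant"
        grant = self.grants[grant_id]
        if grant.revoked or grant.client_id != client_id:
            # Refresh tokens are bound to the client they were issued to; a
            # revoked grant or a mismatched client is rejected with no side effects.
            return None, "invalid_grant"
        if grant.used[digest]:
            # Reuse detected: this token was already rotated out. Expire the
            # app's entire authorization, including the newest unused token.
            grant.revoked = True
            return None, "invalid_grant: refresh token reuse detected, grant revoked"
        grant.used[digest] = True
        return self._mint(grant), None

    def offline_apps(self, user_id: str) -> list[str]:
        """Apps that still hold offline access for a user; input for a reminder UI."""
        return sorted(
            g.client_id for g in self.grants.values()
            if g.user_id == user_id and not g.revoked
        )


if __name__ == "__main__":
    # Constructed walk-through: normal rotation, then a replay of the old token.
    store = RefreshTokenStore()
    _, rt1 = store.issue_grant("growth-chart-app", "patient-42")
    rt2, _ = store.refresh(rt1, "growth-chart-app")   # normal rotation
    print(store.refresh(rt1, "growth-chart-app"))      # replay: grant revoked
    print(store.refresh(rt2, "growth-chart-app"))      # newest token is dead too
    print(store.offline_apps("patient-42"))            # []
```

      The design choice worth noting is that reuse revokes the grant rather than just the presented token: after a replay the still-unused newest token is also refused, which is the "expire an app's authorization" behaviour the bullet asks for. A server that also wanted the key-binding bullet would additionally check a client-held asymmetric key (for example a DPoP proof) before reaching this store; that check is out of scope here.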

      People

      Assignee: Carl Anderson (carl-anderson-msft)
      Reporter: Josh Mandel (jmandel)