FHIR Specification Feedback: FHIR-32325

Add best practices for app developers


    Details

    • Type: Change Request
    • Status: Applied
    • Priority: Medium
    • Resolution: Persuasive
    • Specification:
      SMART on FHIR (FHIR)
    • Raised in Version:
      2.0.0
    • Work Group:
      FHIR Infrastructure
    • Outstanding Negatives:
      STU
    • Related Page(s):
      Best Practices
    • Grouping:
    • Resolution Description:

      Add the following to the Best Practices Page:


      Best practices for app developers include:

      • Ensure that refresh tokens are never used more than once
      • Take advantage of techniques to bind refresh tokens to asymmetric secrets managed in hardware, when available (see above)
      • If an app only needs to connect to an EHR when the user is present, maintain secrets with best-available protection (e.g., biometric unlock)

      Publicly document any code of conduct that an app adheres to (e.g., CARIN Alliance code of conduct)

    • Resolution Vote:
      Gino Canessa/Yunwei Wang: 13-0-0
    • Change Category:
      Enhancement
    • Change Impact:
      Non-substantive

      Description

      The non-normative best practices page should include the following.

      Best practices for app developers include:

      • Ensure that refresh tokens are never used more than once
      • Take advantage of techniques to bind refresh tokens to asymmetric secrets managed in hardware, when available (see above)
      • If an app only needs to connect to an EHR when the user is present, maintain secrets with best-available protection (e.g., biometric unlock)

      Publicly document any code of conduct that an app adheres to (e.g., CARIN Alliance code of conduct)
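      As an added illustration of the first bullet (not part of this ticket or of the SMART on FHIR specification), the following shows an app that hands each refresh token to the token endpoint exactly once, beside a constructed stand-in for a server that rotates refresh tokens and revokes the whole grant when a spent token is replayed. FakeSmartTokenEndpoint, its grant ids and the "rt-initial" token value are constructed for the example; only the shape of the token response follows OAuth 2.0.

```python
import secrets
import threading


class FakeSmartTokenEndpoint:
    """Constructed stand-in for a SMART token endpoint (not a real server).
    Each refresh rotates the refresh token; a replayed, already-spent token is
    treated as evidence of theft and revokes every token of its grant."""

    def __init__(self, initial_refresh_token: str, grant_id: str = "grant-1") -> None:
        self.active = {initial_refresh_token: grant_id}  # unspent token -> grant
        self.spent: dict[str, str] = {}                  # spent token -> grant
        self.revoked: set[str] = set()

    def refresh(self, refresh_token: str) -> dict:
        if refresh_token in self.spent:  # replay detected: kill the whole grant
            grant = self.spent[refresh_token]
            self.revoked.add(grant)
            self.active = {t: g for t, g in self.active.items() if g != grant}
            return {"error": "invalid_grant"}
        grant = self.active.pop(refresh_token, None)
        if grant is None or grant in self.revoked:
            return {"error": "invalid_grant"}
        self.spent[refresh_token] = grant  # remember it so a later replay is caught
        new_refresh = secrets.token_urlsafe(32)
        self.active[new_refresh] = grant
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": new_refresh}


class SingleUseRefreshClient:
    """App-side token handling: a refresh token leaves this object exactly once."""

    def __init__(self, endpoint: FakeSmartTokenEndpoint, refresh_token: str) -> None:
        self._endpoint = endpoint
        self._refresh = refresh_token
        self._lock = threading.Lock()  # concurrent refreshes must not share a token

    def refresh_access_token(self) -> str:
        with self._lock:
            if self._refresh is None:
                raise PermissionError("no unspent refresh token; user must re-authorize")
            # Forget the token before sending it: a retry after a crash or timeout
            # can then never replay it, and only the server's reply installs a new one.
            token, self._refresh = self._refresh, None
            resp = self._endpoint.refresh(token)
            if "error" in resp:
                raise PermissionError(f"refresh rejected: {resp['error']}")
            self._refresh = resp["refresh_token"]
            return resp["access_token"]
```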

              People

              Assignee:
              carl-anderson-msft Carl Anderson
              Reporter:
              jmandel Josh Mandel
              Watchers:
              3