  1. FHIR Specification Feedback
  2. FHIR-32358

Clarification on Openid and fhirUser scope paired together


Details

    • Change Request
    • Resolution: Persuasive
    • Low
    • SMART on FHIR (FHIR)
    • current
    • FHIR Infrastructure
    • App Launch: Scopes and Launch Context
    • 2.0.4

      The "openid" scope can be requested without a "fhirUser" scope; but "fhirUser" depends on "openid". To clarify expectations for these scopes, we should do three things:

       

      1. Update the sentence: "Some apps need to authenticate the clinical end-user. This can be accomplished by requesting a pair of OpenID Connect scopes: openid and fhirUser."

      To read: "Some apps need to authenticate the end-user. This can be accomplished by requesting the scope openid. When the openid scope is requested, apps can also request the fhirUser scope to obtain a FHIR resource representation of the current user."

       

      2. Update Quickstart table to replace 

      openid fhirUser (or openid profile)

      With

      openid fhirUser

       

       ---

      3. Finalizing deprecation of "profile" scope in SMARTv2, delete the following sentences:

      • "A client may also request openid profile instead of openid fhirUser, but the profile claim is being deprecated in favor of fhirUser." 
      • "Some EHRs may use the profile claim as an alias for fhirUser, and to preserve compatibility, these EHRs should continue to support this claim during a deprecation phase."
         
    • Gino Canessa/Yunwei Wang: 13-0-0
    • Clarification
    • Compatible, substantive

    Description

      Do the openid and fhirUser scopes always have to be presented as a pair? Or can we clarify in the spec that openid and fhirUser can be used independently, as below:

      • openid (required; to indicate that the application intends to use OIDC to verify the user's identity)
      • fhirUser (required; to get more information about the user launching the app)

          People

            carl-anderson-msft Carl Anderson (Inactive)
            yashaskram Rajarajan Muthukkannan (Inactive)