Details
-
Change Request
-
Resolution: Persuasive with Modification
-
Highest
-
US UDAP Security (FHIR)
-
current
-
Security
-
STU
-
UDAP Server CapabilityStatement [deprecated]
-
Artifacts Summary
-
8.1.9
-
-
Luis Maas / David Pyke: 11-0-0
-
Enhancement
-
Compatible, substantive
Description
As far as I can tell, the only normative requirement relating to the Capability Statement is for the UDAP code in rest.security.service. But the example Capability Statement shows values for multiple fields, most notably the rest.security.extension extensions for OAuth server URLs. The example shows a server that adheres to both SMART and UDAP with the same URLs.
Is it the intent to say that UDAP capabilities may be advertised using the soon-to-be deprecated SMART Capability Statement fields? If so, this needs to be made explicit.
Further, when using the alternative mechanism of the .well-known URL, the IG intentionally keeps the UDAP definition separate from the SMART definition. This allows the endpoints to differ or not. Should the same separation be required when advertising UDAP and SMART endpoints in the Capability Statement?
Attachments
Issue Links
- is voted on by
-
BALLOT-21197 Negative - John Moehrke : 2021-Sep-FHIR IG UDAP SEC R1 STU
- Withdrawn
-
BALLOT-21138 Negative - Joseph M. Lamy : 2021-Sep-FHIR IG UDAP SEC R1 STU
- Balloted