Details
Change Request
Resolution: Not Persuasive
Medium
US Da Vinci HRex (FHIR)
current
Clinical Interoperability Council
(NA)
Authorization with Consent, section 8.5
Lloyd McKenzie/David Pyke: 10-0-0
Description
Per the UDAP B2B spec, the consent_reference must be resolvable by the receiving party, but the spec does not describe authorization requirements. Is there an expectation that the token-issuing party authenticate with the Consent resource owner in order to retrieve that information, and if so, is there guidance on how that should be done?
Per discussion here: https://chat.fhir.org/#narrow/stream/235286-Da-Vinci.20PDex/topic/Resolving.20UDAP.20consent_references, this endpoint could be protected by mTLS.