Details
Change Request
Resolution: Not Persuasive
Medium
US Da Vinci HRex (FHIR)
current
Clinical Interoperability Council
(NA)
Authorization with Consent, section 8.6
Lloyd McKenzie/David Pyke: 10-0-0
Description
Section 8.4 specifies "client_credentials" should be used for Authorization, and section 8.6 requires the use of refresh tokens. However, in the OAuth2 specification describing the response to a client_credentials request:
https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3
A refresh token SHOULD NOT be included.
Presumably since the client doesn't need to ask the member to sign in, they could just as easily initiate another token request directly.
Is it the intention of HRex to supersede the OAuth2 specification?
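The behaviour the reporter describes, as an added example that is not part of the HRex specification or of this issue: a client_credentials client that caches its access token and simply requests a new one on expiry, never depending on a refresh token that RFC 6749 section 4.4.3 says the server SHOULD NOT issue. The token endpoint, client id and secret are constructed stand-ins so the example runs offline.

```python
"""Added example (not from the HRex spec or the issue): a client_credentials
client that never depends on a refresh token, since RFC 6749 section 4.4.3 says
the server SHOULD NOT issue one for this grant. The token endpoint is a
constructed in-memory stub so the example runs offline."""
import time

CLOCK_SKEW = 30  # seconds of margin before nominal expiry


class StubTokenEndpoint:
    """Constructed stand-in for an authorization server's /token endpoint."""

    def __init__(self):
        self.issued = 0

    def token(self, params):
        # Per RFC 6749 4.4.3: access token, type, lifetime; no refresh_token.
        if params.get("grant_type") == "client_credentials":
            self.issued += 1
            return {"access_token": f"at-{self.issued}",
                    "token_type": "Bearer", "expires_in": 300}
        # A client_credentials client has nothing to refresh with.
        return {"error": "unsupported_grant_type"}


class ClientCredentialsClient:
    """Caches the access token and re-requests it directly when it expires,
    which the grant type allows because no user needs to sign in."""

    def __init__(self, endpoint, client_id, client_secret, clock=time.time):
        self.endpoint, self.clock = endpoint, clock
        self.credentials = {"client_id": client_id, "client_secret": client_secret}
        self.access_token, self.expires_at = None, 0.0

    def _request_token(self):
        resp = self.endpoint.token({"grant_type": "client_credentials",
                                    **self.credentials})
        if "error" in resp:
            raise RuntimeError(f"token request failed: {resp['error']}")
        self.access_token = resp["access_token"]
        # Treat a missing expires_in as "expires now" so we always re-request.
        self.expires_at = self.clock() + resp.get("expires_in", 0)
        # A refresh_token, if the server sends one anyway, is simply ignored.

    def get_access_token(self):
        """Return a valid bearer token, fetching a new one when needed."""
        if self.access_token is None or self.clock() >= self.expires_at - CLOCK_SKEW:
            self._request_token()
        return self.access_token
```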