FHIR-34349 (FHIR Specification Feedback)

Refresh Tokens in Client Credentials Conflicts with OAuth2 Standard

Details

    • Type: Change Request
    • Resolution: Not Persuasive
    • Priority: Medium
    • Specification: US Da Vinci HRex (FHIR)
    • Raised in version: current
    • Work Group: Clinical Interoperability Council
    • Related Artifact(s): (NA)
    • Related Section(s): Authorization with Consent, section 8.6
    • Resolution Description: Per FHIR-34523, we're removing UDAP as a mechanism for handling consent, so all of the UDAP guidance is being removed. As a result, there's no longer a conflict.
    • Resolution vote: Lloyd McKenzie/David Pyke: 10-0-0

    Description

      Section 8.4 specifies "client_credentials" should be used for Authorization, and section 8.6 requires the use of refresh tokens. However, in the OAuth2 specification describing the response to a client_credentials response:

      https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3

      A refresh token SHOULD NOT be included.

      Presumably since the client doesn't need to ask the member to sign in, they could just as easily initiate another token request directly.

      Is it the intention of HRex to supersede the OAuth2 specification?
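The RFC 6749 §4.4.3 behaviour the report cites, shown end to end as an added example written for this page (it is not code from HRex, UDAP, or any FHIR reference implementation): a minimal token endpoint that serves the client_credentials grant without ever issuing a refresh token, a resource-server check for the resulting bearer token, and a client that simply re-authenticates with its own credentials when the access token is about to expire, which is the "initiate another token request directly" path the reporter describes. The client id, secret, token lifetime and timestamps are constructed values, and the request is passed as a dict instead of going over HTTP so the whole thing runs offline.

```python
"""RFC 6749 client_credentials: token endpoint, bearer check and self-renewing client.

Constructed example. The client id, secret and lifetime below are made-up values,
not anything defined by HRex, UDAP or a real authorization server.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical registered confidential clients: client_id -> client_secret
CLIENTS = {"payer-app": "example-secret-not-real"}
ACCESS_TOKEN_TTL = 300  # seconds; kept short because no refresh token exists

# Server-side record of issued access tokens: token -> (client_id, expires_at)
_issued: Dict[str, Tuple[str, float]] = {}


def token_endpoint(form: dict, now: Optional[float] = None) -> Tuple[int, dict]:
    """Handle one token request (form parameters as a dict). Returns (status, body)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        # RFC 6749 §5.2: grants this server does not offer, including
        # refresh_token, are rejected. No refresh token is ever minted here.
        return 400, {"error": "unsupported_grant_type"}
    client_id = form.get("client_id", "")
    secret = form.get("client_secret", "")
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret leaks nothing via timing.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    _issued[token] = (client_id, now + ACCESS_TOKEN_TTL)
    # RFC 6749 §4.4.3: the client_credentials response carries no refresh_token.
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL}


def validate_bearer(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resource-server check: client_id for a live token, None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _issued.get(token)
    if entry is None or now >= entry[1]:
        return None
    return entry[0]


class ClientCredentialsClient:
    """Caches an access token and re-authenticates instead of refreshing."""

    def __init__(self, client_id: str, client_secret: str, skew: float = 30.0):
        self.client_id = client_id
        self.client_secret = client_secret
        self.skew = skew  # renew this many seconds before the token expires
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self.skew:
            status, body = token_endpoint(
                {"grant_type": "client_credentials",
                 "client_id": self.client_id,
                 "client_secret": self.client_secret},
                now=now,
            )
            if status != 200:
                raise RuntimeError(f"token request failed: {body.get('error')}")
            # SHOULD NOT is not MUST NOT: if a server does send a refresh_token,
            # the client has no use for it and must not persist another secret.
            body.pop("refresh_token", None)
            self._token = body["access_token"]
            self._expires_at = now + body["expires_in"]
        return self._token


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed clock value
    client = ClientCredentialsClient("payer-app", "example-secret-not-real")
    first = client.access_token(now=t0)
    print("reused within lifetime:", client.access_token(now=t0 + 60) == first)
    print("accepted by resource server for:", validate_bearer(first, now=t0 + 60))
    print("re-requested near expiry:", client.access_token(now=t0 + 290) != first)
```

The practical point behind the RFC's SHOULD NOT is visible in the client: the only long-lived secret it holds is its own client credential, and the server only has to track short-lived access tokens. A refresh token here would be a second long-lived bearer secret that protects nothing the client secret does not already cover, while giving an attacker who obtains it a credential that outlives the access token.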

      People

        Assignee: Unassigned
        Reporter: Spencer Kathol (Inactive)