Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-34353

Change auth mechanism from JWT token to "SMART backend services: Authorization Guide"

    XMLWordPrintableJSON

Details

    • Icon: Change Request Change Request
    • Resolution: Not Persuasive
    • Icon: Medium Medium
    • CDS Hooks (FHIR)
    • 1.0
    • Clinical Decision Support
    • (NA)
    • Hide

      Not persuasive for a few reasons:

      1. performance
      2. user-level authorization
      3. backward compatibility

       

      1. Smart backend services requires client authentication and uses that as an authorization grant, so there is one step to get an access token and a separate step to use that access token in a request. In CDS, hooks, The client just directly presents an authentication token as part of its API request.
      2. SMART Backend services uses system-level authorization, but CDS Hooks service's should have user-level authorization. An example of why this is important – the user seeing the card could definitely be restricted from seeing some information available over the CDS Client's FHIR server, let's say, VIP patient. Without tying the backend CDS service's authorization to the current user's, or requiring the backend CDS client to re-implement the authorization rules of the CDS Client's authorization server, we're virtually guaranteeing that the backend CDS service will show information to the user that the user isn't supposed to have access to.
      3. We're trying to minimize the number of backward compatibility breaks in this STU2 to only those that are important and necessary. 
      Show
      Not persuasive for a few reasons: performance user-level authorization backward compatibility   Smart backend services requires client authentication and uses that as an authorization grant, so there is one step to get an access token and a separate step to use that access token in a request. In CDS, hooks, The client just directly presents an authentication token as part of its API request. SMART Backend services uses system-level authorization, but CDS Hooks service's should have user-level authorization. An example of why this is important – the user seeing the card could definitely be restricted from seeing some information available over the CDS Client's FHIR server, let's say, VIP patient. Without tying the backend CDS service's authorization to the current user's, or requiring the backend CDS client to re-implement the authorization rules of the CDS Client's authorization server, we're virtually guaranteeing that the backend CDS service will show information to the user that the user isn't supposed to have access to. We're trying to minimize the number of backward compatibility breaks in this STU2 to only those that are important and necessary. 
    • Lloyd McKenzie/Juliet Rubini: 12-0-0

    Description

      Please update CDS hooks specification to point to "SMART backend services: Authorization Guide" https://hl7.org/fhir/uv/bulkdata/authorization/index.html instead of defining its own spec for client authorization?

      Since most of the API servers would already be supporting "SMART backend services: Authorization Guide" for FHIR APIs, having the same mechanism for CDS will help. Otherwise API owners will need to implement and test both these auth mechanisms.

      Attachments

        Activity

          People

            Unassigned Unassigned
            gunjit_chhatwal Gunjit Chhatwal (Inactive)
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: