FHIR Specification Feedback: FHIR-35342

Clarify expectations about scopes


Details

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Medium
    • International Patient Access (FHIR)
    • 0.1.0
    • Patient Care
    • STU
    • Gaining Access to a Patient Record
    • Resolution description:
      1. Update:

      , but note that many servers limit a client to the scopes approved on its registration, and/or ignore the requested scopes at the initiation of the stand-alone launch.

      to read:

      . Servers MAY limit a client’s scopes to those configured at registration time.

      2. Add in the proposed sentence:

      Servers SHOULD allow users to select a subset of the requested scopes at the time of approval.

      3. But also explain to the reader that app developers are expected to accommodate this, something like (and please use editorial discretion to clean up):

      We should also explain to app developers that the app should inspect the returned scopes list and should robustly accommodate it being different from the list of scopes it requested and a subset of those it registered.
    • Isaac Vetter / Rob Hausam: 7-0-0
    • Clarification
    • Non-substantive

    Description

      Would update:

      , but note that many servers limit a client to the scopes approved on its registration, and/or ignore the requested scopes at the initiation of the stand-alone launch.

      to read:

      . Servers MAY limit a client’s scopes to those configured at registration time.

      I’d also like to see a note that aligns with best practices like letting consumers review and apply limits to the scopes granted (as we have in the US certification context, for good reason). For example, add:

      Servers SHOULD allow users to select a subset of the requested scopes at the time of approval.
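An added example (not part of this issue or of the IPA specification) of what item 3 of the resolution and the description above ask app developers to do: read the `scope` field of the OAuth 2.0 token response, rely only on scopes that were both requested and granted, and degrade features when the grant is narrower than the request. The token response, the scope names and the required/requested sets are constructed for illustration.

```python
import json
import re
from dataclasses import dataclass

# SMART scope syntax: <context>/<ResourceType>.<permissions>, e.g. patient/Observation.rs (v2)
# or patient/Observation.read (v1). Non-resource scopes (openid, fhirUser, launch/patient,
# offline_access) carry no resource type and are ignored by the read-access calculation.
_RESOURCE_SCOPE = re.compile(r"^(patient|user|system)/(\*|[A-Z][A-Za-z]+)\.(read|write|\*|[cruds]+)$")

@dataclass(frozen=True)
class ScopeReview:
    granted: frozenset      # exactly what the server says it issued
    effective: frozenset    # granted AND requested: the only scopes the app should rely on
    missing: frozenset      # requested but not granted (user or server narrowed the grant)
    unexpected: frozenset   # granted but never requested; log it, never use it
    can_proceed: bool       # every scope the app cannot function without is in `effective`

def review_token_response(token_json: str, requested: set, required: set) -> ScopeReview:
    body = json.loads(token_json)
    # RFC 6749 section 5.1: `scope` may be omitted only when it equals what was requested;
    # otherwise it is a space-delimited list (section 3.3).
    req = frozenset(requested)
    granted = frozenset(body["scope"].split()) if "scope" in body else req
    effective = granted & req
    return ScopeReview(granted, effective, req - granted, granted - req, frozenset(required) <= effective)

def readable_resource_types(scopes: frozenset) -> set:
    """Resource types the app may read, derived only from the scopes it actually holds."""
    types = set()
    for scope in scopes:
        match = _RESOURCE_SCOPE.match(scope)
        if match is None:
            continue
        perms = match.group(3)
        if perms != "write" and (perms in ("read", "*") or "r" in perms):
            types.add(match.group(2))
    return types

# Constructed sample: the app asked for six scopes; the user declined MedicationRequest access.
REQUESTED_SCOPES = {"openid", "fhirUser", "launch/patient", "patient/Patient.rs",
                    "patient/Observation.rs", "patient/MedicationRequest.rs"}
REQUIRED_SCOPES = {"openid", "fhirUser", "launch/patient", "patient/Patient.rs"}
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "constructed-placeholder", "token_type": "Bearer", "expires_in": 3600,
    "scope": "openid fhirUser launch/patient patient/Patient.rs patient/Observation.rs",
})
```

With the sample response the review reports `patient/MedicationRequest.rs` as missing, the app can still proceed because its required scopes were granted, and only Patient and Observation are readable, so a medication view would be hidden rather than attempted.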

      People: Eric Haas (ehaas), Josh Mandel (jmandel)