Details
- Change Request
- Resolution: Persuasive with Modification
- Medium
- US Da Vinci DTR (FHIR)
- current
- Clinical Decision Support
- Retrieval of Payer Resources [deprecated]
- 4.4.1.1
- Bob Dieterle / Jeff Brown : 12-0-2
- Correction
- Compatible, substantive
Description
At https://hl7.org/fhir/us/davinci-dtr/specification__behaviors__retrieval_of_payer_resources.html#authentication-of-smart-on-fhir-application-to-payer-api in section 4.4.1.1, it says:
- In the case that authentication is required, the following JSON structure SHALL be populated by the payer system.
Two concerns with this:
- It is not clear WHERE the payer shall populate this JSON.
- If the language is intended to mean that the payer shall include this JSON in the appContext, then passing a FHIR Authorization through appContext is, IMO, not appropriate from a security perspective, and I would like to request a security review of this. Especially since, elsewhere in the spec, we say that the CRD Client can ignore the App URL and use the appContext to launch some other App.
Also note that DTR needs to contact the Payer and authenticate even when a CRD interaction did not happen before that. So I would even argue that DTR must not need any information from the CRD AppContext to work.