FHIR Specification Feedback
FHIR-40510

Discuss mechanism for determining trust community for a given resource server


Details

    • Type: Change Request
    • Resolution: Unresolved
    • Priority: Medium

    Description

      Section 2.4 describes how to discover metadata when a given resource server supports multiple trust communities.

      If a client only has a URL to a desired resource, there might be some missing steps before discovery: knowing which trust communities are supported by that resource server; knowing if the server requires the community to be specified or applies a default (and what that default would be); and knowing if there is a preferred trust community.

      Consider the following examples where a client only has a URL to a desired resource:

      • Client supports community X, server supports community Y
        • Server doesn't support community parameter, because "I only support one trust community".
        • Client asks for community X, server ignores (or client doesn't specify community), server returns Y metadata
        • Client signs SW statement JWT with X
        • Server validates the SW statement JWT and rejects
          • This is ok, because this client never could have talked to this server, but not ideal, because it might be hard to tell this apart from other JWT validation errors
      • Client supports community X, server supports communities X, Y, defaults to Y if not supplied
        • Client doesn't specify community, server returns Y metadata
        • Client signs SW statement JWT with X
        • Server validates the SW statement JWT and rejects
          • This is a problem. Client needs to know they could communicate if they ask for X explicitly
      • Client supports communities X, Y, server supports communities X, Y, prefers Y
        • Client asks for community X, server returns X metadata
        • Client signs SW statement JWT with X
        • Server validates the SW statement JWT and accepts
          • Not sure this is a problem, because not sure if "server community preference" is a thing. Should it be?

      It seems we could address this in a few potential ways:

      • Require clients to use community parameter
      • Require servers to support community parameter even if only one community supported and reject unrecognized (with 404?)
      • Figure a way to express a server's default community, perhaps in a directory
      • Figure a way to express a desired trust community directly in a resource or in a Bundle
        • Maybe differentiate between "must use this" and "prefer you use this"
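To make the three scenarios and the first two proposals concrete, the following is an added model (not code from this ticket or from the UDAP IG). It assumes a constructed stand-in for a server's `/.well-known/udap` endpoint, that the server validates the software statement under the community whose metadata it served, and that a server adopting the proposal answers an unrecognized `community` with 404; a client that always sends the parameter and checks what came back can tell "wrong community" apart from a generic JWT validation failure.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ResourceServer:
    """Constructed stand-in for a resource server's /.well-known/udap endpoint."""
    supported: list                 # trust communities the server can serve
    default: Optional[str] = None   # community served when none is requested
    honors_parameter: bool = True   # False: server ignores ?community=... entirely

    def discover(self, community: Optional[str]):
        """GET /.well-known/udap[?community=...] -> (HTTP status, metadata)."""
        if community is None or not self.honors_parameter:
            return 200, {"community": self.default or self.supported[0]}
        if community in self.supported:
            return 200, {"community": community}
        return 404, {}   # ticket proposal: reject an unrecognized community

    def register(self, served: str, signed_with: str) -> bool:
        """Software statement JWT is validated under the community whose metadata was served."""
        return served == signed_with


def naive_flow(client_community: str, server: ResourceServer) -> str:
    """Sequence from the ticket: discover without the parameter, sign with our own community."""
    _, meta = server.discover(None)
    ok = server.register(meta["community"], client_community)
    return "accepted" if ok else "rejected"   # 'rejected' looks like any other JWT error


def hardened_flow(client_communities: list, server: ResourceServer) -> str:
    """Always send ?community=, confirm the served community, and only then sign with it."""
    for community in client_communities:     # client's own preference order
        status, meta = server.discover(community)
        if status == 404:
            continue                          # server cannot serve this community; try the next
        if meta["community"] != community:
            return "mismatch"                 # server ignored the parameter: do not sign at all
        ok = server.register(community, community)
        return "accepted" if ok else "rejected"
    return "no_common_community"              # distinguishable from a JWT validation failure
```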

People

  Assignee: Unassigned
  Reporter: Joseph M. Lamy (jlamy)