Details
-
Change Request
-
Resolution: Persuasive
-
Medium
-
National Directory of Healthcare Providers and Services (NDH) (FHIR)
-
1.0.0-ballot
-
Patient Administration
-
STU
-
Home
-
1.13
-
-
Bob Dieterle / Ming Dunajick: 5-0-1
-
Clarification
-
Non-substantive
Description
- "use" and "utilize" wording for more than one OAuth authorization mechanism doesn't make sense; change to "support" and clarify requirements per actor
- SMART and UDAP are two different profiles over OAuth 2 for performing authentication and authorization. Either mechanism could be used for a particular exchange workflow, but it makes no sense to use both at the same time (i.e. SHALL use SMART and MAY use UDAP). If NDH wants to allow both to be used, it should make clear which actor has the flexibility of using either and which actor has the responsibility of supporting both, for example:
- NDH servers SHALL support the SMART Backend Services Authorization Guide...
- NDH servers SHALL support the HL7 UDAP Guide...
- NDH clients SHALL support the SMART Backend Services Authorization Guide, the HL7 UDAP Guide, or both
- NDH clients MAY choose which OAuth profile to use in a particular exchange workflow....
- SMART and UDAP are two different profiles over OAuth 2 for performing authentication and authorization. Either mechanism could be used for a particular exchange workflow, but it makes no sense to use both at the same time (i.e. SHALL use SMART and MAY use UDAP). If NDH wants to allow both to be used, it should make clear which actor has the flexibility of using either and which actor has the responsibility of supporting both, for example:
- SMART (Backend and App Launch) and UDAP collect client info at registration; the wording suggests this is only part of SMART Backend Services.
- In addition to collecting client identity info at registration, UDAP B2B collects it during the authorization step in the form of claims made in a client authentication token. For example, a client at a large backend service supporting an organization with many suborganizations can request authoriztion passing the specific sub-org and requesting user's role.
Attachments
Issue Links
- is voted on by
-
BALLOT-52314 Negative - Joseph M. Lamy : 2023-Sep-FHIR IG NDH R1 STU
- Balloted
- mentioned in
-
Page Loading...