Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-42653

Issues with NDH Security section wording

XMLWordPrintableJSON

    • Icon: Change Request Change Request
    • Resolution: Persuasive
    • Icon: Medium Medium
    • National Directory of Healthcare Providers and Services (NDH) (FHIR)
    • 1.0.0-ballot
    • Patient Administration
    • STU
    • Home
    • 1.13
    • Hide

      Will make the recommended changes

      Show
      Will make the recommended changes
    • Bob Dieterle / Ming Dunajick: 5-0-1
    • Clarification
    • Non-substantive

      • "use" and "utilize" wording for more than one OAuth authorization mechanism doesn't make sense; change to "support" and clarify requirements per actor
        • SMART and UDAP are two different profiles over OAuth 2 for performing authentication and authorization. Either mechanism could be used for a particular exchange workflow, but it makes no sense to use both at the same time (i.e. SHALL use SMART and MAY use UDAP). If NDH wants to allow both to be used, it should make clear which actor has the flexibility of using either and which actor has the responsibility of supporting both, for example:
          • NDH servers SHALL support the SMART Backend Services Authorization Guide...
          • NDH servers SHALL support the HL7 UDAP Guide...
          • NDH clients SHALL support the SMART Backend Services Authorization Guide, the HL7 UDAP Guide, or both
          • NDH clients MAY choose which OAuth profile to use in a particular exchange workflow....
      • SMART (Backend and App Launch) and UDAP collect client info at registration; the wording suggests this is only part of SMART Backend Services.
      • In addition to collecting client identity info at registration, UDAP B2B collects it during the authorization step in the form of claims made in a client authentication token. For example, a client at a large backend service supporting an organization with many suborganizations can request authoriztion passing the specific sub-org and requesting user's role.

            Unassigned Unassigned
            jlamy Joseph M. Lamy
            Joseph M. Lamy
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: