UDAP Software Statement Constraints - HRex #120


    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Medium
    • US Da Vinci HRex (FHIR)
    • STU3
    • Financial Mgmt
    • Profile overview [deprecated]

      We will add an explicit question to balloters in this section asking for what constraints they feel are necessary to ensure good interoperability in this space.  We will also ensure that at least one of the Sept. Connectathon Da Vinci tracks includes use of UDAP for cross-organization registration of SMART apps in its scope.  We will take the feedback from both of these sources and use that to define HRex-specific guidance on the use of UDAP.  We will lean towards aligning with bulk data's use of UDAP wherever it makes sense to do so.

    • Bob Dieterle / Russ Leftwich: 8-0-0
    • Clarification
    • Non-substantive

      Comment:

      This would be a good opportunity to state any constraints on the values in the software statement or additional required claims. Since Da Vinci is using the patient facing standalone SMART launch, that implies that grant_types must include authorization_code (it could include refresh_token, and, if you want to prepare for Bulk FHIR, you'd need to allow client_credentials when that piece comes into scope). We'll also probably want to require "scope" to be populated. And the UDAP spec does not state any preferences as to how the private key used to sign the JWT used to authenticate with the token endpoint should be communicated. This should probably be the jwks_uri preferred to the jwks to match Bulk FHIR's guidance (even though Bulk FHIR isn't in scope, UDAP forces all clients to be confidential and to use JWT authentication, so we'll have to use jwks_uri and/or jwks regardless of whether Bulk FHIR is in scope or not).
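The constraints proposed in the comment above, written as a registration-time check over a decoded software statement. This is an added example, not part of the issue and not adopted HRex guidance; the function names, the sample claims, the https requirement on jwks_uri and the rejection of jwks_uri together with jwks (the latter from RFC 7591) are additions made here.

```python
import base64
import json

# Grant types named in the comment: authorization_code is required, refresh_token
# is optional, client_credentials matters once Bulk FHIR comes into scope.
DISCUSSED_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}

def decode_claims(software_statement):
    """Return the payload of a compact JWS. No signature check is done here:
    verify the signature and certificate chain before trusting these claims."""
    parts = software_statement.split(".")
    if len(parts) != 3:
        raise ValueError("software statement is not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_constraints(claims):
    """Return (errors, warnings) for the constraints proposed in the comment."""
    errors, warnings = [], []
    grants = claims.get("grant_types")
    if not isinstance(grants, list) or not all(isinstance(g, str) for g in grants):
        errors.append("grant_types must be an array of strings")
    else:
        if "authorization_code" not in grants:
            errors.append("grant_types must include authorization_code")
        for g in sorted(set(grants) - DISCUSSED_GRANTS):
            warnings.append("grant type not discussed in the comment: " + g)
    scope = claims.get("scope")
    if not isinstance(scope, str) or not scope.strip():
        errors.append("scope must be populated")
    jwks_uri, jwks = claims.get("jwks_uri"), claims.get("jwks")
    if jwks_uri is not None and jwks is not None:
        errors.append("jwks_uri and jwks must not both be present")  # RFC 7591
    elif jwks_uri is not None:
        # Assumption added for this example: the key set URL must use https.
        if not (isinstance(jwks_uri, str) and jwks_uri.startswith("https://")):
            errors.append("jwks_uri must be an https URL")
    elif jwks is not None:
        warnings.append("jwks supplied; jwks_uri is preferred")
    else:
        errors.append("one of jwks_uri or jwks is required")
    return errors, warnings

def make_sample(claims):
    """Build a constructed compact JWS with a dummy signature, for demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])
```
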

      Summary:

      UDAP Software Statement Constraints

            Assignee:
            Unassigned
            Reporter:
            Michael Clifton
            Watchers:
            3
