The hub is required the hub to be part of all authorization schemes for all applications connected to the hub.

XMLWordPrintableJSON

    • Type: Question
    • Resolution: Considered - Question answered
    • Priority: Highest
    • FHIRCast (FHIR)
    • 0.1 [deprecated]
    • Imaging Integration
    • (NA)
    • Event Notification
    • Hide

      Update spec, change this:

      >The Hub SHALL only return FHIR resources that are authorized to be accessed with the existing OAuth 2.0 access_token.

      to: 

      >The Hub SHALL only return FHIR resources that the subscriber is authorized to receive with the existing OAuth 2.0 access_token's granted fhircast/ scopes. 

      Show
      Update spec, change this: >The Hub SHALL only return FHIR resources that are authorized to be accessed with the existing OAuth 2.0 access_token. to:  >The Hub SHALL only return FHIR resources that the subscriber is authorized to receive with the existing OAuth 2.0 access_token's granted fhircast/ scopes. 

      This requires the hub to be part of all authorization schemes for all applications connected to the hub. I do not think this is achievable unless we mandate that the authentication token shall always include the Smart scopes as well. The core question is whether the hub is a dumb bus or has intelligence… lets discuss this in more detail. Also as some of the scopes in smartOnFhir (patient/…) are linked to the context in which the request was made. How to enforce this without the hub maintaining state?

      Existing Wording:

      The Hub SHALL only return FHIR resources that are authorized to be accessed with the existing OAuth 2.0 access_token.

            Assignee:
            Unassigned
            Reporter:
            Bas van den Heuvel
            Bas van den Heuvel
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: