[Openid-specs-heart] Public FHIR Endpoints - are there any OAUTH endpoints to register and test

Aaron Seib aaron.seib at nate-trust.org
Tue Jul 21 12:51:09 UTC 2015

I am in the same boat as Justin – Dragon and I had a sidebar about this a week or so back and came to the same conclusion.  


The use case should determine what is employed. I am a visual guy – if we had a set of concentric circles, OAuth would be the center, a band of both OAuth and UMA would surround that, and then UMA would be the outer band.


Probably not helpful without some arrows that label the use case supported by each band, but that is the way I have pictured it. I am not sure that visualization stands up, as I don’t know that you ever have a use case with UMA in isolation from OAuth. Can someone correct me?


It might help to spell out a specific use case in the legacy language of disclosure based on push:


1. EMR1 sends protected health data to PHRA.
2. Consumer using PHRA sends content from (1) to EMR2.
3. EMR2 receives content and its workflow can differentiate between PGHD and data that is unchanged since it left EMR1.


Could anyone on this thread convert this transaction into the OAuth/UMA domain so that a layman would understand?



Aaron Seib, CEO


 (o) 301-540-2311

(m) 301-326-6843


From: Openid-specs-heart [mailto:openid-specs-heart-bounces at lists.openid.net] On Behalf Of Justin Richer
Sent: Tuesday, July 21, 2015 3:54 AM
To: Adrian Gropper
Cc: openid-specs-heart at lists.openid.net
Subject: Re: [Openid-specs-heart] Public FHIR Endpoints - are there any OAUTH endpoints to register and test


That’s not true: We’re doing UMA where UMA makes sense. We’re doing OAuth where OAuth makes sense. We’re doing both in parallel when both in parallel make sense.


At least, that’s what I got from the discussion of the previous thread of options, though I’m potentially biased because this is the direction that I thought we should go.


 — Justin


On Jul 21, 2015, at 12:52 AM, Adrian Gropper <agropper at healthurl.com> wrote:


I'm confused. Either HEART is doing UMA or we're not. OAuth alone, at least as I understand it, does not meet key issues of the HEART Charter.


What am I missing here? Is HEART just going to tag along behind FHIR or are we going to lead?



On Monday, July 20, 2015, Debbie Bucci <debbucci at gmail.com> wrote:

I would also like to propose that we look at the Argonaut backend services because it's closest to our profiles. Let's pretend a PHR is a trusted back end service.

If I am way off base - correct me.

On Jul 20, 2015 5:42 PM, "Debbie Bucci" <debbucci at gmail.com> wrote:

Hi everyone


I see this is the current list 




I know for certain some of you are building your own sandboxes (+1). Is it possible to get an informal interop going? It may help us with the profile discussions.






Adrian Gropper MD
Ensure Health Information Privacy. Support Patient Privacy Rights.



