[Openid-specs-heart] How do you define a resource set?

Eve Maler eve.maler at forgerock.com
Thu Jul 7 18:32:30 UTC 2016

The requesting party token (RPT) does indeed have associated with it one or
more "permissions", which are data structures that look similar to resource
set descriptions. The relevant section is UMA Core Sec 3.4.2, RPT Profile:

So to correct the syntax a bit, it would look like this:

    {
        "active": true,
        "exp": 1256953732,
        "iat": 1256912345,
        "permissions": [
            {
                "resource_set_id": "112210f47de98100",
                "scopes": [
                    "patient/MedicationDispense*.read"
                ],
                "exp": 1256953732
            }
        ]
    }

Instead of mentioning the resource set name or any such details, it just
calls out the relevant resource set ID as registered at the AS, and then
explicitly mentions the particular scopes that are granted. (So the
resource set with this ID might be of the "virtual clipboard" kind.)

The RPT would have gotten populated this way based on the original
availability of a registered resource set, as outlined in the previous
couple of messages (a CREATE of the structure with the fields I described),
and a requesting party passing muster, such that their client got this RPT.

Clearly, designing a resource set of a "virtual clipboard" kind would be
coming from an "Alice shares data before/at a first visit" use case. Note
that giving a resource set like this scopes such as
"patient/MedicationDispense*.read" would be a way to enable "positive
filtering" of content. (I still don't readily understand the FHIR OAuth
scope syntax -- need to look up how to parse this! What's the English for
it, again?)

*Eve Maler* ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
*ForgeRock Summits and UnSummits* are coming to
<http://summits.forgerock.com/> *Sydney, London, and Paris!*

On Thu, Jul 7, 2016 at 9:24 AM, Debbie Bucci <debbucci at gmail.com> wrote:

> So ... broad question here ... and I admit I do not have a clear
> understanding of the specs yet.
> Focused on initial visit/appointment.
> An (RPT) token generated for Dr. Bob - does it include the resource set
> that Bob can see? Could the token also include a claim or an actual
> resource for the consent and/or confidentiality code? Not clear to me
> how an AS would provide additional policy to the RS beyond what the RS is
> asking authorization for.
> Guess at what a resource set may look like ...
> {
>   "name" : "Virtual_clipboard",
>   "scopes" : [
>     "patient/MedicationDispense*.read",
>     "patient/AllergyIntolerance*.read",
>     "patient/Immunization*.read",
>     "patient/Condition.code.read"
>   ]
> }
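As an added illustration (not code from this thread or from any UMA implementation), here is how a resource server could apply the RPT "permissions" structure described above: match only on the resource set ID it registered at the AS, honour both the token-level and permission-level "exp", and grant nothing beyond the scopes explicitly listed. The introspection response is a constructed sample that reuses the values from the message.

```python
import json

# Constructed sample: an RPT introspection response shaped like the
# UMA Core 3.4.2 example discussed above. Values are illustrative only.
SAMPLE_INTROSPECTION = json.loads("""
{
  "active": true,
  "exp": 1256953732,
  "iat": 1256912345,
  "permissions": [
    {
      "resource_set_id": "112210f47de98100",
      "scopes": ["patient/MedicationDispense*.read",
                 "patient/AllergyIntolerance*.read"],
      "exp": 1256953732
    }
  ]
}
""")


def granted_scopes(introspection, resource_set_id, now):
    """Return the set of scopes the RPT grants on one registered resource set.

    The RS matches on the resource set ID (never on a human-readable name),
    and an inactive token, an expired token or an expired permission
    contributes no scopes at all.
    """
    if not introspection.get("active"):
        return set()
    if "exp" in introspection and now >= introspection["exp"]:
        return set()
    scopes = set()
    for perm in introspection.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        if "exp" in perm and now >= perm["exp"]:
            continue
        scopes.update(perm.get("scopes", []))
    return scopes


def authorize(introspection, resource_set_id, requested_scopes, now):
    """True only if every requested scope is explicitly granted (positive filtering)."""
    return set(requested_scopes) <= granted_scopes(introspection, resource_set_id, now)
```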