[Openid-specs-heart] Draft HEART meeting notes 2015-07-13
Debbie Bucci
debbucci at gmail.com
Thu Jul 16 22:49:58 UTC 2015
Thanks so much for this, Josh. Justin will be in Prague next week so I
would like to postpone the broader scope/approach discussion until he
returns and Eve is available as well. I have no answers - just questions
and lots of them!
Instead I would like to use that time as an opportunity to pull the focus
back to the PHR *as source of truth* and do as we originally intended -
focus on the use case.
Gajun Sunthara has been building an open source FHIR based PHR from
scratch as a way to understand the underlying standards and protocols.
It's been amazing to see the concepts develop over time as he's socialized
his efforts.
He has implemented OpenID Connect and has connected to a number of FHIR
resources and created a local store of his own. Additionally he has a
running list of endpoints that seem to align with what I think a personal
UMA authorization may look like (at least to a consumer). So many ways to
extend those concepts.
The authorization service, or source of truth, will need to be flexible and
meet the consumer's needs across a number of different RS clients and APIs
and standards. Gaj's UI makes me believe it's possible to do.
If there is time after the demo, I'd like to use it to focus on JUST the
scopes that a PHR would need to communicate and enable read/write between
PHR and PCP as both client and RS.
Deb
On Thu, Jul 16, 2015 at 11:31 AM, Josh Mandel <
Joshua.Mandel at childrens.harvard.edu> wrote:
> As promised: this is the version of the SMART on FHIR specification that
> includes the most recent changes in response to review from the Argonaut
> participants:
> http://fhir-docs.smarthealthit.org/argonaut-dev/authorization/
>
> Beyond a set of editorial changes, the most relevant updates are:
>
> 1. Addition of "aud" as a parameter on the authorization request. This is
> a security fix that mitigates against a malicious resource server (in the
> absence of a whitelisting protocol by which public client apps decide which
> resource servers to trust).
>
> 2. Moved "launch:" out of the scopes list and into a separate parameter of
> the authorization request (this cleans up the semantics of our scopes list
> a bit, and sounds similar to what we were calling an "audience" on today's
> phone call).
>
> 3. Added a scope called "online_access" (by analogy to the OIDC
> "offline_access" scope). This scope is used to request a refresh token that
> lasts until a user signs out of the EHR.
>
>
>
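The three changes Josh lists in the quoted message, as an added example that is not part of this email thread, of Gaj's PHR code, or of the SMART on FHIR specification text: a client composing an authorization request that carries "aud" and "launch" as separate parameters and "online_access" as a scope, and the authorization-server-side check that makes "aud" useful against a counterfeit resource server. The endpoint URLs, client id, the exact-match audience check, and the refresh-token policy mapping are assumptions for illustration, not details the email states.

```python
"""Added example (not from the original email, Gaj's PHR, or the SMART on FHIR
spec text): a SMART-style authorization request with "aud" and "launch" as
separate parameters and "online_access" as a scope, plus the authorization
server's audience check.  Endpoint URLs, client id and the check itself are
assumptions made for illustration."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data (assumed, not from the thread).
AUTHZ_ENDPOINT = "https://ehr.example.org/oauth2/authorize"
TRUSTED_FHIR_BASE = "https://ehr.example.org/fhir"            # the RS this AS fronts
COUNTERFEIT_FHIR_BASE = "https://ehr.example.org.attacker.test/fhir"  # attacker RS


def build_authorize_url(fhir_base, client_id, redirect_uri, state, launch=None,
                        scopes=("patient/*.read", "openid", "profile", "online_access")):
    """Client side: compose the authorization request.

    'aud' names the FHIR server the app intends to present the token to, and
    'launch' (when present) is its own parameter rather than a 'launch:...' scope.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "aud": fhir_base,
    }
    if launch is not None:
        params["launch"] = launch
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_request(url):
    """Return the single-valued query parameters of an authorization request."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def authorize(url, trusted_fhir_base=TRUSTED_FHIR_BASE):
    """Authorization-server side (assumed check, for illustration).

    Refuses the request unless 'aud' is exactly the FHIR base this server
    issues tokens for.  A counterfeit resource server that steers a public
    client app to the genuine authorization server would otherwise end up
    holding a genuine bearer token.  The comparison is an exact string match
    after stripping a trailing slash; a prefix match would let the attacker
    host in COUNTERFEIT_FHIR_BASE slip through.
    Returns (ok, reason_or_scopes).
    """
    req = parse_request(url)
    if "aud" not in req:
        return False, "missing aud"
    if req["aud"].rstrip("/") != trusted_fhir_base.rstrip("/"):
        return False, "aud does not match resource server"
    scopes = req.get("scope", "").split()
    if any(s.startswith("launch:") for s in scopes):
        return False, "launch belongs in its own parameter, not in scope"
    return True, scopes


def refresh_token_policy(scopes):
    """Map the requested access scope to a refresh-token lifetime (assumed).

    'online_access' asks for a refresh token that lives until the user signs
    out of the EHR; 'offline_access' (OIDC) asks for one that outlives the
    session; neither means no refresh token.
    """
    if "offline_access" in scopes:
        return "persistent"
    if "online_access" in scopes:
        return "until_ehr_signout"
    return None
```

In a real deployment the authorization server would also bind the issued access token to that audience (for example in a token introspection response or a JWT "aud" claim) so the genuine resource server can reject a token minted for another server; the block stops at the request-time check the email describes.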