[Openid-specs-heart] HEART Profiles - Dynamic AS and C Registration Clarification

Adrian Gropper agropper at healthurl.com
Thu Dec 3 13:50:47 UTC 2015


In Section 4. Component Registration of
http://openid.bitbucket.org/HEART/openid-heart-uma.html:

"The authorization server MUST allow for dynamic client registration
<http://openid.bitbucket.org/HEART/openid-heart-uma.html#RFC7591> [RFC7591]
and dynamic resource set registration
<http://openid.bitbucket.org/HEART/openid-heart-uma.html#UMA.RSR> [UMA.RSR]."

As discussed on the UMA calls, the HEART profiles require dynamic
registration of everything from the perspective of the Resource Server. We
said: the resource server can issue "black box" warnings to the Resource
Owner but cannot block dynamic registration of the specified Authorization
Server. This MUST is essential to the HEART Delegation Use-Case and the
control of resources under HIPAA patient right of access.

Dynamic registration also applies to Clients. Clients dynamically register
with the Authorization Server and then present their token to the Resource
Server. Any "black box" warnings regarding the particular Client would be
issued by the Authorization Server.

In section 3.2. Dynamic Registration of
http://openid.bitbucket.org/HEART/openid-heart-oauth2.html

"Authorization servers MUST support dynamic client registration, and
clients MAY register using the Dynamic Client Registration Protocol
<http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#RFC7591>
[RFC7591] for authorization code or implicit grant types. Clients MUST NOT
dynamically register for the client credentials grant type. *Authorization
servers MAY limit the scopes available to dynamically registered clients.*"
(my emphasis)

Is it clear in http://openid.bitbucket.org/HEART/openid-heart-uma.html that
the RS MUST honor the Client as authorized by the AS even if the RS does
not have the opportunity to put up a warning during Phase 2 of the UMA
sequence?

Can we be clearer in the HEART profiles on what the resource server MUST or
SHOULD do when presented with a token from a Client they have not seen
before?

Adrian

-- 

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
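To make the two profile requirements quoted in this message concrete, here is an added toy model (illustrative code, not from the HEART profiles, the UMA specs or any OpenID Foundation project): an authorization server that handles RFC 7591 dynamic client registration under the HEART OAuth2 rules (authorization code or implicit only, client_credentials refused, scopes limited), and a resource server that honors a token from a client it has never seen by asking the AS about it via RFC 7662-style introspection, raising a warning rather than blocking. The class names, the scope names `openid`/`resource.read`, the `handle_request` return codes and the use of introspection as the RS's check are all assumptions made for the example.

```python
"""Added illustration (not code from the HEART profiles or the OpenID
Foundation): a toy authorization server that performs RFC 7591 dynamic
client registration under the HEART OAuth2 rules quoted in the thread,
and a toy resource server that honors a token from a client it has never
seen by asking the AS about it (RFC 7662-style introspection)."""
import secrets
import time

# Grant types the HEART OAuth2 profile allows for dynamically registered
# clients (authorization code or implicit; client_credentials is forbidden).
DYNAMIC_GRANT_TYPES = {"authorization_code", "implicit"}

# The profile says the AS MAY limit scopes for dynamically registered
# clients. The scope names here are constructed for the example.
DYNAMIC_SCOPES = {"openid", "resource.read"}


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> registered metadata
        self.tokens = {}    # bearer token -> {client_id, scope, exp}

    def register_client(self, metadata):
        """Handle an RFC 7591 registration request body (a dict).

        Returns the registration response, or an RFC 7591 error object.
        """
        grant_types = set(metadata.get("grant_types", ["authorization_code"]))
        if "client_credentials" in grant_types:
            return {"error": "invalid_client_metadata",
                    "error_description": "client_credentials may not be "
                                         "dynamically registered"}
        if not grant_types <= DYNAMIC_GRANT_TYPES:
            return {"error": "invalid_client_metadata",
                    "error_description": "unsupported grant_types"}
        # Redirection-based grants need at least one redirect URI (RFC 7591 s2).
        redirect_uris = metadata.get("redirect_uris", [])
        if not redirect_uris:
            return {"error": "invalid_redirect_uri",
                    "error_description": "redirect_uris required"}
        requested = set(metadata.get("scope", "").split())
        granted = (requested & DYNAMIC_SCOPES) if requested else DYNAMIC_SCOPES
        if not granted:
            return {"error": "invalid_client_metadata",
                    "error_description": "no requested scope is available"}
        client_id = secrets.token_urlsafe(16)
        record = {
            "client_id": client_id,
            "client_secret": secrets.token_urlsafe(32),
            "client_id_issued_at": int(time.time()),
            "client_secret_expires_at": 0,  # 0 = does not expire
            "client_name": metadata.get("client_name", ""),
            "redirect_uris": list(redirect_uris),
            "grant_types": sorted(grant_types),
            "scope": " ".join(sorted(granted)),
        }
        self.clients[client_id] = record
        return dict(record)

    def issue_token(self, client_id, scope, lifetime=3600):
        """Mint a bearer token after a (not modelled) authorization code flow.
        Scope is capped at what the client was registered with."""
        client = self.clients[client_id]
        allowed = set(scope.split()) & set(client["scope"].split())
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id,
                              "scope": " ".join(sorted(allowed)),
                              "exp": int(time.time()) + lifetime}
        return token

    def introspect(self, token):
        """RFC 7662-style introspection response."""
        info = self.tokens.get(token)
        if info is None or info["exp"] <= time.time():
            return {"active": False}
        return {"active": True, **info}


class ResourceServer:
    """Accepts any token the AS vouches for; an unseen client gets a
    warning, not a refusal (the behaviour the thread asks HEART to spell out)."""

    def __init__(self, authorization_server):
        self.auth_server = authorization_server
        self.seen_clients = set()
        self.warnings = []   # "black box" warnings to surface to the owner

    def handle_request(self, token, required_scope):
        """Return (HTTP status, reason) for a bearer-token request."""
        info = self.auth_server.introspect(token)
        if not info.get("active"):
            return 401, "invalid_token"
        if required_scope not in info["scope"].split():
            return 403, "insufficient_scope"
        client_id = info["client_id"]
        if client_id not in self.seen_clients:
            self.seen_clients.add(client_id)
            self.warnings.append(f"first request from client {client_id}")
        return 200, "ok"
```

The design point is that the resource server never consults a list of clients it has pre-approved: its only decision inputs are the AS's answer about the token and the scope it carries, so a client registered with the AS a minute ago is served exactly like an old one, and the "first request" warning is the RS's only client-specific reaction.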