[Openid-specs-heart] How do you define a resource set?

Justin Richer jricher at mit.edu
Fri Jul 1 20:55:03 UTC 2016


No, I think you’re reading it correctly. The RS defines what the resources are, and it communicates to the AS the protection mechanisms around that. So it can say “I have these resource sets”, and it can also say “this resource set has these scopes associated with it”. But it’s up to the API definition (FHIR in our case) to decide what actually goes into the sets themselves. It’s up to either the API definition or a security profile (like what we’re doing here in HEART) to define the mapping between scopes and resulting actions/data. But it’s always up to the RS to enforce these.

The UMA standard also has “resource set type” but those types aren’t defined or really used anywhere to my knowledge. We could, as part of our profile work, define resource set types based around FHIR resources as well as the scopes associated with them.

 — Justin

> On Jul 1, 2016, at 4:17 PM, Debbie Bucci <debbucci at gmail.com> wrote:
> 
> In an effort to move things along, I was going to attempt to define a resource set or two. Is https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html the right document to reference? Boy did I have things backasswords!
> 
> 
> This document describes how to post/get/update/delete the overall resource set name, but I am having a bit of difficulty understanding what resources are actually in that set. Given that is defined on the RS, perhaps the AS would never know, nor could it make fine-grained decisions on an element within the set. Instead the AS could consent or deny to share based on AIDs or mental diagnosis, but it would be up to the RS to understand how to translate how those decisions are made.
> 
> This helps better explain to me how the AS could configure/register/interact with a different RS *on the fly*. So, based on skimming the reference, our profile will suggest resource set names for subsets of data that we believe a consumer would want to authorize, and potentially additional scopes not included as part of the FHIR/OAuth profile. Even those would be dependent on what the RS is willing or could technically support.
> 
> I'm missing something ... right?
> 
> Deb
> 
> 

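The division of labour Justin describes (RS registers set descriptions and scopes with the AS, the API/profile decides contents and scope meaning, the RS alone enforces), modelled as an added example that is not code from the thread or from any HEART/UMA draft. The description fields (name, uri, type, scopes) follow the UMA resource set registration draft linked above; the FHIR groupings, scope names and scope-to-method mapping are constructed for illustration.

```python
import itertools

# Profile's job (constructed mapping): which HTTP methods each scope permits.
SCOPE_ACTIONS = {"read": {"GET"}, "write": {"POST", "PUT"}}

# API definition's job (constructed): which FHIR resource types each set holds.
# The AS never sees this table; it is RS-side knowledge only.
SET_CONTENTS = {
    "demographics": {"Patient"},
    "mental_health": {"Condition", "MedicationStatement"},
}


class AuthorizationServer:
    """Stores registered resource set descriptions and nothing about contents."""

    def __init__(self):
        self._sets, self._ids = {}, itertools.count(1)

    def register(self, description):
        # The registration draft has the AS hand back an _id for the new set.
        set_id = f"rs{next(self._ids)}"
        self._sets[set_id] = dict(description)
        return set_id

    def registered(self, set_id):
        # Everything the AS can base a consent decision on is in this document.
        return self._sets[set_id]


class ResourceServer:
    """Defines the sets, registers them at the AS, and is the only enforcer."""

    def __init__(self, az):
        self.set_ids = {}
        for name in SET_CONTENTS:
            doc = {"name": name, "uri": f"https://rs.example/fhir/{name}",
                   "type": f"https://profile.example/sets/{name}",
                   "scopes": sorted(SCOPE_ACTIONS)}
            self.set_ids[name] = az.register(doc)

    def allows(self, permissions, resource_type, method):
        # permissions: {resource_set_id: scopes} as granted by the AS in the RPT.
        # The RS translates (set, scope) into a concrete FHIR action; a resource
        # type belonging to no registered set is denied by default.
        allowed = set()
        for name, set_id in self.set_ids.items():
            if resource_type in SET_CONTENTS[name]:
                for scope in permissions.get(set_id, ()):
                    allowed |= SCOPE_ACTIONS.get(scope, set())
        return method in allowed
```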