<div dir="ltr">The requesting party token (RPT) does indeed have associated with it one or more "permissions", which are data structures that look similar to resource set descriptions. The relevant section is <a href="https://docs.kantarainitiative.org/uma/rec-uma-core-v1_0_1.html#uma-bearer-token-profile">UMA Core Sec 3.4.2, RPT Profile: Bearer</a>.<div><br></div><div>So to correct the syntax a bit, it would look like this:</div><div><br></div><div><pre style="font-family:monospace, monospace">{
  "active": true,
  "exp": 1256953732,
  "iat": 1256912345,
  "permissions": [
    {
      "resource_set_id": "112210f47de98100",
      "scopes": [
        "...",
        "...",
        "...",
        "..."
      ],
      "exp": 1256953732
    }
  ]
}</pre></div><div><br></div><div>Instead of mentioning the resource set name or any such details, it just calls out the relevant resource set ID as registered at the AS, and then explicitly mentions the particular scopes that are granted. 
(So the resource set with this ID might be of the "virtual clipboard" kind.)</div><div><br></div><div>The RPT would have gotten populated this way based on the original availability of a registered resource set, as outlined in the previous couple of messages (a CREATE of the structure with the fields I described), and a requesting party passing muster, such that their client got this RPT.</div><div><br></div><div>Clearly, designing a resource set of a "virtual clipboard" kind would be coming from an "Alice shares data before/at a first visit" use case. Note that giving a resource set like this scopes such as "<span style="font-size:12.8px">patient/MedicationDispense*.</span><span style="font-size:12.8px">read</span>" would be a way to enable "positive filtering" of content. (I still don't readily understand the FHIR OAuth scope syntax -- need to look up how to parse this! What's the English for it, again?)</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">
<p><b>Eve Maler<br></b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br>Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl<br><b>ForgeRock Summits and UnSummits</b> <a href="http://summits.forgerock.com/" target="_blank">are coming to</a> <b>Sydney, London, and Paris!</b></p></div></div></div></div></div></div></div></div></div></div></div></div></div>
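<div>Added example (not from the thread, the HEART drafts, or any UMA implementation): the decision a resource server makes once it has introspected an RPT at the AS and received a response shaped like the one above (UMA Core 1.0.1 sec 3.4.2: <code>active</code>, token-level <code>exp</code>/<code>iat</code>, and a <code>permissions</code> array whose entries carry <code>resource_set_id</code>, <code>scopes</code> and an optional per-permission <code>exp</code>/<code>nbf</code>). The introspection JSON, the second resource set ID, the scope strings and the clock value are constructed for the example; scopes are compared as opaque strings, which is all UMA itself defines, so nothing here interprets the FHIR scope syntax.</div>

```python
"""Resource-server-side authorization check over an UMA 1.0.1 RPT
introspection response (added example; not code from the thread)."""
import json

# Constructed sample introspection response, modelled on the structure quoted
# in the message above. Scope strings and the second resource_set_id are
# placeholders, not anything a HEART profile defines.
INTROSPECTION_RESPONSE = json.dumps({
    "active": True,
    "exp": 1256953732,
    "iat": 1256912345,
    "permissions": [
        {
            "resource_set_id": "112210f47de98100",
            "scopes": [
                "patient/MedicationDispense.read",
                "patient/AllergyIntolerance.read",
            ],
            "exp": 1256953732,
        },
        {
            # hypothetical second resource set whose permission has already
            # lapsed even though the RPT as a whole is still valid
            "resource_set_id": "7a1b2c3d4e5f6071",
            "scopes": ["patient/Immunization.read"],
            "exp": 1256900000,
        },
    ],
})

# Constructed "current time": after iat, before the token-level exp, and
# after the second permission's exp.
SAMPLE_NOW = 1256920000


def granted_scopes(introspection_json, resource_set_id, now):
    """Return the set of scopes the RPT currently grants on one resource set.

    Token-level checks come first (inactive, expired or not-yet-valid tokens
    grant nothing at all); then each permission is checked against its own
    exp/nbf before its scopes are counted. Permissions for other resource
    sets are ignored: the RS only ever asks about the resource it is serving.
    """
    data = json.loads(introspection_json)
    if not data.get("active", False):
        return set()
    if "exp" in data and now >= data["exp"]:
        return set()
    if "nbf" in data and now < data["nbf"]:
        return set()

    scopes = set()
    for perm in data.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        if "exp" in perm and now >= perm["exp"]:
            continue
        if "nbf" in perm and now < perm["nbf"]:
            continue
        scopes.update(perm.get("scopes", []))
    return scopes


def authorize(introspection_json, resource_set_id, required_scopes, now):
    """True only if every scope the RS requires for this request is granted.

    Scopes are matched as opaque strings. An empty requirement is refused so
    a misconfigured RS cannot accidentally allow everything.
    """
    required = set(required_scopes)
    if not required:
        return False
    return required <= granted_scopes(introspection_json, resource_set_id, now)


if __name__ == "__main__":
    rs_id = "112210f47de98100"
    print(sorted(granted_scopes(INTROSPECTION_RESPONSE, rs_id, SAMPLE_NOW)))
    print(authorize(INTROSPECTION_RESPONSE, rs_id,
                    ["patient/MedicationDispense.read"], SAMPLE_NOW))
    print(authorize(INTROSPECTION_RESPONSE, "7a1b2c3d4e5f6071",
                    ["patient/Immunization.read"], SAMPLE_NOW))
```

<div>When <code>authorize</code> returns <code>False</code>, the UMA flow is for the RS to register a permission request at the AS for the resource set and scopes it needs and return the resulting ticket to the client with a 403, rather than to guess at a partial result; the <code>now</code> parameter is passed explicitly so the same check can be run against recorded introspection responses.</div>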
<br><div class="gmail_quote">On Thu, Jul 7, 2016 at 9:24 AM, Debbie Bucci <span dir="ltr"><<a href="mailto:debbucci@gmail.com" target="_blank">debbucci@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><font color="#222222">So ... broad question here ... and admit I do not have a clear understanding of the specs yet</font></div><div><br></div><div>Focused on initial visit/appointment. </div><div><br></div><div>A token (RPT) generated for Dr. Bob: does it include the resource set that Bob can see? Could the token also include a claim or an actual resource for the consent and/or confidentiality code? Not clear to me how an AS would provide additional policy to the RS beyond what the RS is asking authorization for.</div><div><br></div><div>Guess at what a resource set may look like ...</div><div><pre>{
  "name": "Virtual_clipboard",
  "scopes": [
    "patient/MedicationDispense*.read",
    "patient/AllergyIntolerance*.read",
    "patient/Immunization*.read",
    "patient/Condition.code.read"
  ]
}</pre></div><span class=""><div><br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div><div><br></div></div><span>_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
<br></span></blockquote></div><br></div>
</blockquote></span></div><br></div></div>
</blockquote></div><br></div>