<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:16px"><div dir="ltr" id="yui_3_16_0_ym19_1_1472753670463_10214"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1472753670463_10211"><span id="yui_3_16_0_ym19_1_1472753670463_10381"> I would model the scopes as the 'interaction' verb for a given resource.</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1472753670463_10211"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1472753670463_10211"><span id="yui_3_16_0_ym19_1_1472753670463_10926"> And the Conditional Verb, which is set in the HTTP header, acts like an Attribute/Claim that the request is passing.</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1472753670463_10211"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1472753670463_10211"><span><br></span></div>
<div id="yui_3_16_0_ym19_1_1472753670463_11021"><table style="box-sizing: border-box; margin-bottom: 10px; border-collapse: collapse; border-spacing: 0px; max-width: 100%; border: 1px solid black; margin-right: auto; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 20px;" id="yui_3_16_0_ym19_1_1472753670463_10825"><tbody style="box-sizing: border-box;" id="yui_3_16_0_ym19_1_1472753670463_10826">
<tr style="box-sizing: border-box; font-size: 12px; line-height: 1.4em; font-family: verdana; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10827"><th style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10828">Interaction</th><th style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10829">Path</th><th colspan="5" style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10830">Request</th></tr>
<tr style="box-sizing: border-box; font-size: 12px; line-height: 1.4em; font-family: verdana; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10831"><th colspan="2" style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10832"></th><th style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10833">Verb</th><th style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10834">Content-Type</th><th style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10835">Body</th><th style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10836">Prefer</th><th style="box-sizing: border-box; text-align: left; border: 1px solid silver; line-height: 1.4em; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10837">Conditional</th></tr>
<tr style="box-sizing: border-box; font-size: 12px; line-height: 1.4em; font-family: verdana; padding: 3px; vertical-align: top;" id="yui_3_16_0_ym19_1_1472753670463_10838"><td style="box-sizing: border-box; line-height: 1.4em; padding: 3px; vertical-align: top; border: 1px solid silver;" id="yui_3_16_0_ym19_1_1472753670463_10839"><code style="box-sizing: border-box; counter-increment: listing 1; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 1em; padding: 2px 4px; color: rgb(0, 92, 0); white-space: nowrap; border-radius: 4px; background-color: rgb(249, 242, 244);" id="yui_3_16_0_ym19_1_1472753670463_10840">read</code></td><td style="box-sizing: border-box; line-height: 1.4em; padding: 3px; vertical-align: top; border: 1px solid silver;" id="yui_3_16_0_ym19_1_1472753670463_10841"><code style="box-sizing: border-box; counter-increment: listing 1; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 1em; padding: 2px 4px; color: rgb(0, 92, 0); white-space: nowrap; border-radius: 4px; background-color: rgb(249, 242, 244);" id="yui_3_16_0_ym19_1_1472753670463_10842">/[type]/[id]</code></td><td style="box-sizing: border-box; line-height: 1.4em; padding: 3px; vertical-align: top; border: 1px solid silver;" id="yui_3_16_0_ym19_1_1472753670463_10843"><code style="box-sizing: border-box; counter-increment: listing 1; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 1em; padding: 2px 4px; color: rgb(0, 92, 0); white-space: nowrap; border-radius: 4px; background-color: rgb(249, 242, 244);" id="yui_3_16_0_ym19_1_1472753670463_10844">GET</code></td><td style="box-sizing: border-box; line-height: 1.4em; padding: 3px; vertical-align: top; border: 1px solid silver;" id="yui_3_16_0_ym19_1_1472753670463_10845">N/A</td><td style="box-sizing: border-box; line-height: 1.4em; padding: 3px; vertical-align: top; border: 1px solid silver;" id="yui_3_16_0_ym19_1_1472753670463_10846">N/A</td><td style="box-sizing: border-box; line-height: 1.4em; padding: 3px; vertical-align: top; border: 1px solid silver;" id="yui_3_16_0_ym19_1_1472753670463_10847">N/A</td><td style="box-sizing: border-box; line-height: 1.4em; padding: 3px; vertical-align: top; border: 1px solid silver;" id="yui_3_16_0_ym19_1_1472753670463_10848">O: <code style="box-sizing: border-box; counter-increment: listing 1; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 1em; padding: 2px 4px; color: rgb(0, 92, 0); white-space: nowrap; border-radius: 4px; background-color: rgb(249, 242, 244);" id="yui_3_16_0_ym19_1_1472753670463_10849">ETag</code>,<code style="box-sizing: border-box; counter-increment: listing 1; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 1em; padding: 2px 4px; color: rgb(0, 92, 0); white-space: nowrap; border-radius: 4px; background-color: rgb(249, 242, 244);" id="yui_3_16_0_ym19_1_1472753670463_10850">If-Modified-Since</code>,<code style="box-sizing: border-box; counter-increment: listing 1; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 1em; padding: 2px 4px; color: rgb(0, 92, 0); white-space: nowrap; border-radius: 4px; background-color: rgb(249, 242, 244);" id="yui_3_16_0_ym19_1_1472753670463_10851">If-None-Match</code></td></tr></tbody></table><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;"><br></span></font></div>
<div id="yui_3_16_0_ym19_1_1472753670463_11022"><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif" id="yui_3_16_0_ym19_1_1472753670463_11023"><span style="font-size: 14px; line-height: 20px;" id="yui_3_16_0_ym19_1_1472753670463_11024">Hence, the scope will be equal to 'read', which gives us coarse-grained access to the request.</span></font></div><div id="yui_3_16_0_ym19_1_1472753670463_11028"><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;"><br></span></font></div><div><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;">If a conditional element is present in the HTTP request, then ABAC (Attribute Based Access Control) will be activated, which will take into consideration extra authorization requirements based on claims present in the request.</span></font></div><div id="yui_3_16_0_ym19_1_1472753670463_11136"><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;"><br></span></font></div>
<div><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;">Hence, a mix and match of coarse-grained/fine-grained access will be required to access the resource.</span></font></div><div id="yui_3_16_0_ym19_1_1472753670463_11137"><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;"><br></span></font></div><div><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;">Regards</span></font></div><div id="yui_3_16_0_ym19_1_1472753670463_11140"><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif" id="yui_3_16_0_ym19_1_1472753670463_11139"><span style="font-size: 14px; line-height: 20px;" id="yui_3_16_0_ym19_1_1472753670463_11138">Vivek Biswas, CISSP</span></font></div><div><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;">Consulting Member of Security Staff.</span></font></div><div id="yui_3_16_0_ym19_1_1472753670463_11141"><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;">Oracle.</span></font></div><div><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size: 14px; line-height: 20px;"><br></span></font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1472753670463_10211"><span> </span></div><div id="yui_3_16_0_ym19_1_1472753670463_10697"><br></div><div id="yui_3_16_0_ym19_1_1472753670463_10638"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1472753670463_10085"><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1472753670463_10051" style="display: block;"> <div style="font-family: verdana, helvetica, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1472753670463_10050"> <div style="font-family: HelveticaNeue,
Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1472753670463_10049"> <div dir="ltr" id="yui_3_16_0_ym19_1_1472753670463_10048"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1472753670463_10047"> <hr size="1" id="yui_3_16_0_ym19_1_1472753670463_10046"> <b><span style="font-weight:bold;">From:</span></b> "Gregorowicz, Andrew J." <andrewg@mitre.org><br> <b><span style="font-weight: bold;">To:</span></b> "openid-specs-heart@lists.openid.net" <openid-specs-heart@lists.openid.net> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, September 1, 2016 9:04 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> [Openid-specs-heart] How should a FHIR Server (RS) handle some interactions with with the HEART OAuth 2.0 scopes<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1472753670463_10111"><br><div id="yiv4694916394">
<div id="yui_3_16_0_ym19_1_1472753670463_10114">
<div class="yiv4694916394WordSection1" id="yui_3_16_0_ym19_1_1472753670463_10113">
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10112"><span style="font-size:11.0pt;">Hello HEART,</span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10115"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10117"><span style="font-size:11.0pt;" id="yui_3_16_0_ym19_1_1472753670463_10116">I work on maintaining a FHIR server (https://github.com/intervention-engine/fhir). As part of my work, I have been implementing code that allows the server to conduct HEART profile compliant OAuth 2.0 authorized
interactions as well as authenticate users using HEART profiled OpenID Connect.</span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10118"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10121"><span style="font-size:11.0pt;" id="yui_3_16_0_ym19_1_1472753670463_10120">Looking through the archives, it appears that there is some discussion on the FHIR OAuth 2.0 scopes. I wanted to share some implementation experience and questions that may help the discussion going forward.</span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10237"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10125"><span style="font-size:11.0pt;" id="yui_3_16_0_ym19_1_1472753670463_10124">How should the scopes interact with FHIR Search, specifically with _include and _revinclude (http://www.hl7.org/implement/standards/fhir/search.html#revinclude)?</span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10126"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10168"><span style="font-size:11.0pt;" id="yui_3_16_0_ym19_1_1472753670463_10167">Right now, we have implemented simplistic logic, where if a request is made to the server for search on a given resource, say Condition, that search will be performed if the application generating the request
has been given the user/Condition.read or user/Condition.* scope. What should happen if the search request attempts to _include Encounters for the Conditions and the requesting application has not been granted the appropriate Encounter scopes? Should the server
reject the request? Should it perform the search but not perform the _include?
</span></div>
<div class="yiv4694916394MsoNormal"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10228"><span style="font-size:11.0pt;" id="yui_3_16_0_ym19_1_1472753670463_10227">Either case of rejecting the request increases implementation complexity on the FHIR Server side.</span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10169"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal" id="yui_3_16_0_ym19_1_1472753670463_10128"><span style="font-size:11.0pt;" id="yui_3_16_0_ym19_1_1472753670463_10127">Also, I saw some discussion in the archive on bulk. I think it makes sense to address this. I could imagine a patient wanting to load a consult note into their FHIR Server. It may be represented as a FHIR
Bundle that contains individual Conditions, MedicationOrders, Observations, etc. Right now, it is unclear to me what the FHIR Server should do with the HEART scopes if someone were to initiate a batch transaction.</span></div>
<div class="yiv4694916394MsoNormal"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal"><span style="font-size:11.0pt;">Thanks,</span></div>
<div class="yiv4694916394MsoNormal"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal"><span style="font-size:11.0pt;">~Andy</span></div>
<div class="yiv4694916394MsoNormal"><span style="font-size:11.0pt;"> </span></div>
<div class="yiv4694916394MsoNormal"><span style="font-size:11.0pt;">PS – We have developed a set of go language tools for implementing HEART profiled OpenID Connect relying parties as well as HEART profiled OAuth 2.0 resource servers here:
<a rel="nofollow" target="_blank" href="https://github.com/mitre/heart">https://github.com/mitre/heart</a>. Feedback is welcome.</span></div>
</div>
</div>
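<div>The three points raised in this thread (the coarse-grained check that a scope such as <code>user/Condition.read</code> grants the interaction on the base resource type, what a server should do when <code>_include</code> or <code>_revinclude</code> would join in a type the scopes do not cover, and how to treat a transaction Bundle) are worked through in the Go example below. It is an added illustration written for this page; it is not code from the HEART profile, the intervention-engine FHIR server, or the mitre/heart tools. Assumptions: scopes follow the <code>context/Type.access</code> grammar used in the message; the <code>includeTargets</code> map is a constructed fragment of the search-parameter definitions a real server would consult; the <code>reject</code> flag chooses between the two behaviours asked about (refuse the whole search, or run it without the unauthorized include); and a transaction Bundle is authorized atomically before any entry executes.</div>

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Scope is one parsed scope of the form context/Type.access, e.g. user/Condition.read.
// The context (user/patient) is kept but compartment restriction is not modelled here (assumption).
type Scope struct{ Context, Resource, Access string } // Resource and Access may be "*"

// ParseScopes splits a space-separated scope string; malformed tokens are dropped.
func ParseScopes(s string) []Scope {
	var out []Scope
	for _, tok := range strings.Fields(s) {
		ctxRes := strings.SplitN(tok, "/", 2)
		resAcc := strings.SplitN(ctxRes[len(ctxRes)-1], ".", 2)
		if len(ctxRes) != 2 || len(resAcc) != 2 {
			continue
		}
		out = append(out, Scope{ctxRes[0], resAcc[0], resAcc[1]})
	}
	return out
}

// Allows is the coarse-grained check: does any scope grant access ("read"/"write") on typ?
func Allows(scopes []Scope, typ, access string) bool {
	for _, sc := range scopes {
		if (sc.Resource == "*" || sc.Resource == typ) && (sc.Access == "*" || sc.Access == access) {
			return true
		}
	}
	return false
}

// includeTargets maps "Type:searchParam" to the type it references. Constructed subset
// (assumption); a real server would derive it from its SearchParameter definitions.
var includeTargets = map[string]string{"Condition:encounter": "Encounter", "Condition:patient": "Patient"}

// includedType returns the resource type one _include/_revinclude value joins in:
// _include=Source:param[:Target] adds the param's target, _revinclude=Source:param adds Source.
func includedType(value string, rev bool) string {
	parts := strings.Split(value, ":")
	switch {
	case rev || len(parts) < 2:
		return parts[0]
	case len(parts) == 3:
		return parts[2]
	}
	return includeTargets[parts[0]+":"+parts[1]]
}

// AuthorizeSearch checks the base search, then every type an _include/_revinclude would add.
// With reject=true an include the scopes do not cover fails the whole request; otherwise that
// include is dropped. It returns the query string the server may actually execute.
func AuthorizeSearch(scopes []Scope, base, rawQuery string, reject bool) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	if !Allows(scopes, base, "read") {
		return "", fmt.Errorf("scope does not permit read on %s", base)
	}
	for _, param := range []string{"_include", "_revinclude"} {
		var kept []string
		for _, v := range q[param] {
			typ := includedType(v, param == "_revinclude")
			if typ != "" && Allows(scopes, typ, "read") {
				kept = append(kept, v)
			} else if reject || typ == "" { // an unknown include is never silently executed
				return "", fmt.Errorf("%s=%s not permitted by scope", param, v)
			}
		}
		q.Del(param)
		if len(kept) > 0 {
			q[param] = kept
		}
	}
	return q.Encode(), nil
}

// BundleEntry is the part of a transaction entry that matters for authorization.
type BundleEntry struct{ Method, ResourceType string }

// AuthorizeTransaction checks every entry before anything executes: a FHIR transaction is
// atomic, so one entry outside the scopes fails the whole bundle. GET reads, the rest write.
func AuthorizeTransaction(scopes []Scope, entries []BundleEntry) error {
	for i, e := range entries {
		access := "write"
		if e.Method == "GET" {
			access = "read"
		}
		if !Allows(scopes, e.ResourceType, access) {
			return fmt.Errorf("entry %d: scope does not permit %s on %s", i, access, e.ResourceType)
		}
	}
	return nil
}

func main() { // constructed consult-note bundle: Observations writable, Conditions read-only
	scopes := ParseScopes("user/Condition.read user/Observation.*")
	fmt.Println(AuthorizeSearch(scopes, "Condition", "_include=Condition:encounter&patient=123", false))
	fmt.Println(AuthorizeTransaction(scopes, []BundleEntry{{"POST", "Observation"}, {"POST", "Condition"}}))
}
```

<div>Under the drop policy the caller executes the rewritten query, so the response Bundle contains only types the scopes cover and the client learns nothing about Encounters it was not granted. Under the reject policy the server should answer with 403 and <code>insufficient_scope</code> (RFC 6750), not 401, because the token itself was valid. The transaction check runs over the whole Bundle first precisely because partial execution of an atomic transaction is not an option.</div>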
</div><br>_______________________________________________<br>Openid-specs-heart mailing list<br><a ymailto="mailto:Openid-specs-heart@lists.openid.net" href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br><br><br></div> </div> </div> </div></div></body></html>