Stream: implementers
Topic: OAuth2 Scope support for profile granularity
Ken Sinn (Nov 28 2018 at 16:21):
Hi everyone,
Wondering if there's a way to constrain the scope on an OAuth2 token to a specific profile of a resource.
Consider a server of Observations, which include both blood/lab work as well as mental health assessments - these are distinguished by their conformance profiles.
The patient wants to only issue authorization for an app to access his blood/lab work Observations, but not his mental health assessment Observations.
Profile seems to be an ideal way to distinguish these -- e.g. in a FHIR search, the _profile argument would be used to distinguish between the two.
Is there something similar in scope definitions for SMART on FHIR? (or maybe even the HEART Profile for OAuth2?)
Thanks!
(Cross-posted to SMART on FHIR google group: https://groups.google.com/forum/#!topic/smart-on-fhir/VYTfxbP8U-M)
Michele Mottini (Nov 28 2018 at 16:35):
So the clients would have to issue different searches? That does not seem nice.
Michele Mottini (Nov 28 2018 at 16:48):
...also: are apps the right focus? We do have that feature in our system, but it is user-based - i.e. sensitive data like mental health or drug use can be seen only by specific users - regardless of how they access the data (via an app or directly in our internal UI etc.)
Ken Sinn (Nov 28 2018 at 20:38):
Consider a widget/applet/viewlet whose function is to retrieve and display bloodwork and other lab Observations from a server, as part of another GUI/Portal Page. As a patient, you're authorizing the widget to access the repository on your behalf, to retrieve only the Observations that conform to the bloodwork FHIR profile (so scope=patient/Observation.read), but you don't want to give it access to read any more than that, for whatever privacy reasons. No diagnostic imaging reports, no mental health, just for personal privacy practices.
Is there native support for something like that to be defined in the scope element of an OAuth request/access token? Or something that's been profiled as part of SMART on FHIR or HEART?
Grahame Grieve (Nov 29 2018 at 09:01):
For casual readers: from the SMART email list, this is a future todo.
Last updated: Apr 12 2022 at 19:14 UTC