Stream: implementers
Topic: SMART scopes for contained resources
Ken Sinn (Oct 03 2018 at 14:05):
The SMART on FHIR documentation on scopes is clear when defining scopes for standalone resources, where references are separately retrieved. Do the OAuth2 scopes have to account for contained resources? For example, if a MedicationDispense is retrieved with contained resources, does the scope also have to include those resources? Also, does a scope limited to "Observation.read" prevent a user from using Observation?_include=Observation:patient?
Christiaan Knaap (Oct 03 2018 at 15:11):
_include=Observation:patient requires the user to also have the scope Patient.read.
Not sure on the theory on Contained resources. I think Vonk will apply the same rules (need a scope for the type of resource that is contained).
Ken Sinn (Oct 12 2018 at 13:54):
I cross-posted the question to the SMART on FHIR Google Groups, and it sounds like things still need discussion. Requiring explicit scope permissions for contained resources would be more cumbersome for implementers, having to know and enumerate all contained resources ahead of time.
https://groups.google.com/forum/#!topic/smart-on-fhir/rheeDUiOVRs
Last updated: Apr 12 2022 at 19:14 UTC