Stream: implementers
Topic: Smart On FHIR contexts
Dimitar Dimitrov (Nov 27 2019 at 14:58):
Hello everyone.
When we talk about the SMART on FHIR specification, I am wondering whether we can use a token scope different from 'patient' or 'user'. For example, when we need to authorize access to practitioner data, we can use an OAuth2 scope such as "practitioner/*.read". In this case the scenario should work just as with the patient scope. What do you think, is this relevant or not?
John Moehrke (Nov 27 2019 at 15:01):
There is interest in further development of SMART, so these would be good use cases to bring forward. As it is, what you are proposing is simply not within or forbidden.
Yunwei Wang (Nov 27 2019 at 15:23):
The Bulk Data IG defined a 'system/read|write' scope.
Grahame Grieve (Nov 27 2019 at 15:48):
This should probably be on #smart, but for me, you'd have to justify why practitioner/* is different from user/* when this is how pretty much everyone uses it: the user is a practitioner.
John Moehrke (Nov 27 2019 at 16:04):
I was thinking that user/ should work... but also want to see discussion
Tom de Jong (Dec 08 2020 at 06:43):
When implementing OAuth according to Smart on FHIR guidelines, is it customary (or even mandatory) to follow RFC 6750 for HTTP responses?
Josh Mandel (Dec 08 2020 at 23:14):
SMART does use bearer tokens, but not all of RFC 6750 is relevant (e.g., we never put access tokens in a query parameter, and we don't mandate WWW-Authenticate headers). Are there specific details from RFC 6750 you're wondering about? (#smart is the best place for this kind of discussion.)
Last updated: Apr 12 2022 at 19:14 UTC