FHIR Chat · What to do when _include/$everything conflicts with scopes? · implementers

Stream: implementers

Topic: What to do when _include/$everything conflicts with scopes?


Daniel Venton (Jan 05 2022 at 15:47):

Looking for thoughts on what your server does.
If the token authorizes patient/Patient.read and patient/Observation scopes only... if the user executes /Immunization then get a 401, easy.
What if the user executes /Patient/$everything?_type=Immunization,Observation
Should the server respond:

  1. 401, you asked for 1+ resource types that you aren't authorized to get
  2. A bundle with the Patient and Observation resources (essentially ignoring the Immunization request)
  • Optionally with an OperationOutcome stating Immunizations were excluded due to lack of authorization

John Moehrke (Jan 05 2022 at 16:15):

any of those are legitimate policy, but it is a policy choice, not a dictate from FHIR -- see http://hl7.org/fhir/security.html#AccessDenied

Michele Mottini (Jan 05 2022 at 16:28):

403 not 401

Paul Church (Jan 05 2022 at 16:43):

The Google implementation does #2.


Last updated: Apr 12 2022 at 19:14 UTC