Stream: implementers
Topic: opinion requested, securing requests to /Resource/{rid}
Neophytos Iacovou (Feb 16 2021 at 23:56):
Hello
In the set of IGs for "Patient Access API" one can GET /Resource/{rid} even though there is no ?patient= query parameter allowed. Are people checking the patientID within the resource data against the patientID in the access token before returning the Resource?
Michele Mottini (Feb 16 2021 at 23:59):
Yes
Josh Mandel (Feb 17 2021 at 00:32):
I think the right way to say it is that any API call is associated with some authorization context, and a server must take this context into account when responding.
Josh Mandel (Feb 17 2021 at 00:33):
You might have cases where you expect to provide access only to resources about a specific patient; but often there is some set of related resources that you are also willing to expose, even though they don't specifically mention that patient (for example, a Location associated with an encounter for a given patient).
Neophytos Iacovou (Feb 17 2021 at 01:48):
Thanks for reinforcing my thoughts.
Last updated: Apr 12 2022 at 19:14 UTC