FHIR Chat · 'patient' scope without any 'launch' scope · smart

Stream: smart

Topic: 'patient' scope without any 'launch' scope

Robert Smayda (Nov 27 2020 at 20:22):

I have been wondering if there is a valid use-case for any of these scope combinations:

1. scope only have patient (ie: scope = 'patient/Patient.read')

   • Problem I see here is no context to evaluate this access_token with

2. scope only have launch (ie: scope = 'launch' or scope = 'launch/patient')

   • Problem I see here is no permissions to do an actual operations

3. user scopes with a launch scope (ie: scope = 'launch/patient user/Patient.read'

   • Problem I see here is the user scope does not rely on context nor would it restrict access to just the patient in context

Isaac Vetter (Nov 30 2020 at 18:23):

Hey Robert, at least for 2 and 3, I've seen:

2. Sometimes launching an app and communicating the user's identity is itself valuable, even without any other APIs in use.
3. But many health it apps are designed to operate on a single patient's record at a time; therefore, the app needs to build a "patient picker" -- a UI to allow the user to select which patient is in context. In theory, the launch scope pushes this UI element / functionality onto the authorization server from the app.

Jenni Syed (Nov 30 2020 at 19:08):

I will add to Isaac's use cases - we have several apps that just use the openid/fhirUser and no actual FHIR resources (the info in the id token is enough for their app to do what is needed), or that use that + user/Provider.read (to get more detailed info about the user)

Last updated: Apr 12 2022 at 19:14 UTC