Stream: smart
Topic: Consent flow with patient picker
Sagar Shah (Mar 10 2021 at 13:28):
Hello everyone, I am looking at general recommendations on consent flow with patient picker
- Should we (or are we required to) display the consent page on every patient's login along with the patient picker (if the client has the launch/patient scope)?
- Should we be deregistering the previously given consents (and tokens) given by the user during login for registering the new consent?
Any thoughts/suggestions?
Josh Mandel (Mar 10 2021 at 14:54):
I think you're talking about a scenario where a given application is sending the user back to the authorization endpoint to reinitiate authorization of that specific app?
Josh Mandel (Mar 10 2021 at 14:56):
It's helpful to think about the reasons why a given app might be doing this. One reason is that the app wants offline access but hasn't been granted offline access; another reason is the app wants access to a different patient record in addition to the ones that it is already authorized to see; another reason is the app wants access with more scopes, for example to include access to resources that it did not originally ask for in a progressive authorization scenario.
Josh Mandel (Mar 10 2021 at 14:56):
It's good to think about how to make your authorization server work well across these cases, and to brainstorm about where there might be additional reasons why an app is sending a user back to the authorization endpoint.
Michele Mottini (Mar 10 2021 at 15:43):
(1) yes - how could you do differently?
(2) no. App can have good reason to ask multiple times (typically they want all dependents)
Sagar Shah (Mar 10 2021 at 16:06):
Thanks for the feedback. That does help. @Michele Mottini to your point #1 - I was checking more from a user experience angle: if he gave consent to the app (maybe partial or maybe all scopes), then on the next auth login, do we need to ask for consent again or can we auto-approve based on the previous request, and so on?
Michele Mottini (Mar 10 2021 at 16:16):
Like checking if you already issued a token for the same user and the same app? Don't think it is worth it - and you'll have to ask in any case if there is a patient picker
Sagar Shah (Mar 10 2021 at 17:03):
Yes, @Michele Mottini ! Correct, I think with a patient picker it may be required anyway. I was thinking of the other (non-SMART) apps, which ask for consent the first time and then remember it using the authz server and do not ask for consent on subsequent logins (even when on other devices)
Last updated: Apr 12 2022 at 19:14 UTC