FHIR Chat · Required Scopes for Client · smart

Stream: smart

Topic: Required Scopes for Client


Jason Vogt (Dec 21 2021 at 21:04):

In the scenario where a Client has access to request 4 scopes (patient/Medication.read, patient/Patient.read, patient/Condition.read, patient/Observation.read) and the patient has the ability, per the ruling, to select which scopes they want to authorize access to, if the client requires access to Medication and Patient in order to function, is there any mechanism via the SMART Framework for the client to inform the server that patient/Medication.read and patient/Patient.read must be authorized in order to function? We want to avoid a scenario where the patient doesn't grant access to enough scopes and then the App cannot function and makes them authorize again until the minimum needed has been reached. We also do not want to have to individually set up each client at each instance and define required vs. optional scopes. Any guidance would be greatly appreciated.

Josh Mandel (Dec 21 2021 at 21:37):

There is no mechanism to say that certain scopes cannot be omitted. The best approach is to inform the user ahead of time and to gracefully degrade if fewer scopes are granted.

Isaac Vetter (Dec 28 2021 at 19:12):

Hey Jason, in addition to what Josh said, I've experienced this flow on Android, for example. Following insufficient authorization, the app tells the user that it can't operate without additional scopes, and offers the user a link to re-authorize. I think that feels entirely appropriate. The patient is fully informed and has the choice of using the app or not. There are definitely times when further degradation isn't possible and the app simply can't work.

Jason Vogt (Jan 05 2022 at 21:13):

Thanks guys!


Last updated: Apr 12 2022 at 19:14 UTC