FHIR Chat · Specs drift · smart

Stream: smart

Topic: Specs drift


Michele Mottini (Apr 04 2022 at 15:58):

Something I noticed recently working on payer connections: launch/patient is not used / understood - servers return 'patient' regardless, and clients expect to see 'patient' even when not specifying launch/patient

Michele Mottini (Apr 04 2022 at 15:59):

offline_access seems to be in a similar situation

Michele Mottini (Apr 04 2022 at 16:00):

OAuth endpoint discovery is not very well known either

Josh Mandel (Apr 04 2022 at 16:57):

servers return 'patient' regardless, clients expect to see 'patient' even when not specifying launch/patient

This is allowed behavior, if the server only/always supports in-patient-context launches.

Josh Mandel (Apr 04 2022 at 16:58):

offline_access

Servers need to support requests for long-term access; it's not OK to ignore the request, and I wouldn't imagine servers would want to force apps into getting long-term access tokens. But ultimately what would/should we say in the SMART spec?

Josh Mandel (Apr 04 2022 at 16:59):

Michele Mottini: OAuth endpoint discovery is not very well known either

You mean servers aren't supporting discovery? That should fail any conformance testing.

Cooper Thompson (Apr 04 2022 at 17:19):

For offline_access, is the behavior you are seeing that the refresh token is issued based on client registration settings rather than run-time scopes?

Cooper Thompson (Apr 04 2022 at 17:22):

And for endpoint discovery, if Michele is saying that clients don't know they can do auto discovery, we see that a lot too - where app developers are manually registering URLs instead of auto-discovering them. However, we actually recommend this in some cases, as the URL registration can be an important step in establishing trust if the app is relying on the launching server to provide user identity.

Michele Mottini (Apr 04 2022 at 18:03):

I saw both: a server accepting offline_access and then not giving you a refresh token, and a server rejecting offline_access and then giving you a refresh token

Michele Mottini (Apr 04 2022 at 18:03):

clients expect to see 'patient' even when not specifying launch/patient

^ this is not allowed behavior, is it?

Michele Mottini (Apr 04 2022 at 18:06):

Yes, clients not knowing they can do auto discovery, but also servers giving you wrong (or no) OAuth URLs, or /metadata requiring authentication, so you cannot even attempt discovery


Last updated: Apr 12 2022 at 19:14 UTC