Stream: smart
Topic: revoke vs manage
Jenni Syed (Apr 10 2020 at 15:14):
In the SMART standard, it calls out both a revoke and a manage endpoint: http://www.hl7.org/fhir/smart-app-launch/conformance/index.html#declaring-support-for-oauth2-endpoints
Jenni Syed (Apr 10 2020 at 15:15):
Neither one says much else beyond what is in that table. What is the intended difference? Is there any guidance on how revoke is supposed to work? (manage was something we have implemented previously)
Josh Mandel (Apr 10 2020 at 15:16):
The intention is that management is a URL that users can be sent to to view and update information about which apps have access to their data.
Josh Mandel (Apr 10 2020 at 15:16):
On the other hand, revocation is an API that an app can call to revoke its own access tokens.
Jenni Syed (Apr 10 2020 at 15:16):
Is the intention that someone would follow the revocation rfc?
Jenni Syed (Apr 10 2020 at 15:17):
https://tools.ietf.org/html/rfc7009 ?
Josh Mandel (Apr 10 2020 at 15:17):
https://tools.ietf.org/html/rfc7009 it is the only standardized approach I know on this.
Jenni Syed (Apr 10 2020 at 15:17):
haha. ok - thanks :)
Josh Mandel (Apr 10 2020 at 15:17):
I haven't spent a lot of time thinking about it because it leaves a lot of decisions in the app's control, and I don't think developers are likely to do this for the most part.
Jenni Syed (Apr 10 2020 at 15:18):
We're trying to understand if the ONC just regulated it :)
Isaac Vetter (Apr 10 2020 at 16:45):
I don't think that the ONC regulated anything other than authorize, token and introspect. Jenni, do you disagree? :head_bandage:
John Moehrke (Apr 10 2020 at 16:48):
you need to wave your hands when you say that.... :shrug:
Jenni Syed (Apr 10 2020 at 17:17):
@Isaac Vetter I am trying to confirm in the language, I know they at least require the patient to be able to revoke it. Trying to confirm the "how" guidance. May just be manage.
Jenni Syed (Apr 10 2020 at 17:18):
But while we were researching, we found the revoke vs manage question :)
Isaac Vetter (Apr 10 2020 at 17:50):
just fyi - my interpretation is that the UI to revoke must exist, and while it could make sense to publish, for example, a url to the PHR where this could be accomplished, supporting the SMART revoke extension is not mandated.
Robert Scanlon (Apr 13 2020 at 16:54):
The Test Method Preview gets into more details here, though my understanding is that the test procedure can be updated so you shouldn't use it as a primary source of requirements. See https://www.healthit.gov/topic/certification-ehrs/onc-health-it-certification-program-test-method-2020-preview
Robert Scanlon (Apr 13 2020 at 17:00):
Specifically, authorize and token are checked in the CapabilityStatement, and authorize, token and capabilities are checked in the well-known endpoint. This reflects which fields are required in the SMART App Launch spec.
Jenni Syed (Apr 13 2020 at 22:03):
Funny enough, it didn't look like the manage or revoke were ever advertised in capabilities. Again, unless I'm missing that.
Last updated: Apr 12 2022 at 19:14 UTC