FHIR Chat · Scopes for export · bulk data

Stream: bulk data

Topic: Scopes for export

view this post on Zulip Vladimir Ignatov (May 20 2021 at 19:08):

The default scope for bulk data export is system/*.read. However, some servers currently support (or even require) system/*.*. I may be wrong but for me * at the end implies write access and the bulk data clients should operate in read-only mode.

My question is related to testing. I wonder if the following would be a correct way to classify server behavior:

  1. The server requires system/*.* or other scopes like system/Patient.* -> ERROR
  2. The server allows system/*.* or other scopes like system/Patient.*, but also supports system/*.read -> WARNING
  3. The server rejects any scope not ending in .read -> CORRECT

Perhaps another version of the same question - even though Backend Services do allow write and * in system scopes, should we be more explicit in the bulk export use case?

view this post on Zulip Josh Mandel (May 20 2021 at 19:28):

In general, an OAuth request is a negotiation; a client can ask for system/*.* and the server could decide to grant system/*.read. I think from an interop perspective, we should make sure that servers don't prevent requests like system/*.read, and don't prevent requests like system/Patient.read system/Observation.read. But if they want to accept (and even grant) broader permissions that's OK.

view this post on Zulip Vladimir Ignatov (May 20 2021 at 19:51):

OK, makes sense. Then would this be correct:

  1. The server requires system/*.* -> OK if read access is granted
  2. The server allows system/. or other scopes like system/Patient., but also supports system/.read -> OK
  3. The server rejects any scope not ending in .read -> no need to test this (but is acceptable behavior)

view this post on Zulip Josh Mandel (May 21 2021 at 00:07):

The server requires system/. -> OK if read access is granted

No, I think this breaks a client asking for system/Patient.read system/Observation.read or system/*.read. Servers should support these read requests, even if they also support write requests.

view this post on Zulip Josh Mandel (May 21 2021 at 00:07):

I agree with (2) and (3)

view this post on Zulip Vladimir Ignatov (May 21 2021 at 01:04):

Yes, I test for .read separately and I expect that to be supported. What I meant is that if I request system/a.*, it is OK to receive any of system/a.read, system/a.*, system/*.read, system/*.* because that should mean i got the read access that I need.

view this post on Zulip Josh Mandel (May 21 2021 at 01:05):

Perfect

view this post on Zulip Vladimir Ignatov (May 21 2021 at 01:52):

:+1: Thanks

Last updated: Apr 12 2022 at 19:14 UTC


An HL7 Website -