FHIR Chat · fhircast-docs / Issue #27 Callback URL Verification · fhircast-github


Github Notifications (FHIRcast) (May 07 2019 at 03:02):

isaacvetter edited a comment on Issue #27

Hey @RazStorm

> There still remains the risk that the Subscriber and the System specified in the callback are not one and the same.

Definitely. I think this is very likely to be different machines, but even (to your point) to also be entirely different systems. It's an important use-case.

> If we make this the responsibility of the Subscriber

:+1:

> (i.e. Callback is assumed to have the exact same access rights / is the Subscriber)

Perhaps more explicitly, callback authorization is the responsibility of the subscriber, not the hub.

I think that this makes sense to call out in the spec. I just created PR #30 adding this text:

> Within FHIRcast, the client that creates a subscription and the server that hosts the callback url are the same entity. If these roles are split, the Hub assumes that the same authorization and access rights apply to both systems.

> this is not a problem. -> I.e. verification can be removed.

This leaves us incompatible with WebSub. Is that a big deal?


Last updated: Apr 12 2022 at 19:14 UTC