Stream: inferno
Topic: Standalone Patient App - Full versus Limited Patient Access
Abel Enthoven (Aug 26 2020 at 07:46):
Inferno seems to force the use of the same connection settings for the Full Access Patient App and the Limited Access Patient App test procedures. After running the first procedure, the settings for the second procedure cannot be edited. If I use a lenient OAuth client definition (allowing all used resource scopes) the first procedure succeeds, but the second fails. If I use a restricted client definition (allowing only Patient, Condition and Observation) the first procedure fails and the second succeeds. So somehow I would have expected to be able to use a different set of connection settings for each procedure. Is this a valid expectation or am I doing this all wrong?
Abel Enthoven (Aug 31 2020 at 13:20):
(deleted)
Robert Scanlon (Aug 31 2020 at 16:45):
@Abel Enthoven This is intentional. We are testing the ability of the authorization system to give the patient (not the app) the ability to grant/deny access to specific resource types. The idea is that the app is always requesting full resource access, and the patient intervenes (during the authorization process) and limits access to a subset of those resources that were specified at the beginning of the test (which defaults to Patient, Condition and Observation). We know which scopes are granted (vs requested) because it is provided when the code is exchanged for the token.
Abel Enthoven (Sep 01 2020 at 06:59):
Thank you for the explanation @Robert Scanlon. We will build some UI into our test environment to make it happen.
Last updated: Apr 12 2022 at 19:14 UTC