IHE / IT-Infrastructure

Online repository for information assets supporting the profiles (implementation specifications) in the IHE IT Infrastructure Technical Framework.
Creative Commons Attribution 4.0 International

IUA scope role values should be aligned with SMART #109

Closed lcmaas closed 3 years ago

lcmaas commented 4 years ago

3.71.6.3 IUA: "the role value SHOULD be patient if the current user is a patient, or user for healthcare professionals."

Introducing scope definitions that conflict with SMART will cause confusion and should be avoided. In SMART, patient means the scope is limited to a single patient's record and user means the scope is limited to records accessible by that user. The user type (patient, healthcare professional) does not limit which SMART scope can be requested. The first example is also slightly discordant with SMART as the AS determines the patient context and it might not always be the user (e.g. mother/child).

The reference in this section is also to the HEART profile for FHIR OAuth 2.0 scopes, but the scopes that are listed are actually from SMART.
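An added example (not the project's or the issue's own code) that illustrates the SMART distinction described above: a `patient/` scope is bound to the patient context the authorization server placed in the token, which need not be the user (the mother/child case), while a `user/` scope is bound to whatever the user may already access. The function names, the `user_accessible` lookup and the sample ids are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# SMART v1 scope grammar: (patient|user)/<ResourceType or *>.(read|write|*)
SCOPE_RE = re.compile(r"^(patient|user)/([A-Za-z]+|\*)\.(read|write|\*)$")


@dataclass(frozen=True)
class Scope:
    context: str   # "patient" or "user"
    resource: str  # FHIR resource type or "*"
    access: str    # "read", "write" or "*"


def parse_scopes(scope_param: str) -> List[Scope]:
    """Parse a space-separated scope string; tokens that are not
    SMART resource scopes (e.g. launch/patient) are skipped."""
    scopes = []
    for token in scope_param.split():
        m = SCOPE_RE.match(token)
        if m:
            scopes.append(Scope(*m.groups()))
    return scopes


def is_allowed(scope_param: str, token_patient: Optional[str],
               user_accessible: Set[str], resource_type: str,
               resource_subject: str, action: str) -> bool:
    """Decide whether one FHIR request is authorised by the token.
    token_patient: patient context chosen by the authorization server
    (may differ from the user, e.g. a mother acting for her child).
    user_accessible: patient ids the user's own permissions cover
    (hypothetical lookup result, constructed for this example)."""
    for s in parse_scopes(scope_param):
        if s.resource not in ("*", resource_type):
            continue
        if s.access not in ("*", action):
            continue
        if s.context == "patient":
            # bound to the single patient in the token context, not to who the user is
            if token_patient is not None and resource_subject == token_patient:
                return True
        elif s.context == "user":
            # bound to the records the user may already access
            if resource_subject in user_accessible:
                return True
    return False
```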

msmock commented 4 years ago

I took the examples from Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes available from https://openid.net/specs/openid-heart-fhir-oauth2-1_0-2017-05-31.html.

We should discuss this in the next IUA call on Thursday, October 1, if possible.

joostreuzel commented 4 years ago

My recommendation would be not to link the IUA specification to FHIR, but to stick to the OAuth/RFC series of specifications. The reason being that the IUA specification should also work in combination with other base standards such as DICOMweb.

As an alternative we could consider the use of IHE transaction ids (and options) as scope names. These indicate in detail which API operations and methods are allowed in a protocol agnostic way. In case the transaction is based on FHIR, the scope list may be expanded with the HEART/Smart scopes relevant for that transaction.

msmock commented 4 years ago

We discussed the questions in yesterday's bi-weekly IUA meeting. To keep IUA neutral we decided to remove any reference to scope schemes or values. Thus I'll adapt the section on the scope parameter to focus on the usage of the scope and to point to transaction or environment specifications for the values to choose.

JohnMoehrke commented 4 years ago

I am not clear what our conclusion was on the purposeOfUse scope usage currently in the text. Wasn't that considered universally needed?

This discussion did also include providing the additional scope specification for MHD and possibly PDQm, PIXm, and PMIR. We need to come up with that text. I would recommend that text. I need this community, who understand OAuth better than I do, to provide these blocks of text that would be added to the other profiles "when grouped with IUA..."

msmock commented 4 years ago

No. We agreed not to use scope examples in the text, just to add a general explanation of how the scopes may be used and that they in general will depend on the resource server and the profile it supports.


JohnMoehrke commented 4 years ago

Do we agree that MHD should define the scopes to be used when grouped with IUA? If so, what is the text that MHD should include in the MHD profile?

joostreuzel commented 4 years ago

@msmock In the latest changes committed through #112 some of the references to Heart scopes have already been removed. You may want to review that after enjoying your holidays.

JohnMoehrke commented 4 years ago

Is this issue resolved with #112 and others?

JohnMoehrke commented 4 years ago

IUA does not mention scopes at all, so it is not in conflict with SMART. The IUA supplement does include the MHD scope definition. This definition today does not use the SMART pattern, but is not forbidding SMART scopes either. So move the discussion of SMART scopes to the MHD open issue. There is concern that the SMART scopes are too reliant on the SMART context (which is outside OAuth control). @john to write up an open issue for public comment.