blue-button / blue-button-plus-pull

Spec for BlueButton+ Pull
http://blue-button.github.io/blue-button-plus-pull/

HTML cleanup and scope discussion #18

Closed jricher closed 11 years ago

jmandel commented 11 years ago

Thanks Justin! Two quick questions:

Only one patient record per token?

Access to multiple different patient records is represented by multiple scopes, such as single-patient:12413 single-patient:143132.

Based on our conversations with Keith, I thought we wanted to explicitly limit a given token's scope to one single patient. But I may have misunderstood or over-assumed. (If we do allow >1 single-patient scope on a single token, then we'd need parameterized endpoint URLs like /patients/:patientPseudonym/summary -- which adds still more complexity to the discovery process.)

Updated examples?

Can you update the example authorization responses to include a structured scope (rather than just root) for single-patient?

jricher commented 11 years ago

I want to leave in the multiple-case explicitly right now because someone's going to ask, and if you want to add in a discussion note, please do. In my opinion, if you want to handle multiple-patient querying, you should have a parameter or URL part for that anyway (like hData defines).

I think the examples should keep the root since the case of "authorized user" should be the common case. If anything, you could add an additional example that explicitly calls out the on-behalf-of-another-user case. Let's keep the core examples simple without precluding the advanced use cases.

jricher commented 11 years ago

Specifically, we don't want people to bake access to multiple patient records into a single scope, or define some kind of "single-patient:*" scope at their service. Whether or not you can tie a single token to multiple of these scopes is another question.

jmandel commented 11 years ago

So in your example:

{
  "access_token": "i8hweunweunweofiwweoijewiwe",
  "token_type": "bearer",
  "expires_in": "3600",
  "scope": "single-patient http://siframework.org/ABBI/endpoint/summary"
} 

single-patient actually means single-patient:me?

jmandel commented 11 years ago

> In my opinion, if you want to handle multiple-patient querying, you should have a parameter or URL part for that anyway (like hData defines).

Yes, but do we want to handle this? (I thought not.) But I'm happy either way as long as we're explicit about how it works.

jricher commented 11 years ago

Correct, single-patient means single-patient:me due to the following text:

> When used in steps 5-7 without a parameter value as 'single-patient', this scope stands in for the record representing the end-user who authorized the token.

jricher commented 11 years ago

If you want, remove or demarcate the text about multiple patient scopes as a discussion item in the text.

jmandel commented 11 years ago

Added language to describe the "1 patient record per token" restriction.
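
The scope rules the thread settles on, sketched as a resource-server check. This is an added example, not code from the thread or from the BlueButton+ spec: `resolve_patient_scope`, `ScopeError` and `is_rejected` are hypothetical names, and the value after `single-patient:` is assumed to be an opaque record identifier.

```python
PREFIX = "single-patient"  # scope name from the thread


class ScopeError(ValueError):
    """Raised when a scope string breaks the one-record-per-token rule."""


def resolve_patient_scope(scope, authorizing_user):
    """Split a space-delimited scope string into (patient_record, other_scopes).

    patient_record is None when no single-patient scope is present.
    """
    patient_scopes, others = [], []
    for value in scope.split():
        if value == PREFIX or value.startswith(PREFIX + ":"):
            patient_scopes.append(value)
        else:
            others.append(value)

    if len(patient_scopes) > 1:
        raise ScopeError("a token may carry only one single-patient scope")
    if not patient_scopes:
        return None, others

    _, sep, param = patient_scopes[0].partition(":")
    if not sep:
        # Bare form: the record of the end-user who authorized the token.
        return authorizing_user, others
    if not param or "*" in param:
        raise ScopeError("single-patient needs one concrete record identifier")
    return param, others


def is_rejected(scope, authorizing_user="alice"):
    """True when the scope string violates the restriction (hypothetical helper)."""
    try:
        resolve_patient_scope(scope, authorizing_user)
    except ScopeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs; the scope strings are the ones quoted in the thread.
    print(resolve_patient_scope(
        "single-patient http://siframework.org/ABBI/endpoint/summary", "alice"))
    print(is_rejected("single-patient:12413 single-patient:143132"))
    print(is_rejected("single-patient:*"))
```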