hl7dk / dk-smart

Danish Implementation Guide for SMART App Launch
https://build.fhir.org/ig/hl7dk/dk-smart/branches/master/index.html
Creative Commons Zero v1.0 Universal

Best practices from FAPI #3

Open jkiddo opened 5 months ago

jkiddo commented 5 months ago

Consider which constraints/best practices should be incorporated from e.g. https://oauth.net/fapi/ and see if we can hit common ground.

jkiddo commented 5 months ago

Add to that: https://chat.fhir.org/#narrow/stream/179226-norway/topic/recommended.20use.20of.20SMART.20or.20FAPI

jkiddo commented 2 months ago

@christiangasser-lakeside have you had any time to give this a jab?

jkiddo commented 1 month ago

@christiangasser-lakeside ping?

christiangasser-lakeside commented 1 month ago

We are already discouraging the use of shared keys for client authentication in DK-Smart, but otherwise I wouldn't be cherry-picking from the FAPI specifications. One of the key strengths of the FAPI profile is IMHO its formal security proof, which you don't get by only incorporating parts of the spec. However, we could suggest in dk-smart that one might consider using the FAPI 2.0 security profile (which is to be finalized in Q4 2024) together with DK-Smart for deployments with high security requirements.