Ballot#155 Joshua Mandel, Boston Children's Hospital | @https://github.com/smart-on-fhir/smart-on-fhir.github.io/issues/147 | From: we encourage EH... #152
Labels
Comments
Closed
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Ballot Weight
A-S
Where
:: http://www.hl7.org/fhir/smart-app-launch/
What
Joshua Mandel, Boston Children's Hospital
@smart-on-fhir/smart-on-fhir.github.io#147
From: we encourage EHR implementers to consider the OAuth 2.0 Dynamic Client Registration Protocol for an out-of-the-box solution.
To: Similarly, we encourage EHR implementers to consider the Oauth 2.0 Token Introspection Protocol for a solution to examining the validity and meaning of tokens.
Comment: The SMART spec recommends (but doesn't require) that servers support dynamic registration, and includes a �register� discovery URL in the discovery protocol. Similarly, we should include an �introspect� discovery URL in the discovery protocol and recommend that EHRs support Oauth 2.0 Token Introspection. This enables a broad array of use cases where downstream parties want to understand the validity of a current token. For a major public implementation of this concept, see Google's https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint
Josh's Triage Notes
Theme: "Token Introspection"
Recommend that EHRs support OAuth 2.0 Token Introspection, but do not require it. Similar to our treatment of Dynamic Registration.
Disposition
Include a reference to Token Introspection in the specification, describing it as an optional feature that EHRs may want to consider (similar to how we describe dynamic registration) Include an OAuth discovery URI called "introspection" that a client can use to learn a server's introspection URL, if any.
Vote Details
Pro-Con-Abstain: 7-0-0
Date: 2017-10-26
The text was updated successfully, but these errors were encountered: