--
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhir+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Josh
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhir+unsubscribe@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhir+unsubscribe@googlegroups.com.
--
You received this message because you are subscribed to a topic in the Google Groups "SMART on FHIR" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/smart-on-fhir/4Q-jal2uIMA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to smart-on-fhi...@googlegroups.com.
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.
In HEART we mandate both JWT-formatted tokens (with some basic claims and signatures) as well as availability of the token introspection endpoint. We made that choice in HEART to offer flexibility from the RS standpoint. You can parse the token, figure out where it came from, and introspect it to get details as needed. HEART seeks to define compatibility between AS and RS, which as Grahame pointed out, SMART doesn’t — and that’s fine, it’s a difference in scopes between the projects.
— Justin
On Dec 29, 2017, at 12:23 PM, Kevin Mayfield <mayfiel...@gmail.com> wrote:
It was a question. I’m new(ish) to OAuth2 and using terms from one of the authors book (OAuth2 in Action - Justin Richer).From your description I presumed you were talking about client behaviour and I was talking about standard extensions for a (FHIR/OAuth2) resource server to use. When I implemented an OAuth2 previously I followed recommendations to implement a SQL link back to the OAuth2 server to check the access token however a more general approach would be to use a introspection endpoint (https://tools.ietf.org/html/rfc7662). It seems HEART (on FHIR) has gone down this route (http://openid.net/specs/openid-heart-oauth2-1_0-2017-05-31.html#rfc.section.3.2.2)
Sorry if I’m going off on a tangent. I’m trying to understand why SMART does this and why HEART does that
On 29 Dec 2017, at 14:42, Michele Mottini <mi...@careevolution.com> wrote:
Not sure if you are asking me....what I described is the standard open id connect protocol, with the only twist of the profile claim being a FHIR resource URL (that is a SMART-specific variation). It might be possible to do things in a different way, but for security protocols I'd rather stick to the standards as much as possible...- MicheleCareEvolution Inc--
You received this message because you are subscribed to a topic in the Google Groups "SMART on FHIR" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/smart-on-fhir/4Q-jal2uIMA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to smart-on-fhir+unsubscribe@googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhir+unsubscribe@googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhir+unsubscribe@googlegroups.com.
the problem is that from the client's point of view, the aud parameter is used differently between smart and heart, and therefore they are not compatible. I think this is regrettable, but we weren't able to address this when we talked about itGrahame
On Tue, Jan 2, 2018 at 9:26 AM, Justin Richer <jri...@mit.edu> wrote:
In HEART we mandate both JWT-formatted tokens (with some basic claims and signatures) as well as availability of the token introspection endpoint. We made that choice in HEART to offer flexibility from the RS standpoint. You can parse the token, figure out where it came from, and introspect it to get details as needed. HEART seeks to define compatibility between AS and RS, which as Grahame pointed out, SMART doesn’t — and that’s fine, it’s a difference in scopes between the projects.
— Justin
On Dec 29, 2017, at 12:23 PM, Kevin Mayfield <mayfiel...@gmail.com> wrote:
It was a question. I’m new(ish) to OAuth2 and using terms from one of the authors book (OAuth2 in Action - Justin Richer).From your description I presumed you were talking about client behaviour and I was talking about standard extensions for a (FHIR/OAuth2) resource server to use. When I implemented an OAuth2 previously I followed recommendations to implement a SQL link back to the OAuth2 server to check the access token however a more general approach would be to use a introspection endpoint (https://tools.ietf.org/html/rfc7662). It seems HEART (on FHIR) has gone down this route (http://openid.net/specs/openid-heart-oauth2-1_0-2017-05-31.html#rfc.section.3.2.2)
Sorry if I’m going off on a tangent. I’m trying to understand why SMART does this and why HEART does that
On 29 Dec 2017, at 14:42, Michele Mottini <mi...@careevolution.com> wrote:
Not sure if you are asking me....what I described is the standard open id connect protocol, with the only twist of the profile claim being a FHIR resource URL (that is a SMART-specific variation). It might be possible to do things in a different way, but for security protocols I'd rather stick to the standards as much as possible...- MicheleCareEvolution Inc--
You received this message because you are subscribed to a topic in the Google Groups "SMART on FHIR" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/smart-on-fhir/4Q-jal2uIMA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to smart-on-fhi...@googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hi AdrianI’m not familiar with the details of the blue button api security - but I think I heard they are not using smart on fhir? Also, of course, they have different content to an EHR
On the subject of epic vs cerner, we have not settled the question of an end-point registry. There’s work around an end-pointregistry api, but that’s the same as an actual end point directory. There’s some discussions happening, but not a lot of action at this point. Some of the discussions involve the FHIR foundation hosting the directory - which seems possible, but it’s not the same as making it work - the impetus has to come from somewhere though
This is hardly the only technical difference between the profiles, and regardless, this difference would not prohibit SMART from mandating support for introspection, even with its own profile. The real difference here is that HEART explicitly defines compatibility for the AS<->RS relationship, where as SMART explicitly leaves that undefined.
— Justin
This is hardly the only technical difference between the profiles, and regardless, this difference would not prohibit SMART from mandating support for introspection, even with its own profile. The real difference here is that HEART explicitly defines compatibility for the AS<->RS relationship, where as SMART explicitly leaves that undefined.
— Justin