
Tiered OAuth scope requirements


Joseph Shook

Jul 3, 2024, 1:34:30 PM
to UDAP
Recently I updated my RI to specifically enforce two rules in the Tiered OAuth Flow that I previously was missing.

  1. In section 6.1 there is a sentence as follows:
The meaning of the extension parameter idp is undefined if udap is absent from the list of requested scopes. The IdP’s base URL is the URL listed in the iss claim of ID tokens issued by the IdP as detailed in Section 2 of the OpenID Connect Core 1.0 specification (OIDC Core).
I now respect this rule in my server.

  2. In section 6.2 there is a sentence as follows:
The scope query parameter of the authentication request SHALL contain at least the following two values: openid and udap.
I also now require these two scopes during the /authorize? call at my UDAP enabled IdP.

With this in place, I see that calls to my IdP from the HealthtoGo data holder are missing the "udap" scope.

Let me know if there are plans to fix before the CMS connect-a-thon.

Thanks,
Joe
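The two rules quoted above, as an added example of how an IdP's /authorize endpoint could enforce them (this is illustrative code written for this thread, not Joe's RI or any UDAP reference implementation; the request parameters are assumed to arrive as a plain dict, and the error string and the `TieredOAuthCheck` result type are my own naming):

```python
"""Scope checks for a UDAP Tiered OAuth /authorize request.

Added example, not code from the original thread or from any UDAP
reference implementation. Only the two rules quoted in the post are
checked: section 6.1 (the "idp" extension parameter is undefined unless
"udap" is among the requested scopes) and section 6.2 (the scope
parameter SHALL contain at least "openid" and "udap").
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

REQUIRED_SCOPES = {"openid", "udap"}


@dataclass
class TieredOAuthCheck:
    ok: bool
    missing_scopes: set = field(default_factory=set)
    # IdP base URL from the "idp" parameter; None when absent or when
    # "udap" was not requested (section 6.1 makes it undefined then).
    idp: Optional[str] = None
    error: Optional[str] = None  # assumed error text, OAuth-style "invalid_scope"


def check_tiered_oauth_request(params: dict) -> TieredOAuthCheck:
    """Apply the section 6.1 / 6.2 rules to the /authorize query parameters."""
    scopes = set(params.get("scope", "").split())
    missing = REQUIRED_SCOPES - scopes
    idp = params.get("idp")

    # Section 6.1: without "udap" in the requested scopes, "idp" has no
    # defined meaning, so the server ignores it rather than redirecting.
    if "udap" not in scopes:
        idp = None

    # Section 6.2: both "openid" and "udap" SHALL be present for Tiered OAuth.
    if missing:
        msg = "invalid_scope: missing " + ", ".join(sorted(missing))
        return TieredOAuthCheck(False, missing, idp, msg)
    return TieredOAuthCheck(True, set(), idp)


def check_authorize_url(url: str) -> TieredOAuthCheck:
    """Convenience wrapper: parse the query string of a full /authorize URL."""
    qs = parse_qs(urlsplit(url).query)
    return check_tiered_oauth_request({k: v[0] for k, v in qs.items()})
```

A data holder that requests only `openid` (the case described in the post) gets `invalid_scope: missing udap` back from this check, and its `idp` parameter is dropped.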

Joseph Shook

Jul 3, 2024, 1:37:02 PM
to UDAP
To be clear, it is only item number 2 that is blocking between HealthtoGo and my IdP.

I just wanted to point out that I have enforced number 1 and 2.

Julie Maas

Jul 11, 2024, 12:06:01 PM
to UDAP
Hi Joe,
Thanks for letting us know. An update to the EMR Direct HealthToGo connectathon server is pending and should be live before the connectathon.

Joseph Shook

Jul 15, 2024, 10:56:12 AM
to UDAP
That sounds great.

Thanks,

Joe
