Happy new year, everyone.
Just a quick thread to raise awareness of a few topics of conversation for the connectathon next week. These were issues/questions that came to light as Tom and I were finalizing our open source reference implementation.
- Currently in our reference implementation, the authorization server can simultaneously serve as both a CSP and as a data holder authorization server. Does that really make sense? Or would it be best practice to have some separation between a CSP authorization service and a front-line data holder authorization service? My general feeling right now is that there should be more separation there, meaning a given authorization service should perform as a CSP OR as a data holder authorization service, not both. Curious what people's thoughts are on this and how others are viewing this.
- When an authorization service gets an inbound registration request, how do we know what type of client is coming in? Is it an end client app that we want to allow patient/user/system scopes for? Or is it an inbound data holder authorization service that we should only allow openid/udap/fhirUser for? Right now I don't really have a way of knowing the difference between them, so in theory a data holder authorization service could register and get user/system/patient scopes, and I'm not sure how to stop that.
Looking forward to next week!