Wow! I just started looking at the GitHub repo for openfga and I think I am going to lose this day to looking at that tech. There is a dotnet-sdk also. I remember you chatting a bit about it at a connect-a-thon. I was heads down and not ready to digest it.
I am also going to head down the UDAP proxy path so I can test multiple FHIR servers.
Yes, the fine-grained control in this context will be new to me also. I am not sure how the proxy will fare in real-world FHIR servers that already have fine-grained control or don't.
- HAPI doesn't have an example to experiment with that I know of. We have to build it :(.
- I have built and run FHIR Server for Azure locally once. It is a difficult code base to understand. Seems very tied to AzureAD. It would take a lot more time to dissect it to the point of understanding where an abstraction point to integrate UDAP is. But the reality in something like Azure the opinion of fine-grained authorization is in place? (not an authority on any of this)
- Then there is also the Firely evaluation server. I have not looked at this and how I could host UDAP metadata and fine-grained control. They are a dotnet shop and are looking to implement UDAP also. Hoping to collaborate with them.
- Then looking at other things I might proxy, Epic comes to mind. They also defined scopes and have a way to control this. Again the proxy would be subject to the scopes picked for that application connection.
Anyway, as we get the UDAP implementations functional (and refactoring for some time) it seems an RI of fine-grained access is where the big labor may be.
- Dan have you done anything with B2B Authorization Extension Object?
And then there is Certifications at registration time. We could use a couple sample use cases to evolve how we might respond to certifications. Would a certification be an assertion that would affect scopes and fine-grained authorization?
I guess I hijacked the Springboot topic.