
Short Description

This track tests scalable ecosystem trust models used by FAST, Carequality, CARIN, and others. Focus is on security and privacy, including client app registration, authentication and authorization for cross-organization query, endpoint validation, and simple federated identity through reusable credentials.

Long Description

  • Generate discussion about how to recognize certain classes of users, clients, or servers in order to reduce friction in ecosystem use of FHIR, and work toward best practices
  • Build on successes of previous work in Montreal at this track, in Atlanta, and at the May and September 2020 virtual connectathons.

Agenda

Wednesday 1/13
1pm Pacific: Kick-Off Meeting Watch Recording

Thursday 1/14
11am Pacific: Da Vinci Patient Access APIs Whova
1pm Pacific: UDAP Workflows: Developer Resources (Educational Session) Whova Slides:

2pm-7pm Pacific: Technical Testing; Ask Questions via Zulip

Friday 1/15
8am-11am: Technical Testing; Ask Questions via Zulip
11am-12:30pm Pacific: Track Check-in and Q&A
     Dynamic Client Registration Overview
     Server Metadata Overview
     Tiered OAuth Demo & Swimlane
     Authorization Extension Object Overview
     Trusted Dynamic Client Registration Demo
     JWT-Based Authentication Overview
     Use Cases for Carequality Workflows
     Glide path

Here is a server metadata example:

See bit.ly/fast-security-cat26 for additional notes and resources

Type

Test Implementation Guides

Submitting Work Group/Project/Accelerator/Affiliate/Implementer Group  

UDAP.org

Proposed Track Lead

Julie Maas, julie@emrdirect.com (and on Zulip)

Related Tracks

2021-01 FHIR at Scale (FAST): Exchange with or without intermediaries

FHIR Version

This track is not FHIR version specific.

Specification(s) this track uses

UDAP Implementation Guide for Registration and Authorization of Business-to-Business Health Apps

UDAP Implementation Guide for Registration and Authorization of Consumer Facing Health Apps

Related Implementation Guides:

Artifacts of focus

bit.ly/fast-security-cat26

^Please insert slides with comments, questions, sample code, etc.

Clinical input requested (if any)

Always welcome!

Patient input requested (if any)

Always welcome!

Expected participants

  • EMR Direct
  • The Sequoia Project
  • Philips
  • CVS Health
  • How Are You
  • Bellese
  • Aetna
  • Healthflow.io
  • onerecord
  • eHealth Exchange
  • Qvera
  • Health Intersections
  • Cerner
  • Particle Health
  • Anthem
  • One Medical
  • Carequality
  • Health Gorilla
  • Community Care HIE
  • Cigna
  • NewWave
  • Kaiser
  • Blue Cross of Idaho
  • Add your name here!

Zulip stream

https://chat.fhir.org/#narrow/stream/179207-connectathon-mgmt/topic/Cross.20Organization.20Application.20Access


Track Orientation Date

Watch Kick-Off Meeting Recording

Track Orientation Details

bit.ly/fast-security-cat26

Track Details

System roles: 

UDAP-enabled client, UDAP-enabled server, UDAP-enabled identity provider

UDAP-enabled clients are capable of trusted dynamic registration and JWT-based authentication and optionally Tiered OAuth and Server Metadata

UDAP-enabled servers are capable of trusted dynamic registration and JWT-based authentication and optionally Tiered OAuth and Server Metadata

UDAP-enabled identity providers are capable of the IdP side of Tiered OAuth, in addition to the client and server capabilities listed above


Scenarios

1. Trusted Dynamic Registration & JWT-Based Authentication (Consumer Facing)

This scenario tests the ONC FHIR at Scale Taskforce (FAST) Security solution for user-facing apps

Precondition: Client has user-level credentials for FHIR server and client's UDAP certificate is trusted

Action: Client app registers, authenticates user, and requests FHIR data

Success Criteria:  Client app successfully registers, authenticates user, and obtains FHIR data. Client should validate server metadata per UDAP Server Metadata profile.

Bonus point: Client and server use Tiered OAuth to authenticate user instead of credential exchange in advance

Bonus point: Include and validate signed endpoints

2. Trusted Dynamic Registration & JWT-Based Authentication (B2B)

This scenario tests the ONC FHIR at Scale Taskforce (FAST) Security solution for business-to-business apps

Precondition: Client's UDAP certificate is trusted

Action: Client app registers, authenticates, and requests FHIR data

Success Criteria:  Client app successfully registers, authenticates, and obtains FHIR data. Client should validate server metadata per UDAP Server Metadata profile.

Bonus point: Include the Carequality FHIR IG Authorization Extension Object in your requests (clients) and process these objects (servers) 

Bonus point: Client and server use Tiered OAuth to authenticate user 

Bonus point: Include and validate signed endpoints

3. Authentication using third party Identity Provider (IdP) via OpenID Connect (OIDC)

This scenario tests ONC FAST Identity solution #3

Action:

  • Client app initiates UDAP Tiered OAuth connection to OAuth server's authorization endpoint, identifying user's preferred OIDC IdP
  • OAuth server redirects user to IdP authorization endpoint (server acts as client of IdP)
  • User authenticates and authorizes access to identity information
  • OAuth server exchanges the authorization code from the IdP for an access token and id_token, and optionally retrieves additional information from the IdP's userinfo endpoint
  • OAuth server determines authority of user based on available identity information or pre-registration of the ID
  • Authenticated user authorizes client app to access FHIR resources
  • Client exchanges the authorization code from the OAuth server for an access token and accesses FHIR resources

Preconditions:

OAuth server (securing FHIR resources) and client app support UDAP Tiered OAuth

Client is registered with OAuth server for authorization_code flow

OAuth server is registered with IdP for authorization_code flow

Success Criteria:

Client app can access FHIR resources

Bonus points:

OAuth server registers dynamically with IdP using UDAP DCR

Client app registers dynamically with OAuth server using UDAP DCR

4. Validation of FHIR endpoint managing organization in multi-tenant environment

This scenario tests additional aspects of the ONC FAST Security solution

Action:

Client app validates trust with server endpoint before proceeding to OAuth sign in page per UDAP Server Metadata profile.

Server validates trust with client app 

Flow continues using the information from the previous step (happy path: user authenticates and authorizes client app to access FHIR resources) / TBD

Precondition:

FHIR endpoint certificate advertisement, demonstrating control of key

Success Criteria:

Client app can access FHIR resources (happy path)

Bonus point: Include and validate signed endpoints
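The JWT-based authentication of scenarios 1 and 2 and the server metadata validation of scenario 4 rest on the same mechanism: an RS256 JWT whose x5c header carries the signer's certificate, which the verifier chains to a trust anchor before it believes any claim in the token. The Go program below is an added example written for this page, not code from UDAP.org or from any track participant. It mints its own throwaway CA and certificates (a real ecosystem CA issues these), and the client_id https://client.example.org, the token endpoint https://as.example.org/token and every claim value are assumptions. The verifier pins the algorithm, ignores any jwk or kid the token might carry, requires iss and sub to equal the identifier it already expects (the registered client_id for a client assertion, the FHIR base URL the client queried for signed_metadata), rejects expired tokens, and for the token endpoint additionally enforces the aud, the five-minute lifetime and single use of each jti.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// mintCert makes an RSA key and certificate for cn; with parent nil it is a self-signed trust anchor.
// Constructed for the example: real UDAP certificates are issued by an ecosystem CA, not by the client.
func mintCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signJWT builds an RS256 JWT with the signer's certificate in the x5c header, which is how both a
// UDAP client assertion and a server's signed_metadata bind the token to a PKI identity.
func signJWT(claims map[string]any, cert *x509.Certificate, key *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]any{"alg": "RS256", "x5c": []string{base64.StdEncoding.EncodeToString(cert.Raw)}})
	body, _ := json.Marshal(claims)
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64url(sig)
}

// verifyJWT accepts a token only if the x5c leaf chains to anchor, the signature verifies under that
// leaf's key, iss and sub both equal expectedIss (client_id for an assertion, FHIR base URL for
// signed_metadata) and exp is in the future. alg is pinned and any jwk/kid header is ignored:
// trust comes from the chain, never from material the token carries about itself.
func verifyJWT(token, expectedIss string, anchor *x509.Certificate, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	seg := func(i int) []byte { b, _ := base64.RawURLEncoding.DecodeString(parts[i]); return b }
	var hdr struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"`
	}
	if json.Unmarshal(seg(0), &hdr) != nil || hdr.Alg != "RS256" || len(hdr.X5c) == 0 {
		return nil, errors.New("header must be alg RS256 with an x5c certificate")
	}
	leafDER, _ := base64.StdEncoding.DecodeString(hdr.X5c[0]) // x5c[1:] would feed VerifyOptions.Intermediates
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("x5c leaf is not trusted: %w", err)
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg(2)) != nil {
		return nil, errors.New("signature does not verify under the x5c leaf key")
	}
	var claims map[string]any
	if err := json.Unmarshal(seg(1), &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64)
	if claims["iss"] != expectedIss || claims["sub"] != expectedIss || time.Unix(int64(exp), 0).Before(now) {
		return nil, errors.New("iss and sub must equal " + expectedIss + " and exp must be in the future")
	}
	return claims, nil
}

// checkClientAssertion adds the token-endpoint rules: aud names the token endpoint, exp is no more
// than 5 minutes out, and each jti is accepted exactly once (replay defence).
func checkClientAssertion(c map[string]any, tokenEndpoint string, seen map[string]bool, now time.Time) error {
	exp, _ := c["exp"].(float64)
	jti, _ := c["jti"].(string)
	if c["aud"] != tokenEndpoint || time.Unix(int64(exp), 0).After(now.Add(5*time.Minute)) || jti == "" || seen[jti] {
		return errors.New("aud must be the token endpoint, exp within 5 minutes, jti present and unused")
	}
	seen[jti] = true
	return nil
}

func main() {
	ca, caKey := mintCert("Example Ecosystem CA", nil, nil)
	cert, key := mintCert("https://client.example.org", ca, caKey)
	now := time.Now()
	tok := signJWT(map[string]any{"iss": "https://client.example.org", "sub": "https://client.example.org",
		"aud": "https://as.example.org/token", "iat": now.Unix(), "exp": now.Add(4 * time.Minute).Unix(), "jti": "n1"}, cert, key)
	claims, err := verifyJWT(tok, "https://client.example.org", ca, now)
	fmt.Println("verify:", err, "token-endpoint rules:", checkClientAssertion(claims, "https://as.example.org/token", map[string]bool{}, now))
}
```

The same verifyJWT call validates a server's signed_metadata when the client passes the FHIR base URL it actually queried as expectedIss; that binding is what stops a metadata document lifted from one server from being replayed in front of another. A production verifier would additionally check iat against exp rather than against the local clock, and would pass any intermediate certificates from x5c[1:] into VerifyOptions.Intermediates.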

5. Patient matching using OpenID Connect account as an attribute

This scenario tests additional aspects of the ONC FAST Security solution and is also related to ONC FAST Identity solution #3

For example, the OIDC account could be stored as a Patient identifier with:
Identifier.type = http://www.udap.org/fhir/CodeSystem/identifier-authenticator | oidc-sub
Identifier.system = Issuer Identifier URI (the IdP's iss)
Identifier.value = Subject Identifier (sub) assigned by that Issuer

e.g.

{
  "resourceType": "Patient",
  ...
  "identifier": [
    {
      "type": {
        "coding": [
          {
            "system": "http://www.udap.org/fhir/CodeSystem/authentication-identifier",
            "code": "oidc-sub",
            "display": "OIDC Subject Identifier"
          }
        ]
      },
      "system": "https://as.healthtogo.me",
      "value": "1234567"
    },
    ...
  ],
  ...
}

Action:

Search on OpenID subject identifier

e.g. GET [base]/Patient?identifier=https://as.example.com/issuer1|1234567

Precondition:

The data holder confirmed the binding of an OIDC subject identifier to the person named in a Patient (or equivalently a Practitioner, Person, or RelatedPerson) resource using a suitable registration process before adding the identifier.

Success Criteria:

Client app can access FHIR resources for the correct patient linked to the OIDC subject identifier.

Bonus point:

Search using $match operation
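The identifier search above has one property that is easy to lose in a multi-issuer ecosystem: an OIDC sub is unique only within the issuer that assigned it, so two different people authenticated through different IdPs can legitimately carry the same subject identifier, and only the system|value form of the search tells them apart. The Go program below is an added example, not code from the track or from UDAP.org. It implements the FHIR token search forms system|value, |value and value over Patient.identifier; the three Patient resources and their issuer URIs are constructed for illustration, and the policy of refusing a bare-value search that would be satisfied by an oidc-sub identifier is a design choice of this example, not a rule stated on the page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Only the Patient fields an identifier search touches.
type Coding struct {
	System string `json:"system"`
	Code   string `json:"code"`
}

type IdentifierType struct {
	Coding []Coding `json:"coding"`
}

type Identifier struct {
	Type   IdentifierType `json:"type"`
	System string         `json:"system"`
	Value  string         `json:"value"`
}

type Patient struct {
	ID         string       `json:"id"`
	Identifier []Identifier `json:"identifier"`
}

// Type coding the page's Patient example uses for an OIDC subject identifier.
const oidcSubCodeSystem = "http://www.udap.org/fhir/CodeSystem/authentication-identifier"

func (id Identifier) isOIDCSub() bool {
	for _, c := range id.Type.Coding {
		if c.System == oidcSubCodeSystem && c.Code == "oidc-sub" {
			return true
		}
	}
	return false
}

// token is a parsed FHIR token search value: "system|value", "|value" (identifier with no system)
// or "value" (any system).
type token struct {
	system, value string
	hasSystem     bool
}

func parseToken(raw string) token {
	if sys, val, found := strings.Cut(raw, "|"); found {
		return token{system: sys, value: val, hasSystem: true}
	}
	return token{value: raw}
}

func (t token) matches(id Identifier) bool {
	return id.Value == t.value && (!t.hasSystem || id.System == t.system)
}

// searchByIdentifier answers GET [base]/Patient?identifier=<raw> and returns the matching Patient ids.
// A bare value that would be matched through an oidc-sub identifier is rejected: the sub is unique
// only within its issuer, so without the issuer URI in the system part the query can resolve to the
// wrong person (example policy, assumed here).
func searchByIdentifier(patients []Patient, raw string) ([]string, error) {
	t := parseToken(raw)
	var ids []string
	for _, p := range patients {
		for _, id := range p.Identifier {
			if !t.matches(id) {
				continue
			}
			if id.isOIDCSub() && !t.hasSystem {
				return nil, errors.New("oidc-sub lookups must be qualified: identifier=<issuer>|<sub>")
			}
			ids = append(ids, p.ID)
			break
		}
	}
	return ids, nil
}

// Constructed sample: p1 and p2 are different people whose IdPs happened to assign the same sub,
// and p3 has an MRN that collides with that sub as a bare string.
const sampleBundle = `[
 {"resourceType":"Patient","id":"p1","identifier":[
   {"system":"http://hospital.example.org/mrn","value":"MRN-001"},
   {"type":{"coding":[{"system":"http://www.udap.org/fhir/CodeSystem/authentication-identifier","code":"oidc-sub"}]},
    "system":"https://as.example.com/issuer1","value":"1234567"}]},
 {"resourceType":"Patient","id":"p2","identifier":[
   {"type":{"coding":[{"system":"http://www.udap.org/fhir/CodeSystem/authentication-identifier","code":"oidc-sub"}]},
    "system":"https://idp.example.net","value":"1234567"}]},
 {"resourceType":"Patient","id":"p3","identifier":[
   {"system":"http://hospital.example.org/mrn","value":"1234567"}]}
]`

func samplePatients() []Patient {
	var ps []Patient
	if err := json.Unmarshal([]byte(sampleBundle), &ps); err != nil {
		panic(err)
	}
	return ps
}

func main() {
	ps := samplePatients()
	for _, q := range []string{"https://as.example.com/issuer1|1234567", "http://hospital.example.org/mrn|1234567", "1234567", "|1234567"} {
		ids, err := searchByIdentifier(ps, q)
		fmt.Printf("identifier=%-42s -> %v %v\n", q, ids, err)
	}
}
```

With the sample data, the qualified search from the page resolves to exactly one Patient, the same sub qualified by the other issuer resolves to a different one, and the bare value is refused rather than returning whichever of the two (or the unrelated MRN holder) happens to sort first.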

TestScript(s):



Security and Privacy Considerations:

This track focuses on security and privacy. OAuth (client credentials, authorization code, and dynamic client registration), OpenID Connect, UDAP profiles, and PKI are all in scope.