...

Zulip: https://chat.fhir.org/#narrow/stream/179207-connectathon-mgmt/topic/Cross.20Organization.20Application.20Access

We have experienced some reliability issues with Zulip on Thursday morning, so please follow up in the track's Zoom chat, in a "comment" on the Google slide doc, or on the call if you are not receiving a response.

Clinical Input & Breakout Discussions

...

  • EMR Direct
  • Qvera
  • Health Intersections
  • Cerner
  • Particle Health
  • Anthem
  • One Medical
  • Carequality
  • Health Gorilla
  • Community Care HIE

  • Cigna
  • The Sequoia Project
  • NewWave
  • Cigna
  • Kaiser
  • Add your name here!

Track Orientation

...

Scenario 1: Cross Organizational Trusted Application Authentication (Client Credentials Flow) *Focus of this track for May 2020*

...

Client app obtains FHIR endpoint information from Directory server (directory server registration details to be added here)

  1. Client app registers dynamically with the OAuth server using UDAP Dynamic Client Registration and obtains a client_id
  2. Client app authenticates to the OAuth server using UDAP JWT-Based Client Authentication backed by a trusted client certificate and, if the submitted authorization metadata meets the authorization server's policy constraints, obtains an access token
  3. Client uses the access token to request a patient resource

...

OAuth server and client app support UDAP Dynamic Client Registration and UDAP JWT-Based Client Authentication (Client Credentials Flow)

Client has a certificate from an issuer that is trusted by the server

...

Scenario 2: Cross Organizational Trusted Application Authentication (Authorization Code Flow)

Actions:

  1. Client app registers dynamically with the OAuth server using UDAP Dynamic Client Registration
  2. Client app obtains an authorization code using standard OAuth 2.0
  3. Client app authenticates to the OAuth server using UDAP JWT-Based Client Authentication backed by a trusted client certificate and exchanges the authorization code for an access token
  4. Client uses the access token to request a patient resource

Preconditions:

Client pre-registers manually, out of band, to obtain a certificate for use in UDAP Dynamic Client Registration and UDAP JWT-Based Client Authentication (complimentary test certificates are available at https://www.emrdirect.com/subscribe-developer).

OAuth server and client app support UDAP Dynamic Client Registration and UDAP JWT-Based Client Authentication (Authorization Code Flow)

Client has a certificate from an issuer that is trusted by the server

Client has a client_id provided by the OAuth server

Success Criteria:

Client app can obtain a patient resource from the target server; partial success for obtaining a client_id via UDAP DCR; partial success for obtaining an access token; partial success for an anonymous DCR.
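Both scenarios turn on one check at the token endpoint: the client assertion is accepted only if the certificate it carries chains to an issuer the server trusts (the "certificate from an issuer that is trusted by the server" precondition). The Go program below is an added example, not code from this track, from EMR Direct, or from any UDAP implementation. It builds the client side (signing an RS256 assertion whose JOSE header carries the client certificate in x5c) and the token endpoint side (chain validation against configured trust anchors, signature check under the x5c leaf key, audience, a five-minute maximum lifetime, and jti replay detection) against a constructed test PKI. The trust anchor, the client certificate, the client_id `client-123`, the token endpoint URL and the claim set are all assumptions chosen for the example; the profiles' full claim requirements (including how iss and sub are bound to the certificate's subjectAltName) are not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims of a UDAP-style client assertion. The JOSE header carries alg=RS256 and the client
// certificate in x5c; the server derives trust from the certificate chain, never from the header alone.
type Claims struct {
	Iss string `json:"iss"` // client's identifying URI
	Sub string `json:"sub"` // client_id issued at registration
	Aud string `json:"aud"` // token endpoint URL the assertion is meant for
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
	Jti string `json:"jti"` // unique per assertion; the server caches it to detect replay
}

type header struct {
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decode(part string, v interface{}) bool {
	b, err := base64.RawURLEncoding.DecodeString(part)
	return err == nil && json.Unmarshal(b, v) == nil
}

// SignAssertion is the client side: sign header.payload with the private key of the x5c certificate.
func SignAssertion(key *rsa.PrivateKey, cert *x509.Certificate, c Claims) string {
	h, _ := json.Marshal(header{Alg: "RS256", X5c: []string{base64.StdEncoding.EncodeToString(cert.Raw)}})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64(sig)
}

// VerifyAssertion is the token endpoint side: issuer trust, signature, audience, lifetime and jti
// replay. On success it returns the client_id (sub) that the assertion authenticates.
func VerifyAssertion(token, tokenURL string, roots *x509.CertPool, seen map[string]bool) (string, error) {
	parts := strings.Split(token, ".")
	var h header
	if len(parts) != 3 || !decode(parts[0], &h) || h.Alg != "RS256" || len(h.X5c) == 0 {
		return "", fmt.Errorf("malformed header or unsupported alg") // alg=none and HS* stop here
	}
	leafDER, _ := base64.StdEncoding.DecodeString(h.X5c[0]) // a decode error leaves bytes that fail to parse
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", fmt.Errorf("bad x5c certificate: %w", err)
	}
	// The track's precondition: the certificate must chain to an issuer the server trusts.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // likewise, a bad encoding cannot verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not verify under the x5c leaf key")
	}
	var c Claims
	now := time.Now().Unix()
	switch {
	case !decode(parts[1], &c):
		return "", fmt.Errorf("bad claims")
	case c.Aud != tokenURL:
		return "", fmt.Errorf("aud is not this token endpoint")
	case c.Exp <= now || c.Exp-c.Iat > 300:
		return "", fmt.Errorf("assertion expired or lifetime over 5 minutes")
	case seen[c.Jti]:
		return "", fmt.Errorf("jti replayed")
	}
	seen[c.Jti] = true
	return c.Sub, nil
}

var serial int64 // serial numbers for the constructed test PKI below

// newCert builds a constructed test PKI: parent == nil yields a self-signed CA, otherwise a leaf.
func newCert(cn string, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// RunDemo returns the client_id authenticated by a valid assertion, then the errors from replaying
// it and from presenting it to a server whose trust anchors do not include the client's issuer.
func RunDemo() (string, error, error) {
	ca, caKey := newCert("Example Trust Anchor", nil, nil)
	client, clientKey := newCert("app.example.org", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	tokenURL, seen := "https://as.example.org/oauth/token", map[string]bool{} // constructed values
	now := time.Now().Unix()
	c := Claims{Iss: "https://app.example.org", Sub: "client-123", Aud: tokenURL, Iat: now, Exp: now + 300, Jti: "jti-1"}
	token := SignAssertion(clientKey, client, c)
	id, _ := VerifyAssertion(token, tokenURL, roots, seen)
	_, replay := VerifyAssertion(token, tokenURL, roots, seen)
	_, untrusted := VerifyAssertion(token, tokenURL, x509.NewCertPool(), map[string]bool{})
	return id, replay, untrusted
}
```

RunDemo() authenticates `client-123` on the first presentation, rejects the second presentation of the same assertion as a jti replay, and rejects the assertion outright when verified against an empty trust store, which stands in for a server that does not trust the client's issuer. The ordering in VerifyAssertion is deliberate: the certificate chain is validated before the signature is checked, so an x5c certificate from outside the server's trust anchors is rejected even though the assertion is correctly signed under it.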

...