IBM Security Verify

Support SMART App Launch

The healthcare standards community has been hard at work on various healthcare interoperability problems and has published a flavor of OAuth 2.0 for use in the industry: http://www.hl7.org/fhir/smart-app-launch

The protocol features extensions to OAuth 2.0 that are difficult to implement with a managed service offering like ISV. Specifically, the two most problematic extensions are the following:

  1. A newly required 'aud' parameter on "authorization" requests from the SMART App Launch clients for passing the intended audience of the target resource server. SMART auth servers must validate that this parameter matches one of the supported resource server endpoints. See http://docs.smarthealthit.org/authorization/best-practices/#25-access-token-phishing-by-counterfeit-resource-servers for more detail on the "why".

  2. A new field on the token response which carries the "patient context" to use. This is sometimes, but not always, the same as the end user. For example, a guardian may have access to multiple patient records and we'd like a way for the end user to select which one to use for their session.

For number 1, we're hoping that ISV can provide a convenient way for us to write some logic that has access to the original authorization request query parameters and let us fail the auth session if the aud parameter is missing/has an invalid value.

For number 2, we're hoping that ISV can allow us to map a value from the user session / user profile into the token response (and not just the issued access token). However, what would be really cool is if we could somehow expand the customizable consent screens to cover this kind of patient context picker directly in the auth flow.

  • Guest
  • Jul 7 2021
  • Future consideration
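The two extensions the idea above asks for, as an added example that is not part of the original idea, not IBM Security Verify code, and not from the HL7 SMART specification itself: a check over the raw authorization request query string that rejects a missing, repeated, or unsupported `aud`, and a token response that carries the `patient` context selected in the session rather than the end user's own identity. The hostnames and the session dictionary are constructed for the example; the canonicalisation rule (lowercase scheme and host, strip one trailing slash, refuse query and fragment) is this example's own assumption, since the spec only requires that `aud` match a supported resource server.

```python
"""Added example: SMART App Launch 'aud' validation and patient-context token response.
Not IBM Security Verify code; hostnames and session data are constructed."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: FHIR resource servers this authorization server will
# issue tokens for (hypothetical hosts).
SUPPORTED_FHIR_SERVERS = {
    "https://fhir.example-hospital.org/r4",
    "https://fhir-sandbox.example-hospital.org/r4",
}


def canonical(url):
    """Normalise only what is safe to normalise (assumption of this example):
    lowercase scheme and host, drop one trailing slash. Anything that is not an
    absolute https URL, or that carries a query or fragment, is rejected (None).
    Path case is preserved because resource server paths may be case-sensitive."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.netloc:
        return None
    if parts.query or parts.fragment:
        return None
    return f"https://{parts.netloc.lower()}{parts.path.rstrip('/')}"


def validate_aud(query_string, supported=SUPPORTED_FHIR_SERVERS):
    """Check the 'aud' parameter of a SMART authorization request.
    Returns (True, canonical_aud) or (False, reason). The reason strings are
    meant for server-side logs, not for the redirect back to the client."""
    params = parse_qs(query_string, keep_blank_values=True)
    auds = params.get("aud", [])
    if not auds:
        return False, "aud missing"
    if len(auds) > 1:
        return False, "aud repeated"          # refuse ambiguity outright
    aud = canonical(auds[0])
    if aud is None:
        return False, "aud is not an absolute https URL without query/fragment"
    allowed = {canonical(u) for u in supported}
    if aud not in allowed:
        # Covers counterfeit resource servers, including look-alike hosts such as
        # fhir.example-hospital.org.evil.test, which is a different netloc.
        return False, "aud does not match a supported resource server"
    return True, aud


def token_response(access_token, session, expires_in=300):
    """Build the SMART token response. 'patient' is the patient record chosen
    for this session (e.g. by a guardian who can act for several patients); it
    is taken from the session, not from the end user's own identity, and must
    be one the user is actually allowed to act for."""
    selected = session.get("selected_patient")
    if not selected:
        raise ValueError("no patient context selected for this session")
    if selected not in session.get("allowed_patients", ()):
        raise PermissionError("selected patient is outside the user's authorisation")
    return {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": expires_in,
        "scope": session["scope"],
        "patient": selected,      # SMART context parameter, alongside the token
    }


if __name__ == "__main__":
    # Constructed requests: a good one, a missing aud, and a look-alike host.
    good = "response_type=code&client_id=app1&aud=https://FHIR.example-hospital.org/r4/"
    print(validate_aud(good))
    print(validate_aud("response_type=code&client_id=app1"))
    print(validate_aud("aud=https://fhir.example-hospital.org.evil.test/r4"))
    # Constructed session: guardian-42 acts for two patients and picked p-2.
    session = {"user": "guardian-42", "allowed_patients": ["p-1", "p-2"],
               "selected_patient": "p-2", "scope": "launch/patient patient/*.rs"}
    print(token_response("opaque-token", session))
```

The `aud` check runs on the raw query string before any session state exists, which is the hook the idea asks for; the token response is built from session state after consent, which is where a patient picker in the consent flow would write `selected_patient`.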
