Security for Scalable Registration, Authentication, and Authorization, published by HL7 International / Security. This guide is not an authorized publication; it is the continuous build for version 2.0.0-ballot built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/fhir-udap-security-ig/ and changes regularly. See the Directory of published versions.
Changes from the previous version are summarized below with links to the corresponding HL7 ticket. The summaries below are non-normative.
Ticket | Ticket Description |
---|---|
FHIR-41520 | Clarify “state” parameter required for authorization code flow |
FHIR-42958 | Add guidance for use of PKCE |
FHIR-43003 | Update server metadata requirements for extensions and certifications |
FHIR-43005 | Clarify server may grant a subset of “scopes_supported” |
FHIR-43020 | Clarify where client requests scopes in each workflow |
FHIR-43022 | Clarify use of a client secret is not permitted |
FHIR-43024 | Add STU Note regarding concurrent use with SMART |
FHIR-45173 | Add certification example for privacy disclosures |
FHIR-46113 | Add certification example for exchange purposes |
FHIR-46448 | Add scope guidance based on TEFCA SOP |
FHIR-49143 | Representation/formatting of word may be confused as conformance language |
FHIR-49179 | Remove reference to SMART configuration for scope negotiation |
FHIR-49633 | Example narrative should be for B2C and authorization code in 3.2.2 |
FHIR-49142 | Invalid conformance language corrected |
FHIR-49174 | Clarify token use must be consistent with authorization context |
FHIR-49177 | Require supported signing algorithms for registration in server metadata |

Ticket | Ticket Description |
---|---|
FHIR-40459 | Clarify client is required to validate signed_metadata as per the UDAP server metadata profile |
FHIR-40579 | Correct inactive link in Required UDAP Metadata |
FHIR-40601 | Correct invalid link to HL7 SMART App Launch IG history |
FHIR-40791 | Clarify “aud” value in authentication JWTs |
FHIR-41517 | Clarify algorithm used by servers to sign UDAP metadata |
FHIR-43002 | Clarify that support for B2B extension is required for servers that support client credentials grants |
FHIR-43007 | Clarify conformance strength of algorithms by listing as a table |
FHIR-43008 | Clarify “jti” reuse is permitted after expiration of any previous JWTs using same value |
FHIR-43014 | Correct status code to be returned by server when community is not recognized or not supported |
FHIR-43021 | Add missing hyperlinks for certain UDAP profiles |
FHIR-43048 | Clarify servers must respond to GET requests for metadata |
FHIR-43116 | Clarify that registration updates are requested within the context of the client’s trust community |
FHIR-43121 | Remove duplicated requirements for “iss” parameter in software statement |
FHIR-43554 | Clarify allowed registration claims returned by server may be different than claims submitted in software statement |