Security for Scalable Registration, Authentication, and Authorization
3.0.0-ballot - STU 3 Ballot International flag

Security for Scalable Registration, Authentication, and Authorization, published by HL7 International / Security. This guide is not an authorized publication; it is the continuous build for version 3.0.0-ballot built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/fhir-udap-security-ig/ and changes regularly. See the Directory of published versions

Change Log

Page standards status: Informative

Changes from the previous version are summarized below with links to the corresponding HL7 ticket. The summaries below are non-normative.

Version 3.0.0 - Ballot

Changes necessary to move from US realm to International realm, including updates to title, id, canonical URL, and some metadata. No changes have been made to the content of the IG from the US STU2 (December 2025) publication. The ballot is inviting any comments or feedback from the community. Please review the changes carefully and provide any feedback you may have.

Version 2.0.0

Ticket Ticket Description
FHIR-40510 Update client and server requirements for “community” parameter
FHIR-41520 Clarify “state” parameter required for authorization code flow
FHIR-42958 Add guidance for use of PKCE
FHIR-43003 Update server metadata requirements for extensions and certifications
FHIR-43005 Clarify server may grant a subset of “scopes_supported”
FHIR-43006 Clarify scope requirements for Tiered OAuth
FHIR-43020 Clarify where client requests scopes in each workflow
FHIR-43022 Clarify use of a client secret is not permitted
FHIR-43024 Add STU Note regarding concurrent use with SMART
FHIR-43120 Clarify JWT conformance requirements
FHIR-45173 Add certification example for privacy disclosures
FHIR-45723 Clarify scopes to register for when using Tiered OAuth
FHIR-46113 Add certification example for exchange purposes
FHIR-46448 Add scope guidance based on TEFCA SOP
FHIR-48921 Clarify that Registered Claim Names should be omitted from registration response
FHIR-48986 Add text and STU note about logical server groups
FHIR-49141 Move conformance language out of home page
FHIR-49142 Update invalid conformance language
FHIR-49143 Representation/formatting of word may be confused as conformance language
FHIR-49174 Clarify token use must be consistent with authorization context
FHIR-49175 Expand introduction to explain trust communities and certificate-based trust
FHIR-49176 Update UDAP.org STU1 links
FHIR-49177 Require supported signing algorithms for registration in server metadata
FHIR-49178 Move US Realm requirements from 5.2.1.1; Change subject_id to recommend NPI
FHIR-49179 Remove reference to SMART configuration for scope negotiation
FHIR-49180 Consolidate scope negotiation requirements, add trust community scope guidance
FHIR-49181 Clarify how certification template is used and the non-normative nature of examples
FHIR-49182 Clarify that additional signature algorithms may be used
FHIR-49184 Add underlying UDAP.org reference for “extensions” parameter
FHIR-49185 Add guidance on how to use this IG and SMART App Launch framework together
FHIR-49186 Add section level references to validation steps in UDAP specifications
FHIR-49187 Move JWT requirements to General Requirements page
FHIR-49239 Clarify signed metadata has precedence over plain JSON elements
FHIR-49241 Add alternative workflow using “jku” instead of “x5c” (experimental)
FHIR-49242 Clarify that clients will terminate workflow if server metadata is not trusted
FHIR-49631 Clarify that unassigned parameters should be omitted from registration response
FHIR-49632 Clarify addition and removal of scopes by server during scope negotiation
FHIR-49633 Example narrative should be for B2C and authorization code in 3.2.2
FHIR-50137 Clarify scope negotiation errors for token vs. registration requests
FHIR-50929 Remove dependency of hl7.fhir.us.core: 3.1.1
FHIR-50963 Specify the IG standards status
FHIR-51052 Clarify URI normalization expectations in JWTs
FHIR-51054 Add time synchronization to community checklist
FHIR-51150 Add PKI policies as separate trust community checklist item
FHIR-51161 Clarify additional Authorization Extension Objects are allowed for B2B workflows
FHIR-51244 Pluralize exchange_purpose in example certification keys table

Version 1.1.0 - STU1 Update 1

Ticket Ticket Description
FHIR-40459 Clarify client is required to validate signed_metadata as per the UDAP server metadata profile
FHIR-40579 Correct inactive link in Required UDAP Metadata
FHIR-40601 Correct invalid link to HL7 SMART App Launch IG history
FHIR-40791 Clarify “aud” value in authentication JWTs
FHIR-41517 Clarify algorithm used by servers to sign UDAP metadata
FHIR-43002 Clarify that support for B2B extension is required for servers that support client credentials grants
FHIR-43007 Clarify conformance strength of algorithms by listing as a table
FHIR-43008 Clarify “jti” reuse is permitted after expiration of any previous JWTs using same value
FHIR-43014 Correct status code to be returned by server when community is not recognized or not supported
FHIR-43021 Add missing hyperlinks for certain UDAP profiles
FHIR-43048 Clarify servers must respond to GET requests for metadata
FHIR-43116 Clarify that registration updates are requested within the context of the client’s trust community
FHIR-43121 Remove duplicated requirements for “iss” parameter in software statement
FHIR-43554 Clarify allowed registration claims returned by server may be different than claims submitted in software statement
FHIR-51423 State IG FMM maturity level