Netherlands - Generic Functions for data exchange Implementation Guide
0.3.0 - ci-build
Netherlands - Generic Functions for data exchange Implementation Guide
0.3.0 - ci-build
Netherlands - Generic Functions for data exchange Implementation Guide, published by Stichting Nuts. This guide is not an authorized publication; it is the continuous build for version 0.3.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/nuts-foundation/nl-generic-functions-ig/ and changes regularly. See the Directory of published versions
The ServiceProviderDelegationCredential proves that a healthcare provider authorizes a service provider to act on its behalf within a defined authorization scope.
It records the delegation from a healthcare provider to a service provider and is consumed before an access token is issued.
It confirms delegation, not system authorization; the system authorization of the service provider is carried by the ServiceProviderCredential.
Purpose: Assert that a healthcare provider has authorized a service provider to act on its behalf, within the scope of an authorization rule from the applicable agreement framework (afspraakstelsel).
Issuer: did:web of the healthcare provider that delegates the authority.
Subject: did:web of the service provider receiving the delegation.
Status: draft
Data model: W3C Verifiable Credentials Data Model 1.1
VC type: ["VerifiableCredential", "ServiceProviderDelegationCredential"]
Proof type: JWT
Signature algorithm: ES256 (recommended), ES512 or PS256
Revocation method: Bitstring Status List v1.0 via the optional credentialStatus field (not currently used).
Proof of Possession: presenter is holder: the identifier of the presenter MUST equal the credential subject identifier.
Trust anchors: the healthcare provider that issues the delegation. Framework-specific issuer and trust requirements are defined per agreement framework; see Agreement framework specifics.
This credential records that a healthcare provider has delegated a defined set of authorized actions to a service provider. It confirms the delegation, not the system authorization of the service provider, which is carried by the ServiceProviderCredential.
The credential names the delegating healthcare provider (hasDelegation.issuedBy) by its URA number. The binding between that URA number and the issuer did:web of the healthcare provider must be established through a HealthcareProviderCredential presented in the same Verifiable Presentation.
The set of valid values for authorizationRule and authorizedActions is determined by the applicable agreement framework (afspraakstelsel); see Agreement framework specifics for the AORTA definitions.
All fields below are scoped to credentialSubject.
| Path | IRI | Card. | Description / validation |
|---|---|---|---|
id |
- | 0..1 | did:web of the service provider; if present, MUST equal the sub claim |
@type |
gis:ServiceProvider |
1 | Always ServiceProvider |
hasDelegation.@type |
gis:Delegation |
1 | Always Delegation |
hasDelegation.issuedBy.@type |
gis:HealthcareProvider |
1 | Always HealthcareProvider |
hasDelegation.issuedBy.identifier.@type |
schema:PropertyValue |
1 | Always Identifier |
hasDelegation.issuedBy.identifier.system |
schema:propertyID |
1 | Always http://fhir.nl/fhir/NamingSystem/ura |
hasDelegation.issuedBy.identifier.value |
schema:value |
1 | URA number of the delegating healthcare provider |
hasDelegation.scope.@type |
gis:DelegationScope |
1 | Always DelegationScope |
hasDelegation.scope.authorizationRule |
gis:authorizationRule |
1 | URI of the authorization rule under which the delegation is issued |
hasDelegation.scope.authorizedActions |
gis:authorizedActions |
1..* | Authorized actions within the authorization rule |
The credential expresses the following entity model:
graph TD
VC[ServiceProviderDelegationCredential]
VC -->|issuer| ISSUER["did:web (healthcare provider)"]
VC -->|credentialSubject| SP["ServiceProvider"]
SP -->|id| SPID["did:web:dienstverlener.example.nl"]
SP -->|hasDelegation| DEL["Delegation"]
DEL -->|issuedBy| HP["HealthcareProvider"]
HP -->|identifier| HPID["Identifier"]
HPID -->|system| HPSYS["http://fhir.nl/fhir/NamingSystem/ura"]
HPID -->|value| HPVAL["12345678 (URA)"]
DEL -->|scope| SCOPE["DelegationScope"]
SCOPE -->|authorizationRule| RULE["https://aorta.example.nl/authorizations/gtk"]
SCOPE -->|authorizedActions| ACTIONS["[tokenRequest, presentCredentials]"]
The credential uses the GIS JSON-LD context.
The following is a non-normative example of a ServiceProviderDelegationCredential using the W3C Verifiable Credentials Data Model 1.1 JWT encoding, using values from the AORTA agreement framework (see Agreement framework specifics). It asserts that the healthcare provider with URA 12345678 has authorized the service provider did:web:dienstverlener.example.nl to perform the actions tokenRequest and presentCredentials.
JWT Header:
{
"alg": "ES256",
"typ": "JWT",
"kid": "did:web:zorginstelling.example.nl#keys-1"
}
JWT Payload:
{
"iss": "did:web:zorginstelling.example.nl",
"sub": "did:web:dienstverlener.example.nl",
"jti": "urn:uuid:4c2a1f3e-9a5b-4f90-8d3e-abcdef123456",
"nbf": 1740000000,
"exp": 1786320000,
"vc": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"http://gis-nl.example/"
],
"type": [
"VerifiableCredential",
"ServiceProviderDelegationCredential"
],
"issuanceDate": "2025-02-20T00:00:00Z",
"expirationDate": "2026-08-08T00:00:00Z",
"credentialSubject": {
"id": "did:web:dienstverlener.example.nl",
"@type": "ServiceProvider",
"hasDelegation": {
"@type": "Delegation",
"issuedBy": {
"@type": "HealthcareProvider",
"identifier": {
"@type": "Identifier",
"system": "http://fhir.nl/fhir/NamingSystem/ura",
"value": "12345678"
}
},
"scope": {
"@type": "DelegationScope",
"authorizationRule": "https://aorta.example.nl/authorizations/gtk",
"authorizedActions": ["tokenRequest", "presentCredentials"]
}
}
}
}
}
In addition to the generic validation steps from the Credential Catalog, verifiers MUST perform the following checks:
did:web DID of a healthcare provider. Framework-specific issuer requirements apply; see Agreement framework specifics.type array includes ServiceProviderDelegationCredential.sub claim matches credentialSubject.id (if present).credentialSubject.hasDelegation.issuedBy.identifier.value identifies the delegating healthcare provider; its binding to the issuer did:web MUST be established through a HealthcareProviderCredential presented in the same Verifiable Presentation.authorizationRule and authorizedActions MUST be valid within the applicable agreement framework.The main specification above is agreement-framework-generic. The issuer identity and the value sets for authorizationRule and authorizedActions are defined per agreement framework (afspraakstelsel).
Within the AORTA agreement framework:
did:web MUST use a .nl top-level domain (e.g. did:web:zorginstelling.example.nl).authorizationRule MUST be an AORTA-defined authorization rule URI (e.g. https://aorta.example.nl/authorizations/gtk).authorizedActions MUST contain one or more AORTA-defined actions (e.g. tokenRequest, presentCredentials).Editorial note: The definitive AORTA value sets for authorizationRule and authorizedActions are still to be determined. The values shown above and in the example are placeholders.