scopes v2
Currently, SMART defines a syntax for OAuth 2.0 scopes referred to as Clinical Scope Syntax.
Expressed in EBNF notation, the clinical scope syntax is:
`clinical-scope ::= ( 'patient' | 'user' ) '/' ( fhir-resource | '*' ) '.' ( 'read' | 'write' | '*' )`
This diagram should be updated to include `system` alongside `patient` and `user` per SMART Backend Services.
Although this current scope syntax has worked well in many ways, additional needs have been uncovered during its widespread implementation.
A patient, authorizing an exercise app to read or write her steps, blood pressure or heart rate, may not wish that app to be able to access lab results, such as HIV or pregnancy status. Currently, SMART groups these data categories together as `patient/Observation.[read|write]`. FHIR distinguishes between these types of `Observation`s via the `Observation.category` element, which may contain:
- laboratory
- social-history
- procedure
- survey
- activity
- ...
Depending upon her age, the patient's electronic health data may stretch back to birth. Should the app be able to access details about her chicken pox from childhood? Alternatively, she should be able to restrict the app to only active Conditions, allergies and meds.
Similarly, the patient may not wish to share her contact information, such as email, phone numbers and home addresses -- to prevent everything from simple spam to domestic violence.
- Patient understandable scopes
- Representation of FHIR "subresources"
- active-only
- contact-information
- ...
`clinical-scope ::= ( 'patient' | 'user' | 'system' ) '/' ( fhir-resource ) '.' [ ('active-only' | 'no-contact' ) '.'] [ fhir-resource-category '.' ] ( 'read' | 'write' | 'search' | 'update' | 'delete' )`
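
An added example, not part of the original page or the SMART specification: a Python parser for the proposed grammar above, with a check showing how a category-restricted scope separates activity Observations from laboratory ones. The token patterns for `fhir-resource` and `fhir-resource-category`, the names `parse_scope` and `permits`, and the handling of the two modifiers are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Regex transcription of the proposed grammar. Assumptions: fhir-resource is a
# capitalised FHIR type name; fhir-resource-category is a lower-case,
# hyphen-separated code such as "laboratory" or "social-history".
SCOPE_RE = re.compile(
    r"(?P<context>patient|user|system)/"
    r"(?P<resource>[A-Z][A-Za-z]+)\."
    r"(?:(?P<modifier>active-only|no-contact)\.)?"
    r"(?:(?P<category>[a-z]+(?:-[a-z]+)*)\.)?"
    r"(?P<action>read|write|search|update|delete)"
)

class Scope(NamedTuple):
    context: str
    resource: str
    modifier: Optional[str]
    category: Optional[str]
    action: str

def parse_scope(text: str) -> Optional[Scope]:
    """Return the parsed scope, or None if it does not fit the grammar.

    The proposed grammar has no '*' wildcard, so v1 strings such as
    'patient/*.read' are rejected rather than silently widened.
    """
    m = SCOPE_RE.fullmatch(text)
    return Scope(**m.groupdict()) if m else None

def permits(scope: Scope, resource_type: str, action: str,
            categories: set, active: bool = True) -> bool:
    """Decide whether one granted scope covers a request for one resource.

    `categories` holds the codes found in the resource's category element;
    `active` is the caller's view of whether the record is current.
    """
    if scope.resource != resource_type or scope.action != action:
        return False
    if scope.modifier == "active-only" and not active:
        return False
    # Assumed semantics: 'no-contact' does not change allow/deny; the server
    # must still strip contact fields from the response (not shown here).
    # A category-restricted scope only covers resources carrying that category.
    return scope.category is None or scope.category in categories
```
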