scopes v2
Currently, SMART defines a syntax for OAuth 2.0 scopes referred to as Clinical Scope Syntax
Expressed in EBNF notation, the clinical scope syntax is:
clinical-scope ::= ( 'patient' | 'user' ) '/' ( fhir-resource | '*' ) '.' ( 'read' | 'write' | '*' )`
This diagram should be updated to include system alongside patient and user per SMART Backend Services.
Although, this current scope syntax has worked well in many ways, additional needs have been uncovered during its widespread implementation.
A patient, authorizing an exercise app to read or write her steps, blood pressure or heart rate, may not wish that app to be able to access lab results, such as HIV or pregnancy status. Currently, SMART groups these data categories together as patient/Observation.[read|write]. FHIR distinguishes between these types of Observations via the Observation.category element, which may contain:
- laboratory
- social-history
- procedure
- survey
- activity
- ...
How do we enable the patient to distinguish and authorize between these classes of data? Each of these categories are sufficiently different classes of data for the maturing FHIR data model to distinguish between them. Additional FHIR resources which define category or "subresource" type classes include:
-
Condition.category:problem-list-item,encounter-diagnosis - ... TODO
- Perhaps
Basic.code: <any FHIR resource ...>
Could a simple enhancement to the existing SMART scope syntax enable the patient to distinguish between these classes of data? Something like:
clinical-scope ::= ( 'patient' | 'user' | 'system' ) '/' ( fhir-resource | '*' ) '.' [ fhir-resource-category '.' ] ( 'read' | 'write' | '*' )`
- Patient understandable scopes
- Representation of FHIR "subresources"
- ...