AuditEvent for OAuth token issuance

Where to include the unique identifier from the OAuth token in the AuditEvent resource?

Hi Jerin,

This is not yet a decided point. In IHE, we just defined to record the username, as this is the thing that is most likely to be looked up in a directory. Further, there is no expectation that AuditEvent fully duplicate the logs that are otherwise available from common IT systems like the Authorization Server.

However, there has been some discussion that recording the token identifier might be useful for those that can look up that identifier during forensic analysis.

I am in the process of writing an Implementation Guide in IHE that will elaborate on these topics - IHE.ITI.BASICAUDIT\Patient Demographics Query for Mobile - FHIR v4.0.1
This is a work in progress, with expected Public Comment in February. I welcome participation and comments on it.

I would think that this could easily be preserved in an AuditEvent.agent.who.identifier, where the .system would identify the AuthZ server, and the .value would be the token unique identifier.

The question is if this should be added to the .agent element that holds the username from the token, or if this should be another .agent holding only the unique identifier?

Would that seem right to you?

Thank you, John,

Is it possible to search AuditEvent using the token unique identifier if the token identifier is added to AuditEvent.agent.who.identifier.value?

Yes, it is possible. A token search parameter is used against Reference datatypes, and there is an explanation that when searching on reference.identifier one uses the “:identifier” modifier.
http://hl7.org/fhir/search.html#reference
Of course, that is dependent on the server implementing this.
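
The proposal discussed in this thread, as an added example that is not part of the original posts and not IHE's own code: it records the token identifier in a separate `.agent` (one of the two options raised above) and builds the matching `:identifier` search. It assumes the access token is a JWT whose `iss`, `sub` and `jti` claims carry the AuthZ server, username and token identifier, and that the server supports the FHIR R4 `agent` search parameter; all hosts and values are constructed.

```python
import base64
import json
from urllib.parse import quote

# Constructed sample claims; issuer, user and jti values are made up.
SAMPLE_CLAIMS = {"iss": "https://authz.example.org", "sub": "jsmith", "jti": "a1b2c3d4"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed token with a dummy signature segment.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256"}'),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])

def jwt_claims(token: str) -> dict:
    """Read claims from a token the resource server has already validated."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_agents(claims: dict) -> list:
    """Build AuditEvent.agent entries: one for the user, one for the token."""
    user = {"requestor": True, "name": claims["sub"]}
    token = {"requestor": False,
             "who": {"identifier": {"system": claims["iss"],   # the AuthZ server
                                    "value": claims["jti"]}}}  # token unique id
    return [user, token]

def search_url(base: str, claims: dict) -> str:
    """Search on agent.who.identifier using the :identifier modifier."""
    ident = quote(f'{claims["iss"]}|{claims["jti"]}', safe="")
    return f"{base}/AuditEvent?agent:identifier={ident}"

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print(json.dumps(audit_agents(claims), indent=2))
    print(search_url("https://fhir.example.org", claims))
```

The `system|value` pair is percent-encoded as a whole so the issuer URL and the `|` separator survive as one query value.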