Hi All,
We are implementing a pub-sub system based on FHIR Subscription and Notification Resources.
At present we are evaluating best practices for securing the callback URL endpoint.
The FHIR Subscription specification says in one example to pass the Auth token as a header itself in the subscription.
Is there any other way which the industry has implemented or defined?
There is still a bit of an open question on the security piece here. The approaches I am aware of for testing right now are:
- Auth as header value (e.g., bearer token)
- SMART Backend Services Auth: HL7.FHIR.UV.SMART-APP-LAUNCH\Backend Services - FHIR v4.0.1
- Out of band auth
I am hoping to dedicate some time to discussion and testing of this at the Connectathon in September.
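
The first approach in the list above (auth as a header value), shown from both ends as an added example that is not part of the original posts: an R4 rest-hook Subscription carrying a bearer token in `channel.header`, and the receiver-side check on the callback. The function names, the `receiver.example` URL, the search criteria and the HTTPS-only rule are assumptions of this example.

```python
import hmac
import secrets

def build_subscription(endpoint, token):
    """R4 rest-hook Subscription with the receiver's token in channel.header."""
    # Policy of this example: never hand out a bearer token for a cleartext callback.
    if not endpoint.lower().startswith("https://"):
        raise ValueError("callback endpoint must use https")
    return {
        "resourceType": "Subscription",
        "status": "requested",
        "reason": "Constructed example",
        "criteria": "Observation?status=final",  # constructed criteria
        "channel": {
            "type": "rest-hook",
            "endpoint": endpoint,
            "payload": "application/fhir+json",
            "header": [f"Authorization: Bearer {token}"],
        },
    }

def notification_headers(subscription):
    """Headers the FHIR server would replay on each notification POST."""
    headers = {}
    for line in subscription["channel"]["header"]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def authorize_callback(headers, expected_token):
    """Receiver-side check; returns the HTTP status the endpoint should answer with."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return 401
    scheme, _, presented = auth.partition(" ")
    if scheme.lower() != "bearer" or not presented.strip():
        return 401
    # Constant-time comparison so response timing does not leak token prefixes.
    if not hmac.compare_digest(presented.strip().encode(), expected_token.encode()):
        return 401
    return 200

if __name__ == "__main__":
    token = secrets.token_urlsafe(32)  # one random token per subscription
    sub = build_subscription("https://receiver.example/fhir-hook/abc", token)
    print(authorize_callback(notification_headers(sub), token))
    print(authorize_callback({"Authorization": "Bearer guessed"}, token))
```

Issuing a separate token per subscription lets the receiver revoke one subscription's credential without touching the others.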