Security and Trust

How sanguine is the FHIR community with OAuth/OIDC as an effective authentication/authorization method?

Quite. The Smart on FHIR specification - including its profiles on OAuth 2 and OIDC are likely to be integrated into the FHIR specification as part of the release after STU 3 is published. They are a natural fit for RESTful interoperability and can be used for the other paradigms as well.

Aren’t there any concerns about OAuth2 security and/or OIDC ergonomics? In other words, OAuth has poor IAM capability and OIDC could be seen as problematic to end users

I could hardly say there are “no concerns” :slight_smile:

Overall, with careful implementation and attention to details (security-wise and UX-wise), these are the best standards i’ve seen for the job. OAuth and OIDC are widely used across the consumer web, which is a positive sign in my book — and community knowledge of good practices grows over time.

Are there specific alternatives you’re exploring in the space of standards-based authorization (and authentication)?


There are!

First, let me say how delighted I am by your attention (as your thought leadership in all things FHIR have been an inspiration to many).

Indeed, as but one of he “many”,I am now drafting a White Paper to describe the work that my small company is doing in this specific area (and, of course, we’d be honored to have you review its first draft). The core idea involves more sophisticated (enterprise-to-military-grade) IAM and CA techniques front-ending a blockchained repository of fine-grained patient permissions.

Anyway, I’ll look froward to sharing these ideas in hopes of your comments soon.

`till then, all the best

Dr Mandel

I’ve just finished a rough draft of the white paper (discussing a project aimed at addressing several perceived weaknesses in the otherwise pivotal FHIR framework) that I mentioned previosly. We’re also scratching our heads a bit at the moment on how best to proceed with this idea.

Anyway, inasmuch as your work is mentioned several times in this piece, I was hoping to get your reaction to its merits; and, if you’re so inclined, any suggestions on how we should move it forward would be most appreciated. Please send me the best address to mail you a link for downloading

`till then, all the best

FWIW, `not sure I agree. As it is, OAuth is a loose consumer grade AAA framework with serious security and other percievably ill-fitting characteristics. I would be happy to expound upon how those may be addressed if you’re interested. But IMHO, these real and percieved weaknesses could compromise FHIR adoption (and provide more than ample cover to those wishing to limit its use)

Thanks! Please feel free to share a draft with me by email (jmandel, at med dot harvard dot edu) – or better yet, if you could post it somewhere for the community to review.

Quick question: Would you log-on to your on-line banking account via OAuth2/OIDC?