I've been prototyping my efforts using OAuth 1.0, and have been following Twitter's pattern. With Twitter, you have to register your app, and get a client key and secret that your app will use later in the Authorization Workflow. But providers don't want to be in the credentialing business at all, and many would love to off-load that responsibility even for patients to others, so why would they now want to credential applications as well.
In the case of Twitter, it is the singular provider of the Twitter API, yet what we want for ABBI is to have numerous providers of the ABBI API. We don't want to have each of those applications to have to register with all of the possible data holders, because then the applications would have to have foreknowledge of all data holders. In fact, based on the consent model, there should not need to be any sort of business relationship between the application developers and the data holders. But we do want to make sure (from the patient's perspective) that these applications aren't just some rogue actor trying to obtain access to patient information.
I looked to see what the Rhex Project had done, considering they were implementing OAuth 2.0, but no luck. Page 11 of the Rhex OAuth 2.0 Profile (.doc) states:
Confidential Clients register a JSON Web Key (JWK) with a trusted Authorization Server prior to conducting health exchange transactions.So even they require a registration step.
There are a couple of ways to avoid registration.
Don't Use oauth_consumer_keyOAuth 1.0 doesn't require the oauth_consumer_key to be present in the Authorization workflow or in API calls, nor is it required to have a value. The whole idea that the client application has to register could be ignored. But, one advantage that oauth_consumer_key and oauth_consumer_secret support is the idea that activities performed by applications on behalf of a user can be traced back to a specific application. This is rather beneficial. If my data was downloaded, I'd really like to know which app did it when I check the logs.
I'd like to avoid dropping the oauth_consumer_key if possible. There's simply no way to convey the client application identity if you do that.
Negotiate oauth_consumer_key without a RegistrationOAuth 1.0 leaves completely unspecified the means by which the consumer_key and consumer_secret values are exchanged with the client application. This is by design. With Twitter, there's a developer's API page you use, and you request keys via the web. But there could be any number of other mechanisms by which client keys and secrets are exchanged, some of which could be done without a registration step.
Key features of the client key and secret that need to be preserved:
- The key needs to uniquely identify the client application, and be distinct from any other client application.
- The secret needs to be something that that only the server (data holder) and the client application could have knowledge of.
I have a solution in mind that involves consumer key and secret exchanges with the client application's web-site. There are several challenges that have to be surmounted in order for this to work, but I'm going to spend some time thinking on this.