- JSON Web Signature (JWS) [IETF Draft 4]
- JSON Web Token (JWT) [IETF Draft 6]
- JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 [IETF Draft 4]
- JSON Web Algorithms (JWA) [IETF Draft 8]
- Assertion Framework for OAuth 2.0 [IETF Draft 8]
- The OAuth 2.0 Authorization Framework [RFC 6749]
Does this sound vaguely familiar? Recall these seven: MU Stage 1, HITSP C32, C80, C83, IHE XPHR, HL7 CCD, HL7 CDA
Here's the break down:
OAuth 2.0 is being used to support capturing the authorization of the patient [or authorized representative] to allow a client application instance to access PHI on the patient's behalf. The Assertion Framework for OAuth 2.0 specifies the parameters that tell how the client assertion of its identity is being exchanged in the OAuth 2.0 protocol. JWT Bearer token profiles describes how a JWT bearer token is constructed for OAuth 2.0 for client identity and other uses. JWS explains how a signed JWT is exchanged. JWA indicates the algorithms that are used in JWS. And two of these don't yet agree on whether the key for who the principal is "prn" or "sub", or perhaps I don't understand the distinctions being made.
You'll note that NOT listed above is the OAuth Dynamic Client Registration Protocol [IETF Draft 04]. That's because I traded one problem [Dynamic Registration], for five others [to support a signed assertion of client identity] . I'm not sure it was a good trade, but I'm going to plug away at this anyway.
I think we need to develop the Joined JSON Profile for OAuth 2.0 Web Authorization, which I'm going to call J-JWA, as a pun on C-CDA. The biggest challenge for me in all of this is that with the exception of the OAuth 2.0 Framework, the rest of these are in draft form. However, maybe we can address it in J-JWA, and we'll never have to go down that path we've been through before.