smart_app_launch_test_kit 0.6.3 → 0.6.4

Files changed (63) hide show
  1. checksums.yaml +4 -4
  2. data/lib/smart_app_launch/app_redirect_test.rb +3 -0
  3. data/lib/smart_app_launch/backend_services_authorization_request_success_test.rb +1 -0
  4. data/lib/smart_app_launch/backend_services_authorization_response_body_test.rb +11 -0
  5. data/lib/smart_app_launch/backend_services_invalid_client_assertion_test.rb +1 -0
  6. data/lib/smart_app_launch/backend_services_invalid_grant_type_test.rb +1 -0
  7. data/lib/smart_app_launch/client_stu2_2_suite.rb +8 -0
  8. data/lib/smart_app_launch/client_suite/access_alca_interaction_test.rb +5 -0
  9. data/lib/smart_app_launch/client_suite/access_alcs_interaction_test.rb +5 -0
  10. data/lib/smart_app_launch/client_suite/access_alp_interaction_test.rb +4 -0
  11. data/lib/smart_app_launch/client_suite/access_bsca_interaction_test.rb +3 -0
  12. data/lib/smart_app_launch/client_suite/authorization_request_verification_test.rb +11 -0
  13. data/lib/smart_app_launch/client_suite/registration_alca_group.rb +1 -1
  14. data/lib/smart_app_launch/client_suite/registration_alca_verification_test.rb +6 -1
  15. data/lib/smart_app_launch/client_suite/registration_alcs_verification_test.rb +4 -1
  16. data/lib/smart_app_launch/client_suite/registration_alp_verification_test.rb +3 -1
  17. data/lib/smart_app_launch/client_suite/registration_bsca_verification_test.rb +4 -0
  18. data/lib/smart_app_launch/client_suite/token_request_alca_verification_test.rb +15 -0
  19. data/lib/smart_app_launch/client_suite/token_request_alcs_verification_test.rb +6 -0
  20. data/lib/smart_app_launch/client_suite/token_request_alp_verification_test.rb +9 -0
  21. data/lib/smart_app_launch/client_suite/token_request_bsca_verification_test.rb +9 -1
  22. data/lib/smart_app_launch/client_suite/token_use_verification_test.rb +2 -1
  23. data/lib/smart_app_launch/code_received_test.rb +4 -0
  24. data/lib/smart_app_launch/cors_metadata_request_test.rb +2 -0
  25. data/lib/smart_app_launch/cors_openid_fhir_user_claim_test.rb +2 -0
  26. data/lib/smart_app_launch/cors_token_exchange_test.rb +2 -0
  27. data/lib/smart_app_launch/cors_well_known_endpoint_test.rb +2 -0
  28. data/lib/smart_app_launch/ehr_launch_group.rb +4 -0
  29. data/lib/smart_app_launch/openid_connect_group_stu2_2.rb +1 -0
  30. data/lib/smart_app_launch/openid_decode_id_token_test.rb +2 -1
  31. data/lib/smart_app_launch/openid_fhir_user_claim_test.rb +1 -0
  32. data/lib/smart_app_launch/openid_required_configuration_fields_test.rb +2 -0
  33. data/lib/smart_app_launch/openid_retrieve_configuration_test.rb +1 -1
  34. data/lib/smart_app_launch/openid_retrieve_jwks_test.rb +3 -1
  35. data/lib/smart_app_launch/openid_token_header_test.rb +2 -0
  36. data/lib/smart_app_launch/openid_token_payload_test.rb +2 -0
  37. data/lib/smart_app_launch/requirements/generated/smart_access_brands_requirements_coverage.csv +1 -0
  38. data/lib/smart_app_launch/requirements/generated/smart_client_stu2_2_requirements_coverage.csv +193 -0
  39. data/lib/smart_app_launch/requirements/generated/smart_requirements_coverage.csv +1 -0
  40. data/lib/smart_app_launch/requirements/generated/smart_stu2_2_requirements_coverage.csv +305 -0
  41. data/lib/smart_app_launch/requirements/generated/smart_stu2_requirements_coverage.csv +1 -0
  42. data/lib/smart_app_launch/requirements/hl7.fhir.uv.smart-app-launch_2.0.0_Requirements.xlsx +0 -0
  43. data/lib/smart_app_launch/requirements/hl7.fhir.uv.smart-app-launch_2.2.0_Requirements.xlsx +0 -0
  44. data/lib/smart_app_launch/requirements/smart_app_launch_test_kit_requirements.csv +1017 -0
  45. data/lib/smart_app_launch/smart_access_brands_group.rb +1 -0
  46. data/lib/smart_app_launch/smart_access_brands_retrieve_bundle_test.rb +4 -1
  47. data/lib/smart_app_launch/smart_access_brands_validate_brands_test.rb +2 -0
  48. data/lib/smart_app_launch/smart_access_brands_validate_bundle_test.rb +5 -1
  49. data/lib/smart_app_launch/smart_access_brands_validate_endpoint_urls_test.rb +1 -0
  50. data/lib/smart_app_launch/smart_access_brands_validate_endpoints_test.rb +3 -1
  51. data/lib/smart_app_launch/smart_stu2_2_suite.rb +8 -0
  52. data/lib/smart_app_launch/standalone_launch_group.rb +4 -0
  53. data/lib/smart_app_launch/token_introspection_group_stu2_2.rb +1 -0
  54. data/lib/smart_app_launch/token_introspection_response_group.rb +9 -2
  55. data/lib/smart_app_launch/token_refresh_body_test.rb +6 -0
  56. data/lib/smart_app_launch/token_refresh_stu2_test.rb +2 -1
  57. data/lib/smart_app_launch/token_refresh_test.rb +1 -1
  58. data/lib/smart_app_launch/token_response_body_test_stu2_2.rb +8 -0
  59. data/lib/smart_app_launch/token_response_headers_test.rb +2 -0
  60. data/lib/smart_app_launch/version.rb +2 -2
  61. data/lib/smart_app_launch/well_known_capabilities_stu2_test.rb +9 -1
  62. data/lib/smart_app_launch/well_known_endpoint_test.rb +5 -0
  63. metadata +26 -4
@@ -0,0 +1,1017 @@
1
+ Req Set,ID,URL,Requirement,Conformance,Actors,Sub-Requirement(s),Conditionality,Not Tested Reason,Not Tested Details
2
+ hl7.fhir.uv.smart-app-launch_2.0.0,1,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,"Apps SHALL ensure that sensitive information (authentication secrets, authorization codes, tokens) is transmitted ONLY to authenticated servers, over TLS-secured channels",SHALL,Client,,,,
3
+ hl7.fhir.uv.smart-app-launch_2.0.0,2,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,Apps SHALL generate an unpredictable `state` parameter for each user session,SHALL,Client,,,,
4
+ hl7.fhir.uv.smart-app-launch_2.0.0,3,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,Apps SHALL... include `state` with all authorization requests,SHALL,Client,,,,
5
+ hl7.fhir.uv.smart-app-launch_2.0.0,4,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,App SHALL ... validate the `state` value for any request sent to its redirect URL.,SHALL,Client,,,,
6
+ hl7.fhir.uv.smart-app-launch_2.0.0,5,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,An app SHALL NOT execute untrusted user-supplied inputs as code.,SHALL NOT,Client,,,,
7
+ hl7.fhir.uv.smart-app-launch_2.0.0,6,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,An app SHALL NOT forward values passed back to its redirect URL to any other arbitrary or user-provided URL (a practice known as an “open redirector”).,SHALL NOT,Client,,,,
8
+ hl7.fhir.uv.smart-app-launch_2.0.0,7,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,An app SHALL NOT store bearer tokens in cookies that are transmitted as clear text.,SHALL NOT,Client,,,,
9
+ hl7.fhir.uv.smart-app-launch_2.0.0,8,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,Apps SHOULD persist tokens and other sensitive data in app-specific storage locations only,SHOULD,Client,,,,
10
+ hl7.fhir.uv.smart-app-launch_2.0.0,9,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#app-protection,Apps... SHOULD NOT persist [tokens and other sensitive data] … in system-wide-discoverable locations.,SHOULD,Client,,,,
11
+ hl7.fhir.uv.smart-app-launch_2.0.0,10,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#support-for-public-and-confidential-apps,"any “secret” key, code, or string that is statically embedded in the app can potentially be extracted by an end-user or attacker. Hence security for these apps cannot depend on secrets embedded at install-time.",SHOULD NOT,Client,,,,
12
+ hl7.fhir.uv.smart-app-launch_2.0.0,11,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#use-the-confidential-app--profile-if-your-app-is-able-to-protect-a-secret,"Use the `confidential app` profile if your app is able to protect a secret
13
+
14
+ Example: App runs on a trusted server with only server-side access to the secret
15
+ Example: App is a native app that uses additional technology (such as dynamic client registration and universal redirect_uris) to protect the secret",SHOULD,Client,,,,
16
+ hl7.fhir.uv.smart-app-launch_2.0.0,12,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#use-the-confidential-app--profile-if-your-app-is-able-to-protect-a-secret,"Use the `public app` profile if your app is unable to protect a secret
17
+
18
+ Example: App is an HTML5 or JS in-browser app (including single-page applications) that would expose the secret in user space
19
+ Example: App is a native app that can only distribute a secret statically",SHOULD,Client,,,,
20
+ hl7.fhir.uv.smart-app-launch_2.0.0,13,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#considerations-for-pkce-support,All SMART apps SHALL support Proof Key for Code Exchange [(PKCE)](https://tools.ietf.org/html/rfc7636),SHALL,Client,,,,
21
+ hl7.fhir.uv.smart-app-launch_2.0.0,14,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#considerations-for-pkce-support,SMART servers [supporting the [PKCE](https://tools.ietf.org/html/rfc7636)] SHALL support the `S256` `code_challenge_method`,SHALL,Server,,,,
22
+ hl7.fhir.uv.smart-app-launch_2.0.0,15,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#considerations-for-pkce-support,SMART servers [supporting the [PKCE](https://tools.ietf.org/html/rfc7636)] … SHALL NOT support the `plain` method.,SHALL NOT,Server,,,,
23
+ hl7.fhir.uv.smart-app-launch_2.0.0,16,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support,"Servers that support purely browser-based apps SHALL enable [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) as follows: ... For requests from any origin, CORS configuration permits access to the public discovery endpoints (`.well-known/smart-configuration` and `metadata`)",DEPRECATED,Server,,,,
24
+ hl7.fhir.uv.smart-app-launch_2.0.0,17,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support,"Servers that support purely browser-based apps SHALL enable [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) as follows: ... For requests from a client’s registered origin(s), CORS configuration permits access to the token endpoint and to FHIR REST API endpoints",DEPRECATED,Server,,,,
25
+ hl7.fhir.uv.smart-app-launch_2.0.0,18,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#smart-authorization--fhir-access-overview,[In the SMART APP Launch process] the complete URLs of all apps approved for use by users of this EHR [SHALL] ... have been registered with the EHR authorization server.,SHALL,Server,,,,
26
+ hl7.fhir.uv.smart-app-launch_2.0.0,19,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#register-app-with-ehr,"SMART does not specify a standards-based registration process, but we encourage EHR implementers to consider the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591) for an out-of-the-box solution.",MAY,Server,,,,
27
+ hl7.fhir.uv.smart-app-launch_2.0.0,20,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request,"at registration time every SMART app SHALL:
28
+
29
+ Register zero or more fixed, fully-specified launch URL with the EHR’s authorization server",SHALL,Client,,,,
30
+ hl7.fhir.uv.smart-app-launch_2.0.0,21,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request,"at registration time every SMART app SHALL: ...
31
+ Register one or more fixed, fully-specified `redirect_uri` s with the EHR’s authorization server.",SHALL,Client,,,,
32
+ hl7.fhir.uv.smart-app-launch_2.0.0,22,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request,"For confidential clients, additional registration-time requirements are defined based on the client authentication method. ... For asymmetric client authentication: a [JSON Web Key Set or JWSK URL](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys) is established",SHALL,Client,,,,
33
+ hl7.fhir.uv.smart-app-launch_2.0.0,23,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request,"For confidential clients, additional registration-time requirements are defined based on the client authentication method. ...
34
+ For symmetric client authentication: a [client secret](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html) is established",SHALL,Client,,,,
35
+ hl7.fhir.uv.smart-app-launch_2.0.0,24,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response,The EHR confirms the app’s registration parameters and communicates a `client_id` to the app.,SHALL,Server,,,,
36
+ hl7.fhir.uv.smart-app-launch_2.0.0,25,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#smart-authorization--fhir-access-overview,"In a standalone launch, when the app launches from outside an EHR session, the app can request context from the EHR authorization server.",DEPRECATED,Client,,,,
37
+ hl7.fhir.uv.smart-app-launch_2.0.0,26,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#smart-authorization--fhir-access-overview,"Once an app receives a launch request, [In a standalone launch] it requests authorization to access FHIR resources by instructing the browser to navigate to the EHR’s authorization endpoint.",DEPRECATED,Client,,,,
38
+ hl7.fhir.uv.smart-app-launch_2.0.0,27,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#smart-authorization--fhir-access-overview,"[When an app requests authorization to access FHIR resources in a standalone launch] Based on pre-defined rules and possibly end-user authorization, the EHR authorization server either grants the request by returning an authorization code to the app’s redirect URL or denies the request",DEPRECATED,Server,,,,
39
+ hl7.fhir.uv.smart-app-launch_2.0.0,28,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#smart-authorization--fhir-access-overview,"[When an app requests authorization to access FHIR resources in a standalone launch] The app then exchanges the authorization code for an access token. The app presents the access token to the EHR’s resource server to access requested FHIR resources. If a refresh token is returned along with the access token, the app may use it to request a new access token with the same scope, once the old access token expires",DEPRECATED,Client,,,,
40
+ hl7.fhir.uv.smart-app-launch_2.0.0,29,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#retrieve-well-knownsmart-configuration,"the app discovers the EHR FHIR server’s SMART configuration metadata, including OAuth `authorization_endpoint` and `token_endpoint` URLs.
41
+ The discovery URL is constructed by appending .well-known/smart-configuration to the FHIR Base URL. The app issues an HTTP GET to the discovery URL with an Accept header supporting application/json.",SHALL,Client,,,,
42
+ hl7.fhir.uv.smart-app-launch_2.0.0,30,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-3,The EHR responds with a SMART configuration JSON document as described in the [Conformance](https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html) section.,SHALL,Server,,,,
43
+ hl7.fhir.uv.smart-app-launch_2.0.0,31,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … the EHR SHALL ensure that the `code_verifier` is present and valid when the code is exchanged for an access token.,SHALL,Server,,,,
44
+ hl7.fhir.uv.smart-app-launch_2.0.0,32,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … [the] `response_type` [parameter is] required [and SHALL contain the] fixed value: `code`.,SHALL,Client,,,,
45
+ hl7.fhir.uv.smart-app-launch_2.0.0,33,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … [the] `client_id` [parameter is] required [and SHALL contain the] client's identifier [provided during registration].,SHALL,Client,,,,
46
+ hl7.fhir.uv.smart-app-launch_2.0.0,34,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code... [the] `redirect_uri`[parameter is] required [and] Must match one of the client's pre-registered redirect URIs,SHALL,Client,,,,
47
+ hl7.fhir.uv.smart-app-launch_2.0.0,35,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code … [in the EHR Launch flow, the] `launch`[parameter is required, and] must match the launch value received from the EHR.",SHALL,Client,,,,
48
+ hl7.fhir.uv.smart-app-launch_2.0.0,36,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code … [in the `Standalone Launch` flow, the] `launch` [parameter is] omitted",SHALL,Client,,,,
49
+ hl7.fhir.uv.smart-app-launch_2.0.0,37,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `scope` [parameter is] `required` [and m]ust describe the access that the app needs.,SHALL,Client,,,,
50
+ hl7.fhir.uv.smart-app-launch_2.0.0,38,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `scope` [parameter is] `required` [and] Must ... [include] either: a `launch` value indicating that the app wants to receive already-established launch context details from the EHR [or] a set of launch context requirements in the form `launch/patient`, which asks the EHR to establish context on your behalf.",DEPRECATED,Client,,,,
51
+ hl7.fhir.uv.smart-app-launch_2.0.0,39,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `state` [parameter is] `required` [and] The parameter SHALL be used for preventing cross-site request forgery or session fixation attacks,SHALL,Client,,,,
52
+ hl7.fhir.uv.smart-app-launch_2.0.0,40,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `state` [parameter is] `required` [and] ... The app SHALL use an unpredictable value for the state parameter with at least 122 bits of entropy (e.g., a properly configured random uuid is suitable).",SHALL,Client,,,,
53
+ hl7.fhir.uv.smart-app-launch_2.0.0,41,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `aud` [parameter is] `required` ... [and SHALL contain the] URL of the EHR resource server from which the app wishes to retrieve FHIR data.
54
+ (Note that in the case of an EHR launch flow, this `aud` value is the same as the launch's `iss` value.)",SHALL,Client,,,,
55
+ hl7.fhir.uv.smart-app-launch_2.0.0,42,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … servers SHALL support the `aud` parameter,SHALL,Client,,,,
56
+ hl7.fhir.uv.smart-app-launch_2.0.0,43,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … servers MAY support a `resource` parameter as a synonym for `aud`.,MAY,Client,,,,
57
+ hl7.fhir.uv.smart-app-launch_2.0.0,44,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `code_challenge` [parameter is] `required` ... [and] is generated by the app and used for the code challenge, as specified by [PKCE](https://tools.ietf.org/html/rfc7636).
58
+ See [considerations-for-pkce-support](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support).",SHALL,Client,,,,
59
+ hl7.fhir.uv.smart-app-launch_2.0.0,45,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `code_challenge_method` [parameter is] `required` ... [and Shall include the] Method used for the `code_challenge` parameter.,SHALL,Client,,,,
60
+ hl7.fhir.uv.smart-app-launch_2.0.0,46,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code ... The app SHOULD limit its requested scopes to the minimum necessary (i.e., minimizing the requested data categories and the requested duration of access).",SHOULD,Client,,,,
61
+ hl7.fhir.uv.smart-app-launch_2.0.0,47,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"[When an app requests an authorization code] If the app needs to authenticate the identity of or retrieve information about the end-user, it should include two OpenID Connect scopes: `openid` and `fhirUser`. When these scopes are requested and the request is granted, the app will receive an id_token along with the access token.",SHALL,Client,,,,
62
+ hl7.fhir.uv.smart-app-launch_2.0.0,48,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,Authorization Servers SHALL support the use of the HTTP GET ... at the Authorization Endpoint,SHALL,Server,,,,
63
+ hl7.fhir.uv.smart-app-launch_2.0.0,49,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,Authorization Servers SHALL support the use of the HTTP .. POST ... at the Authorization Endpoint,SHALL,Server,,,,
64
+ hl7.fhir.uv.smart-app-launch_2.0.0,50,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,Clients SHALL use either the HTTP GET or the HTTP POST method to send the Authorization Request to the Authorization Server.,SHALL,Client,,,,
65
+ hl7.fhir.uv.smart-app-launch_2.0.0,51,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"If [clients are] using the HTTP GET method [for Authorization Requests], the request parameters are serialized using URI Query String Serialization.",SHALL,Client,,,,
66
+ hl7.fhir.uv.smart-app-launch_2.0.0,52,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-4,"If [clients are] using the HTTP POST method [for Authorization Requests], the request parameters are serialized using Form Serialization and the application/x-www-form-urlencoded content type.",SHALL,Client,,,,
67
+ hl7.fhir.uv.smart-app-launch_2.0.0,53,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,The EHR decides whether to grant ... access [in response to an Authorization Request]. This decision is communicated to the app when the EHR authorization server returns an authorization code,SHALL,Server,,,,
68
+ hl7.fhir.uv.smart-app-launch_2.0.0,54,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,The EHR decides whether to ... deny access [in response to an Authorization Request]. This decision is communicated to the app when the EHR authorization server returns … an eror response,SHALL,Server,,,,
69
+ hl7.fhir.uv.smart-app-launch_2.0.0,55,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,"Authorization codes [returned in response to an Authorization Request] are short-lived, usually expiring within around one minute.",DEPRECATED,Server,,,,
70
+ hl7.fhir.uv.smart-app-launch_2.0.0,56,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,[When responding to an authorization request] the code is sent when the EHR authorization server causes the browser to navigate to the app’s redirect_uri,SHALL,Server,,,,
71
+ hl7.fhir.uv.smart-app-launch_2.0.0,57,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the] `code` [parameter is] required [and SHALL contain the] The authorization code generated by the authorization server.,SHALL,Server,,,,
72
+ hl7.fhir.uv.smart-app-launch_2.0.0,58,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the authorization code in the] `code` [parameter] ... *must* expire shortly after it is issued to mitigate the risk of leaks,SHOULD,Server,,,,
73
+ hl7.fhir.uv.smart-app-launch_2.0.0,59,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the] `state` [parameter is] required [and SHALL contain t]he exact value received from the client [in parameter of the same name on the authorization request].,SHALL,Server,,,,
74
+ hl7.fhir.uv.smart-app-launch_2.0.0,60,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,[When an authorization repsonse is received t]he app SHALL validate the value of the state parameter [sent by the server] upon return to the redirect URL [matches the value the client sent in the authroization request].,SHALL,Client,,,,
75
+ hl7.fhir.uv.smart-app-launch_2.0.0,61,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-4,"The app… SHALL ensure that the state value [associated with the authorization request and response] is securely tied to the user’s current session (e.g., by relating the state value to a session identifier issued by the app).",SHALL,Client,,,,
76
+ hl7.fhir.uv.smart-app-launch_2.0.0,62,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,After obtaining an authorization code the app trades the code for an access token... [by issusing] an HTTP `POST` to the EHR authorization server’s token endpoint URL using content-type `application/x-www-form-urlencoded` as described in section 4.1.3 of [RFC6749](https://tools.ietf.org/html/rfc6749#section-4.1.3).,SHALL,Client,,,,
77
+ hl7.fhir.uv.smart-app-launch_2.0.0,63,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,"For `public apps`, authentication is not required [when making requests to the token endpoint] because a client with no secret cannot prove its identity when it issues a call. (The end-to-end system can still be secure because the client comes from a known, https-protected endpoint specified and enforced by the redirect uri.)",SHALL NOT,Client,,,,
78
+ hl7.fhir.uv.smart-app-launch_2.0.0,64,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,"For `confidential apps`, authentication is required [when making requests to the token endpoint].",SHALL,Client,,,,
79
+ hl7.fhir.uv.smart-app-launch_2.0.0,65,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,"Confidential clients SHOULD use [Asymmetric Authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html) [for authentication when making requests to the token endpoint] if available,",SHOULD,Client,,,,
80
+ hl7.fhir.uv.smart-app-launch_2.0.0,66,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,Confidential clients ... MAY use [Symmetric Authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html) [for authentication when making requests to the token endpoint].,MAY,Client,,,,
81
+ hl7.fhir.uv.smart-app-launch_2.0.0,67,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,[When an app requests an access token the] `grant_type`[parameter is] `required` [and SHALL contain the] fixed value: `authorization_code`,SHALL,Client,,,,
82
+ hl7.fhir.uv.smart-app-launch_2.0.0,68,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,[When an app requests an access token the] `code`[parameter is] `required` [and SHALL contain the authorizaion c]ode that the app received from the authorization server,SHALL,Client,,,,
83
+ hl7.fhir.uv.smart-app-launch_2.0.0,69,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,[When an app requests an access token the] `redirect_uri`[parameter is] `required`[and SHALL contain the] same redirect_uri used in the initial authorization request,SHALL,Client,,,,
84
+ hl7.fhir.uv.smart-app-launch_2.0.0,70,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,[When an app requests an access token the] `code_verifier`[parameter is] `required`[and SHALL be] ... used to verify against the `code_challenge` parameter previously provided in the authorize request.,SHALL,Client,,,,
85
+ hl7.fhir.uv.smart-app-launch_2.0.0,71,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,[When an app requests an access token the] `client_id`[parameter is] required for `public apps`,SHALL,Client,,,,
86
+ hl7.fhir.uv.smart-app-launch_2.0.0,72,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-5,[when an app requests an access token the] `client_id`[parameter is] ...omit[ed] for `confidential apps`,SHALL NOT,Client,,,,
87
+ hl7.fhir.uv.smart-app-launch_2.0.0,73,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,The EHR authorization server SHALL return a JSON object that includes an access token or a message indicating that the authorization request has been denied.,SHALL,Server,,,,
88
+ hl7.fhir.uv.smart-app-launch_2.0.0,74,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] 'access_token`[parameter is] `required` [and SHALL contain t]he access token issued by the authorization server,SHALL,Server,,,,
89
+ hl7.fhir.uv.smart-app-launch_2.0.0,75,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `token_type`[parameer is] `required` [and SHALL contain the f]ixed value: `Bearer`,SHALL,Server,,,,
90
+ hl7.fhir.uv.smart-app-launch_2.0.0,76,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `expires_in`[parameter is] `recommended`[and SHOULD contain the l]ifetime in seconds of the access token.,SHOULD,Server,,,,
91
+ hl7.fhir.uv.smart-app-launch_2.0.0,77,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,[When the EHR Authorization servers autorization token expires] the token SHALL NOT be accepted by the resource server,SHALL,Server,,,,
92
+ hl7.fhir.uv.smart-app-launch_2.0.0,78,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `scope`[parameter is] `required` [and SHALL contain the s]cope of access authorized. Note that this can be different from the scopes requested by the app.,SHALL,Server,,,,
93
+ hl7.fhir.uv.smart-app-launch_2.0.0,79,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `scope`[parameter is] can be different from the scopes requested by the app.,MAY,Server,,,,
94
+ hl7.fhir.uv.smart-app-launch_2.0.0,80,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `id_token`[parameter is] `optional` [and MAY contain a]uthenticated user identity and user details, if requested.",MAY,Server,,,,
95
+ hl7.fhir.uv.smart-app-launch_2.0.0,81,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `refresh_token`[parameter is] `optional` [and MAY contain the t]oken that can be used to obtain a new access token, using the same or a subset of the original authorization grants",MAY,Server,,,,
96
+ hl7.fhir.uv.smart-app-launch_2.0.0,82,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `authorization_details`[parameter is] `optional` [and MAY contain a]dditional details describing where this token can be used, and any per-location context",MAY,Server,,,,
97
+ hl7.fhir.uv.smart-app-launch_2.0.0,83,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request] if the app was launched from within a patient context, parameters to communicate the context values MAY BE included.",MAY,Server,,,,
98
+ hl7.fhir.uv.smart-app-launch_2.0.0,84,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request t]he parameters are included in the entity-body of the HTTP response, as described in section 5.1 of [RFC6749](https://tools.ietf.org/html/rfc6749).",SHALL,Server,,,,
99
+ hl7.fhir.uv.smart-app-launch_2.0.0,85,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,The access token is a string of characters as defined in [RFC6749](https://tools.ietf.org/html/rfc6749) and [RFC6750](http://tools.ietf.org/html/rfc6750).,SHALL,Server,,,,
100
+ hl7.fhir.uv.smart-app-launch_2.0.0,86,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,The authorization server’s response SHALL include the HTTP “Cache-Control” response header field with a value of “no-store”,SHALL,Server,,,,
101
+ hl7.fhir.uv.smart-app-launch_2.0.0,87,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,The authorization server’s response SHALL include the HTTP ... “Pragma” response header field with a value of “no-cache”,SHALL,Server,,,,
102
+ hl7.fhir.uv.smart-app-launch_2.0.0,88,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,"The EHR authorization server decides what `expires_in` value to assign to an access token ... as defined in section 1.5 of [RFC6749](https://tools.ietf.org/html/rfc6749#page-10), along with the access token.",SHALL,Server,,,,
103
+ hl7.fhir.uv.smart-app-launch_2.0.0,89,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,"The EHR authorization server decides ... whether to issue a refresh token, as defined in section 1.5 of [RFC6749](https://tools.ietf.org/html/rfc6749#page-10), along with the access token.",SHALL,Server,,,,
104
+ hl7.fhir.uv.smart-app-launch_2.0.0,90,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,"Apps SHOULD store tokens in app-specific storage locations only, and not in system-wide-discoverable locations.",SHOULD,Client,,,,
105
+ hl7.fhir.uv.smart-app-launch_2.0.0,91,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-5,Access tokens SHOULD have a valid lifetime no greater than one hour.,SHOULD,Server,,,,
106
+ hl7.fhir.uv.smart-app-launch_2.0.0,92,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,Confidential clients may be issued longer-lived tokens than public clients.,MAY,Server,,,,
107
+ hl7.fhir.uv.smart-app-launch_2.0.0,93,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-6,[When] fetch[ing] FHIR Resources… The [Client] app [SHALL} issue a request that includes an `Authorization` header that presents the `access_token` as a “Bearer” token,SHALL,Client,,,,
108
+ hl7.fhir.uv.smart-app-launch_2.0.0,94,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-6,The resource server SHALL validate the access token and ensure that it has not expired,SHALL,Server,,,,
109
+ hl7.fhir.uv.smart-app-launch_2.0.0,95,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-6,The resource server SHALL validate the access token and ensure that … its scope covers the requested resource.,SHALL,Server,,,,
110
+ hl7.fhir.uv.smart-app-launch_2.0.0,96,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-6,The resource server also validates that the `aud` parameter associated with the authorization [request] ... matches the resource server’s own FHIR endpoint.,SHALL,Server,,,,
111
+ hl7.fhir.uv.smart-app-launch_2.0.0,97,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-6,"[When an app may receives] a FHIR resource that contains a “reference” to a resource hosted on a different resource server … [it] SHOULD NOT blindly follow such references and send along its access_token, as the token may be subject to potential theft.",SHOULD NOT,Client,,,,
112
+ hl7.fhir.uv.smart-app-launch_2.0.0,98,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-6,"[When an app may receives] a FHIR resource that contains a “reference” to a resource hosted on a different resource serve … [it] SHOULD either ignore the reference, or initiate a new request for access to that resource.",SHOULD,Client,,,,
113
+ hl7.fhir.uv.smart-app-launch_2.0.0,99,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#refresh-access-token,EHR implementers are also encouraged to consider using the [OAuth 2.0 Token Introspection Protocol](https://tools.ietf.org/html/rfc7662) to provide an introspection endpoint that clients can use to examine the validity and meaning of tokens.,SHOULD,Server,,,,
114
+ hl7.fhir.uv.smart-app-launch_2.0.0,100,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#refresh-access-token,[The Auth Server SHALL provide a]n app with “online access”... new access tokens as long as the end-user remains online.,SHALL,Server,,,,
115
+ hl7.fhir.uv.smart-app-launch_2.0.0,101,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#refresh-access-token,[The Auth Server SHALL provide a]pps with “offline access”... new access tokens without the user being interactively engaged.,SHALL,Server,,,,
116
+ hl7.fhir.uv.smart-app-launch_2.0.0,102,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#refresh-access-token,A server can decide which client types (public or confidential) are eligible for offline access and able to receive a refresh token.,MAY,Server,,,,
117
+ hl7.fhir.uv.smart-app-launch_2.0.0,103,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#refresh-access-token,A refresh token SHALL be bound to the same `client_id` and SHALL contain the same or a subset of the claims authorized for the access token with which it is associated.,SHALL,Server,,,,
118
+ hl7.fhir.uv.smart-app-launch_2.0.0,104,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#refresh-access-token,A refresh token ... SHALL contain the same or a subset of the claims authorized for the access token with which it is associated.,SHALL,Server,,,,
119
+ hl7.fhir.uv.smart-app-launch_2.0.0,105,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `grant_type` [parameter is] `required`[and SHALL contain the] Fixed value: `refresh_token`,SHALL,Client,,,,
120
+ hl7.fhir.uv.smart-app-launch_2.0.0,106,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `refresh_token` [parameter is] `required`[and SHALL contain the] The refresh token from a prior authorization response,SHALL,Client,,,,
121
+ hl7.fhir.uv.smart-app-launch_2.0.0,107,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `scope` [parameter is] `optional`[and MAY contain the] scopes of access requested.,MAY,Client,,,,
122
+ hl7.fhir.uv.smart-app-launch_2.0.0,108,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-7,"[When requesting a new access token using a refresh token the] `scope` [parameter is] present, it must be a strict sub-set of the scopes granted in the original launch (no new permissions can be obtained at refresh time).",SHALL,Client,,,,
123
+ hl7.fhir.uv.smart-app-launch_2.0.0,109,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] a missing [`scope` parameter] value indicates a request for the same scopes granted in the original launch.,SHALL,Server,,,,
124
+ hl7.fhir.uv.smart-app-launch_2.0.0,110,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `access_token` [parameter is] `required`[and SHALL contain the n]ew access token issued by the authorization server,SHALL,Server,,,,
125
+ hl7.fhir.uv.smart-app-launch_2.0.0,111,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the]`token_type` [parameter is] `required`[and SHALL contain the] Fixed value: bearer,SHALL,Server,,,,
126
+ hl7.fhir.uv.smart-app-launch_2.0.0,112,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `expires_in`[parameter is] `required`[and SHALL contain the] The lifetime in seconds of the access token.,SHALL,Server,,,,
127
+ hl7.fhir.uv.smart-app-launch_2.0.0,113,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter is] `required` [and SHALL contain the] Scope of access authorized,SHALL,Server,,,,
128
+ hl7.fhir.uv.smart-app-launch_2.0.0,114,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter value] will be the same as the scope of the original access token,SHALL,Server,,,,
129
+ hl7.fhir.uv.smart-app-launch_2.0.0,115,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter value] can be different from the scopes requested by the app.,SHALL,Server,,,,
130
+ hl7.fhir.uv.smart-app-launch_2.0.0,116,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `refresh_token` [parameter is] `optional` [and MAY contain the] refresh token issued by the authorization server.,MAY,Server,,,,
131
+ hl7.fhir.uv.smart-app-launch_2.0.0,117,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,"[When receiving a response to a request for a new access token using a refresh token if the] `refresh_token` [parameter is] present, the app should discard any previous refresh_token associated with this launch and replace it with this new value",SHOULD,Client,,,,
132
+ hl7.fhir.uv.smart-app-launch_2.0.0,118,https://hl7.org/fhir/smart-app-launch/STU2/app-launch.html#response-7,"[When responding to a request for a new access token using a refresh token the] if the app was launched from within a patient context, parameters to communicate the context values MAY BE included.",MAY,Server,,,,
133
+ hl7.fhir.uv.smart-app-launch_2.0.0,119,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#smarts-scopes-are-used-to-delegate-access,[When responding to] a client request… of a specific set of access rights; [servers SHALL respect] … underlying system policies and permissions [even if they conflict with granted scopes],SHALL,Server,,,,
134
+ hl7.fhir.uv.smart-app-launch_2.0.0,120,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"[Client, SHALL include scope] `c` for `create`[to request the ability to perform] Type level [create](http://hl7.org/fhir/http.html#create)",SHALL,Client,,,,
135
+ hl7.fhir.uv.smart-app-launch_2.0.0,121,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"[Client, SHALL include scope] `r` for `read` [to request the ability to perform] Instance level [read](http://hl7.org/fhir/http.html#read), Instance level [vread](http://hl7.org/fhir/http.html#vread), and Instance level [history](http://hl7.org/fhir/http.html#history)",SHALL,Client,,,,
136
+ hl7.fhir.uv.smart-app-launch_2.0.0,122,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"[Client, SHALL include scope] `u` for `update`[to request the ability to perform] Instance level [update](http://hl7.org/fhir/http.html#update)] ..., and Instance level [patch](http://hl7.org/fhir/http.html#patch)",SHALL,Client,,,,
137
+ hl7.fhir.uv.smart-app-launch_2.0.0,123,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"Note that some servers allow for an [update operation to create a new instance](http://hl7.org/fhir/http.html#upsert), and this is allowed by the update scope",SHALL,Server,,,,
138
+ hl7.fhir.uv.smart-app-launch_2.0.0,124,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"[Client, SHALL include scope] `d` for `delete` [to request the ability to perform] Type level [delete](http://hl7.org/fhir/http.html#delete)]",SHALL,Client,,,,
139
+ hl7.fhir.uv.smart-app-launch_2.0.0,125,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"[Client, SHALL include scope] `s` for `search`[to request the ability to perform] Type level [search](http://hl7.org/fhir/http.html#search), Type level [history](http://hl7.org/fhir/http.html#history), System level [search](http://hl7.org/fhir/http.html#search), and System level [history](http://hl7.org/fhir/http.html#history)",SHALL,Client,,,,
140
+ hl7.fhir.uv.smart-app-launch_2.0.0,126,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD advertise the `permission-v1` capability in their `.well-known/smart-configuration` discovery document",SHOULD,Server,,,,
141
+ hl7.fhir.uv.smart-app-launch_2.0.0,127,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD … return v1 scopes when v1 scopes are requested and granted",SHOULD,Server,,,,
142
+ hl7.fhir.uv.smart-app-launch_2.0.0,128,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD … process v1 scopes with the following semantics in v2:
143
+ v1 `.read` ⇒ v2 `.rs`
144
+ v1 `.write` ⇒ v2 `.cud`
145
+ v1 `.*` ⇒ v2 `.cruds`",SHOULD,Server,,,,
146
+ hl7.fhir.uv.smart-app-launch_2.0.0,129,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-clinical-data,"Scope requests with undefined or out of order interactions MAY be ignored, replaced with server default scopes, or rejected",MAY,Server,,,,
147
+ hl7.fhir.uv.smart-app-launch_2.0.0,130,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#batches-and-transactions,[B]atch and transaction requests should [SHALL] be validated based on the actual requests within them.,SHALL,Server,,,,
148
+ hl7.fhir.uv.smart-app-launch_2.0.0,131,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scope-equivalence,"In order to reduce token size, it is recommended that scopes be factored to their shortest form.",SHOULD,Client,,,,
149
+ hl7.fhir.uv.smart-app-launch_2.0.0,132,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#finer-grained-resource-constraints-using-search-parameters,"[To request a scope that applies to a subset of instances of a resource type, clients SHALL] add a query string suffix to existing scopes, starting with `?` and followed by a series of `param=value` items separated by `&`",SHALL,Client,,true,,
150
+ hl7.fhir.uv.smart-app-launch_2.0.0,133,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scope-size-over-the-wire,"When initiating an authorization request, app developers should prefer POST-based authorization requests to GET-based requests, since this avoids URL length limits that might apply to GET-based authorization requests.",SHOULD,Client,,,,
151
+ hl7.fhir.uv.smart-app-launch_2.0.0,134,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scope-size-over-the-wire,"[S]ince access tokens are included in HTTP headers, servers should take care to ensure they do not get too large.",SHOULD,Server,,,,
152
+ hl7.fhir.uv.smart-app-launch_2.0.0,135,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#clinical-scope-syntax,"[T]he scope language is [the following sequence of characters:
153
+ - one of ""patient"", ""user"", or ""system""
154
+ - ""/""
155
+ - either a FHIR resource type or ""*""
156
+ - "".""
157
+ - optional ""c""
158
+ - optional ""r""
159
+ - optional ""u""
160
+ - optional ""d""
161
+ - optional ""s""
162
+ - optional ""?"" followed by at least 1 ""<param>=<value>"" pairs, where <param> is a valid search parameter and <value> is a valid corresponding value, with each pair each separated by ""&"" if there are multiple]",SHALL,Client,,,,
163
+ hl7.fhir.uv.smart-app-launch_2.0.0,136,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#patient-specific-scopes,[When granting p]atient-specific scopes [servers promise to] allow [the client to] access to specific data about a single patient. Which patient is not specified here: FHIR Resource scopes are all about *what* and not *who*,SHALL,Server,,,,
164
+ hl7.fhir.uv.smart-app-launch_2.0.0,137,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#patient-specific-scopes,[To request p]atient-specific scopes start [the scope string] with `patient/`,SHALL,Client,,,,
165
+ hl7.fhir.uv.smart-app-launch_2.0.0,138,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#patient-specific-scopes,"Note that some EHRs may not enable access to all related resources [when responding to data requests with a patient-specific scope] (for example, Practitioners linked to/from Patient-specific resources).",MAY,Server,,,,
166
+ hl7.fhir.uv.smart-app-launch_2.0.0,139,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#patient-specific-scopes,"if a FHIR server supports linking one Patient record with another via `Patient.link`, the server documentation SHALL describe its authorization behavior.",SHALL,Server,,,,
167
+ hl7.fhir.uv.smart-app-launch_2.0.0,140,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#user-level-scopes,[When granting u]ser-level scopes [servers promise to] allow [the client] access to specific data that a user can access. Note that this isn’t just data about the user; it’s data available to that user.,SHALL,Server,,,,
168
+ hl7.fhir.uv.smart-app-launch_2.0.0,141,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#user-level-scopes,[To request u]ser-level scopes start [the scope string] with `user/`.,SHALL,Client,,,,
169
+ hl7.fhir.uv.smart-app-launch_2.0.0,142,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#system-level-scopes,"[When granting s]ystem-level scopes [servers promise to allow access to] data that a client system is directly authorized to access; these scopes are useful in cases where there is no user in the loop, such as a data monitoring or reporting service.",SHALL,Server,,,,
170
+ hl7.fhir.uv.smart-app-launch_2.0.0,143,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#system-level-scopes,[To request s]ystem-level scopes start [the scope string] with `system/`.,SHALL,Client,,,,
171
+ hl7.fhir.uv.smart-app-launch_2.0.0,144,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#wildcard-scopes,"[When granting w]ildcard scopes…[servers promise to allow access to] all data for all available FHIR resources, both now and in the future.",SHALL,Server,,,,
172
+ hl7.fhir.uv.smart-app-launch_2.0.0,145,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#wildcard-scopes,[T]he scopes ultimately granted by the authorization server may differ from the scopes requested by the client!,MAY,Server,,,,
173
+ hl7.fhir.uv.smart-app-launch_2.0.0,146,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#wildcard-scopes,"[To request] Wildcard scopes [the scope string SHALL] contain a wildcard (`*`) for the FHIR resource [e.g., `patient/*.cruds`]",SHALL,Client,,,,
174
+ hl7.fhir.uv.smart-app-launch_2.0.0,147,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#wildcard-scopes,clients should examine the granted scopes by the authorization server and respond accordingly. Failure to do so may lead to situations where the client receives an authorization failure by the FHIR server because it attempted to access FHIR resources beyond the granted scopes.,SHOULD,Client,,,,
175
+ hl7.fhir.uv.smart-app-launch_2.0.0,148,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#wildcard-scopes,clients are encouraged to request only the scopes and permissions they need to function and avoid the use of wildcard scopes purely for the sake of convenience,SHOULD,Client,,,,
176
+ hl7.fhir.uv.smart-app-launch_2.0.0,149,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-context-data,[Context data scopes tell ther server] what context parameters will [SHALL] be provided in the access token response,SHALL,Server,,,,
177
+ hl7.fhir.uv.smart-app-launch_2.0.0,150,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-context-data,To request access to …[context data] an app [SHALL] ask for “launch context” scopes in addition to whatever FHIR Resource access scopes it needs.,SHALL,Client,,,,
178
+ hl7.fhir.uv.smart-app-launch_2.0.0,151,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"To request access to …[context data, the scope string SHALL] begin with `launch`.",SHALL,Client,,,,
179
+ hl7.fhir.uv.smart-app-launch_2.0.0,152,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#standalone-apps,[When clients n]eed patient context at launch time (FHIR Patient resource)[ they SHALL request the `launch/patient` scope].,SHALL,Client,,,,
180
+ hl7.fhir.uv.smart-app-launch_2.0.0,153,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#standalone-apps,[When clients n]eed encounter context at launch time (FHIR Encounter resource)[ they SHALL request the `launch/encounter` scope].,SHALL,Client,,,,
181
+ hl7.fhir.uv.smart-app-launch_2.0.0,154,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,Any SMART EHR MAY extend this list [of context scopes] to support additional context [beyond patient and encounter[..,DEPRECATED,Server,,,,
182
+ hl7.fhir.uv.smart-app-launch_2.0.0,155,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When specifying resource types [for additional launch contexts], convert the type names to all lowercase (e.g., launch/diagnosticreport)",DEPRECATED,Client,,,,
183
+ hl7.fhir.uv.smart-app-launch_2.0.0,156,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"In situations where the same resource type might be used for more than one purpose (e.g., in a medication reconciliation app, one List of at-home medications and another List of in-hospital medications), the app can [(and SHALL if needed)] solicit [launch] context with a specific role by appending `?role={role}` [to the end of the launch context scope].",DEPRECATED,Client,,,,
184
+ hl7.fhir.uv.smart-app-launch_2.0.0,157,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,When using `?role=` in launch context requests: Each requested scope can include at most one role.,DEPRECATED,Client,,,,
185
+ hl7.fhir.uv.smart-app-launch_2.0.0,158,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: ... If an app requires multiple roles, it MAY request multiple scopes",DEPRECATED,Client,,,,
186
+ hl7.fhir.uv.smart-app-launch_2.0.0,159,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: … If an EHR receives a request for an unsupported role, it SHOULD return any launch context supported for the supplied resource type.",DEPRECATED,Server,,,,
187
+ hl7.fhir.uv.smart-app-launch_2.0.0,160,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: … If an EHR receives a request for an unsupported role, … It MAY return alternative roles.",DEPRECATED,Server,,,,
188
+ hl7.fhir.uv.smart-app-launch_2.0.0,161,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"Apps that launch from the EHR will be passed an explicit URL parameter called `launch`, whose value must associate the app’s authorization request with the current EHR session.",SHALL,Client,,,,
189
+ hl7.fhir.uv.smart-app-launch_2.0.0,162,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The application [that launches from an EHR] could choose to also provide `launch/patient`, `launch/encounter`, or other `launch/` scopes as “hints” regarding which contexts the app would like the EHR to gather.",MAY,Client,,,,
190
+ hl7.fhir.uv.smart-app-launch_2.0.0,163,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The EHR MAY ignore these hints [regarding which contexts the app would like the EHR to gather] (for example, if the user is in a workflow where these contexts do not exist).",MAY,Server,,,,
191
+ hl7.fhir.uv.smart-app-launch_2.0.0,164,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"If an application requests a FHIR Resource scope which is restricted to a single patient (e.g., patient/*.rs), and the authorization results in the EHR granting that scope, the EHR SHALL establish a patient in context.",SHALL,Server,,,,
192
+ hl7.fhir.uv.smart-app-launch_2.0.0,165,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The EHR MAY refuse authorization requests including `patient/` that do not also include a valid `launch`, or it MAY infer the `launch/patient` scope.",MAY,Server,,,,
193
+ hl7.fhir.uv.smart-app-launch_2.0.0,166,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#standalone-apps,Standalone apps that launch outside the EHR do not have any EHR context at the outset. These apps must explicitly request EHR context.,SHALL,Client,,,,
194
+ hl7.fhir.uv.smart-app-launch_2.0.0,167,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#standalone-apps,"[when a standalone app requests EHR context] The EHR SHOULD provide the requested context if requested by the following scopes, unless otherwise noted.",SHOULD,Server,,,,
195
+ hl7.fhir.uv.smart-app-launch_2.0.0,168,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"Once an app is authorized, the token response will include any context data the app requested and any (potentially) unsolicited context data the EHR may decide to communicate",SHALL,Server,,,,
196
+ hl7.fhir.uv.smart-app-launch_2.0.0,169,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"Once an app is authorized, the token response will include any … [l]aunch context parameters [and] come alongside the access token… [which SHALL] appear as JSON parameters.",SHALL,Server,,,,
197
+ hl7.fhir.uv.smart-app-launch_2.0.0,170,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"[The] launch context parameter... `patient`... [SHALL contain a s]tring value with a patient id, indicating that the app was launched in the context of FHIR Patient... If the app has any patient-level scopes, they will be scoped to Patient [provided in this parameter].",SHALL,Server,,,,
198
+ hl7.fhir.uv.smart-app-launch_2.0.0,171,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"[The] launch context parameter... `encounter`... [SHALL contain a s]tring value with an encounter id, indicating that the app was launched in the context of FHIR Encounter",SHALL,Server,,,,
199
+ hl7.fhir.uv.smart-app-launch_2.0.0,172,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `fhirContext`... [SHALL contain an a]rray of objects referring to any resource type other than “Patient” or “Encounter”.,SHALL,Server,,,,
200
+ hl7.fhir.uv.smart-app-launch_2.0.0,173,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `need_patient_banner`... [SHALL contain a] boolean value indicating whether the app was launched in a UX context where a patient banner is required (when true) or may not be required (when false). An app receiving a value of false might not need to take up screen real estate displaying a patient banner.,SHALL,Server,,,,
201
+ hl7.fhir.uv.smart-app-launch_2.0.0,174,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `intent`... [SHALL contain a s]tring value describing the intent of the application launch,SHALL,Server,,,,
202
+ hl7.fhir.uv.smart-app-launch_2.0.0,175,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `smart_style_url`... [SHALL contain a s]tring URL where the EHR’s style parameters can be retrieved (for apps that support [styling](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#styling)),SHALL,Server,,,,
203
+ hl7.fhir.uv.smart-app-launch_2.0.0,176,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `tenant`... [SHALL contain a s]tring conveying an opaque identifier for the healthcare organization that is launching the app. This parameter is intended primarily to support EHR Launch scenarios.,SHALL,Server,,,,
204
+ hl7.fhir.uv.smart-app-launch_2.0.0,177,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"{A]ny contextual resource types that were requested by a launch scope will appear in the `fhirContext` array... except ... Patient and Encounter resource types, which will not be deprecated from top-level parameters, and they will not be permitted within the `fhirContex`t array unless they include a `role` other than ""launch"".",DEPRECATED,Server,,,,
205
+ hl7.fhir.uv.smart-app-launch_2.0.0,178,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array SHALL include at least one of `""reference""`, `""canonical""`, or `""identifier""`",DEPRECATED,Server,,,,
206
+ hl7.fhir.uv.smart-app-launch_2.0.0,179,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""reference""` (string) … [which is the] relative reference to a FHIR resource. Note that there MAY be more than one fhirContext item referencing the same type of resource.",DEPRECATED,Server,,,,
207
+ hl7.fhir.uv.smart-app-launch_2.0.0,180,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,Note that there MAY be more than one fhirContext item referencing the same type of resource [using the property `reference`].,DEPRECATED,Server,,,,
208
+ hl7.fhir.uv.smart-app-launch_2.0.0,181,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""canonical""` (string) … [which is the] canonical URL for the `fhirContext` item (MAY include a version suffix)",DEPRECATED,Server,,,,
209
+ hl7.fhir.uv.smart-app-launch_2.0.0,182,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[The `canonical` property in a `fhirContext` array object] MAY include a version suffix),DEPRECATED,Server,,,,
210
+ hl7.fhir.uv.smart-app-launch_2.0.0,183,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""identifier""` (object) … [which is the] FHIR Identifier for the `fhirContext` item",DEPRECATED,Server,,,,
211
+ hl7.fhir.uv.smart-app-launch_2.0.0,184,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""type""` (string) … [which is the] FHIR resource type of the `fhirContext` item (RECOMMENDED when `""identifier""` or `""canonical""` is present)",DEPRECATED,Server,,,,
212
+ hl7.fhir.uv.smart-app-launch_2.0.0,185,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"[The `type` property in a `fhirContext` array object is] RECOMMENDED when `""identifier""` or `""canonical""` is present)",DEPRECATED,Server,,,,
213
+ hl7.fhir.uv.smart-app-launch_2.0.0,186,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""role""` (string) … [which is the] URI identifying the role of this `fhirContext` item.",DEPRECATED,Server,,,,
214
+ hl7.fhir.uv.smart-app-launch_2.0.0,187,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[The `role` property in a `fhirContext` array object may contain r]elative role URIs ... if [they are] defined in this specification; other roles require the use of absolute URIs,DEPRECATED,Server,,,,
215
+ hl7.fhir.uv.smart-app-launch_2.0.0,188,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[O]ther roles [defined outside of this specification] require the use of absolute URIs [when used in the `role` property in a `fhirContext` array object],DEPRECATED,Server,,,,
216
+ hl7.fhir.uv.smart-app-launch_2.0.0,189,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,This [`role`] property MAY be omitted,DEPRECATED,Server,,,,
217
+ hl7.fhir.uv.smart-app-launch_2.0.0,190,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,This [`role`] property... SHALL NOT be the empty string.,DEPRECATED,Server,,,,
218
+ hl7.fhir.uv.smart-app-launch_2.0.0,191,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"The absence of a role property [in a `fhirContext` array object] is semantically equivalent to a role of `""launch""`, indicating to a client [which SHALL interpret it to mean] that the app launch was performed in the context of the referenced resource.",DEPRECATED,Client,,,,
219
+ hl7.fhir.uv.smart-app-launch_2.0.0,192,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,Multiple `fhirContext` items MAY have the same role.,DEPRECATED,Server,,,,
220
+ hl7.fhir.uv.smart-app-launch_2.0.0,193,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-intent,"If a SMART EHR provides a value that the client does not recognize, or does not provide a value, the client app SHOULD display a default application UI context.",SHOULD,Client,,,,
221
+ hl7.fhir.uv.smart-app-launch_2.0.0,194,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#launch-intent,The meaning of intent values must be negotiated between the app and the EHR.,SHALL,Server,,,,
222
+ hl7.fhir.uv.smart-app-launch_2.0.0,195,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,Some apps need to authenticate the end-user. This can be accomplished by requesting the scope `openid`.,MAY,Client,,,,
223
+ hl7.fhir.uv.smart-app-launch_2.0.0,196,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"When the `openid` scope is requested, apps can [(if a FHIR representation of the user is needed, SHALL,)] also request the `fhirUser` scope to obtain a FHIR resource representation of the current user",SHALL,Client,,true,,
224
+ hl7.fhir.uv.smart-app-launch_2.0.0,197,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"If the EHR cannot represent the user with a FHIR resource, it cannot support the `fhirUser` scope.",DEPRECATED,Server,,,,
225
+ hl7.fhir.uv.smart-app-launch_2.0.0,198,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [instance returned from the `fhirUser` URL] will be a resource of type Patient, Practitioner, PractitionerRole, RelatedPerson, or Person",SHALL,Server,,,,
226
+ hl7.fhir.uv.smart-app-launch_2.0.0,199,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Note that [the] `Person` [resource type] is only used if the other resource types do not apply to the current user, for example, the “authorized representative” for >1 patients [would be a Person since RelatedPerson can be associated only with a single Patient].",SHOULD,Server,,,,
227
+ hl7.fhir.uv.smart-app-launch_2.0.0,200,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"When these [identity data] scopes are requested (and the request is granted), the [server SHALL send and the] app will receive an [`id_token`](http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken) that comes alongside the access token.",SHALL,Server,,,,
228
+ hl7.fhir.uv.smart-app-launch_2.0.0,201,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,This token must be [validated according to the OIDC specification](http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) [by the client app].,SHALL,Client,,,,
229
+ hl7.fhir.uv.smart-app-launch_2.0.0,202,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To learn more about the user, the app should treat the `fhirUser` claim as the URL of a FHIR resource representing the current user [and SHALL perform a FHIR read interaction to get it].",SHALL,Client,,,,
230
+ hl7.fhir.uv.smart-app-launch_2.0.0,203,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [`fhirUser`] URL MAY be absolute (e.g., https://ehr.example.org/Practitioner/123)",MAY,Server,,,,
231
+ hl7.fhir.uv.smart-app-launch_2.0.0,204,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [`fhirUser`] URL ... MAY be relative to the FHIR server base URL associated with the current authorization request (e.g., Practitioner/123)…. Note that the FHIR server base URL is the same as the URL represented in the aud parameter passed in to the authorization request.",MAY,Server,,,,
232
+ hl7.fhir.uv.smart-app-launch_2.0.0,205,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support the Authorization Code Flow, with the request parameters as defined in [SMART App Launch](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html).",SHALL,Server,,,,
233
+ hl7.fhir.uv.smart-app-launch_2.0.0,206,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … Support is not required for [Authorization Code Flow] parameters that OIDC lists as optional (e.g., `id_token_hint`, `acr_value`), but EHRs are encouraged to review these optional parameters.",MAY,Server,,,,
234
+ hl7.fhir.uv.smart-app-launch_2.0.0,207,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, …The EHR SHALL publish public keys as bare JWK keys",SHALL,Server,,,,
235
+ hl7.fhir.uv.smart-app-launch_2.0.0,208,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,[If the EHR publishes public keys as bare JWK keys they] MAY also be accompanied by X.509 representations of those keys,MAY,Server,,,,
236
+ hl7.fhir.uv.smart-app-launch_2.0.0,209,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support the inclusion of SMART’s `fhirUser` claim within the `id_token` issued for any requests that grant the `openid` and `fhirUser` scopes.",SHALL,Server,,,,
237
+ hl7.fhir.uv.smart-app-launch_2.0.0,210,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support Signing ID Tokens with RSA SHA-256",SHALL,Server,,,,
238
+ hl7.fhir.uv.smart-app-launch_2.0.0,211,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … A SMART app SHALL NOT pass the `auth_time` claim or `max_age` parameter to a server that does not support receiving them.",SHALL NOT,Client,,,,
239
+ hl7.fhir.uv.smart-app-launch_2.0.0,212,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including … `claims` parameters on the authorization request",MAY,Server,,,,
240
+ hl7.fhir.uv.smart-app-launch_2.0.0,213,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including] … Request Objects on the authorization request",MAY,Server,,,,
241
+ hl7.fhir.uv.smart-app-launch_2.0.0,214,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including] … UserInfo endpoint with claims exposed to clients",MAY,Server,,,,
242
+ hl7.fhir.uv.smart-app-launch_2.0.0,215,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-a-refresh-token,"To request a `refresh_token` that can be used to obtain a new access token after the current access token expires, add [the] `online_request` [scope that requests a refresh token that] … will be usable for as long as the end-user remains online.",SHALL,Client,,,,
243
+ hl7.fhir.uv.smart-app-launch_2.0.0,216,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#scopes-for-requesting-a-refresh-token,"To request a `refresh_token` that can be used to obtain a new access token after the current access token expires, add [the] `offline_access`[Scope that requests a refresh token] … that will remain usable for as long as the authorization server and end-user will allow, regardless of whether the end-user is online.",SHALL,Client,,,,
244
+ hl7.fhir.uv.smart-app-launch_2.0.0,217,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#extensibility,"additional context parameters and scopes … [defined by the server and] used as extensions … [SHOULD use] the following namespace conventions _use a full URI that you control (e.g., http://example.com/scope-name) [or] _use any string starting with `__` (two underscores)",SHOULD,Server,,,,
245
+ hl7.fhir.uv.smart-app-launch_2.0.0,218,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#steps-for-using-an-id-token,"[to use and ID token, Apps SHALL]
246
+ 1. Examine the ID token for its “issuer” property
247
+ 2.Perform a `GET {issuer}/.well-known/openid-configuration`
248
+ 3.Fetch the server’s JSON Web Key by following the “jwks_uri” property [from the retrieved `openid-configuration`]
249
+ 4. Validate the token’s signature against the public key [retrieved from the ""jwks_uri"" location in the token's `openid-configuration`]
250
+ 5.Extract the fhirUser claim [from the verified token] and treat it as the URL of a FHIR resource",SHALL,Client,,,,
251
+ hl7.fhir.uv.smart-app-launch_2.0.0,219,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#appendix-uri-representation-of-scopes,"When URI representations are required, the SMART scopes SHALL be prefixed with `http://smarthealthit.org/fhir/scopes/`, so that a `patient/*.r` scope would be `http://smarthealthit.org/fhir/scopes/patient/*.r`",SHALL,Client,,,,
252
+ hl7.fhir.uv.smart-app-launch_2.0.0,220,https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html#appendix-uri-representation-of-scopes,"To represent OpenID scopes as URIs, the prefix `http://openid.net/specs/openid-connect-core-1_0#` SHALL be used.",SHALL,Client,,,,
253
+ hl7.fhir.uv.smart-app-launch_2.0.0,221,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#use-this-profile-when-the-following-conditions-apply,[Clients SHALL] use [the Backend Services] profile when... The target FHIR authorization server can register the client and pre-authorize access to a defined set of FHIR resources.,DEPRECATED,Client,,,,
254
+ hl7.fhir.uv.smart-app-launch_2.0.0,222,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#use-this-profile-when-the-following-conditions-apply,"[Clients SHALL] use [the Backend Services] profile when... The client may run autonomously, or with user interaction that does not include access authorization.",DEPRECATED,Client,,,,
255
+ hl7.fhir.uv.smart-app-launch_2.0.0,223,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#use-this-profile-when-the-following-conditions-apply,[Clients SHALL] use [the Backend Services] profile when...The client supports `client-confidential-asymmetric` [authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html),DEPRECATED,Client,,,,
256
+ hl7.fhir.uv.smart-app-launch_2.0.0,224,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#use-this-profile-when-the-following-conditions-apply,[Clients SHALL] use [the Backend Services] profile when... No compelling need exists for a user to authorize the access at runtime.,DEPRECATED,Client,,,,
257
+ hl7.fhir.uv.smart-app-launch_2.0.0,225,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#register-smart-backend-service-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL register with the server by following the [registration steps described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys).",SHALL,Client,,,,
258
+ hl7.fhir.uv.smart-app-launch_2.0.0,226,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#retrieve-well-knownsmart-configuration,"[T]he app [SHALL discover] the EHR FHIR server’s SMART configuration metadata, including OAuth token endpoint URL",SHALL,Client,,,,
259
+ hl7.fhir.uv.smart-app-launch_2.0.0,227,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request,The app [SHALL issue] an HTTP GET with an `Accept` header supporting `application/json` to retrieve the SMART configuration file [from [base]/.well-known/smart-configuration],SHALL,Client,,,,
260
+ hl7.fhir.uv.smart-app-launch_2.0.0,228,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#response,Servers [SHALL] respond [to requests to [base]/.well-known/smart-configuration] with a discovery response that meets [discovery requirements described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#discovery-requirements). [from [base]/.well-known/smart-configuration],SHALL,Server,,,,
261
+ hl7.fhir.uv.smart-app-launch_2.0.0,229,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#obtain-acess-token,Use of the client credentials grant type requires that the client SHALL be a “confidential” client capable of protecting its authentication credential.,SHALL,Client,,,,
262
+ hl7.fhir.uv.smart-app-launch_2.0.0,230,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,"To begin the exchange, the client SHALL use the [Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246)](https://tools.ietf.org/html/rfc5246) or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the FHIR authorization server’s token endpoint.",SHALL,Client,,,,
263
+ hl7.fhir.uv.smart-app-launch_2.0.0,231,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,All exchanges described herein between the client and the FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS .,SHALL,Server,,,,
264
+ hl7.fhir.uv.smart-app-launch_2.0.0,232,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,All exchanges described herein between the client and the FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS .,SHALL,Client,,,,
265
+ hl7.fhir.uv.smart-app-launch_2.0.0,233,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,"Before a client can request an access token, it [SHALL] generates a one-time-use authentication JWT [as described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint)",SHALL,Client,,,,
266
+ hl7.fhir.uv.smart-app-launch_2.0.0,234,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,"After generating this authentication JWT, the client requests an access token via HTTP `POST` to the FHIR authorization server’s token endpoint URL, using content-type `application/x-www-form-urlencoded`",SHALL,Client,,,,
267
+ hl7.fhir.uv.smart-app-launch_2.0.0,235,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,[When requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `scope` [parameter is] `required` [and SHALL contain] … the scope of access requested ... following the [SMART Scopes syntax](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html),SHALL,Client,,,,
268
+ hl7.fhir.uv.smart-app-launch_2.0.0,236,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `grant_type` [parameter is] `required` [and SHALL contain the] … Fixed value: `client_credentials`,SHALL,Client,,,,
269
+ hl7.fhir.uv.smart-app-launch_2.0.0,237,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `client_assertion_type` [parameter is] `required` [and SHALL contain] … Fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,
270
+ hl7.fhir.uv.smart-app-launch_2.0.0,238,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `client_assertion` [parameter is] `required` [and SHALL contain] … [the s]igned authentication JWT value,SHALL,Client,,,,
271
+ hl7.fhir.uv.smart-app-launch_2.0.0,239,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#scopes,"For Backend Services, requested scopes will be `system/` scopes",SHOULD,Client,,,,
272
+ hl7.fhir.uv.smart-app-launch_2.0.0,240,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#scopes,"The client is pre-authorized by the server: at registration time or out of band, it is given the authority to access certain data.",SHALL,Server,,,,
273
+ hl7.fhir.uv.smart-app-launch_2.0.0,241,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#scopes,"The client then includes a set of scopes in the access token request [`scope` parameter], which the server … [SHALL] apply [as] additional access restrictions following the [SMART Scopes syntax](https://hl7.org/fhir/smart-app-launch/STU2/scopes-and-launch-context.html).",SHALL,Server,,,,
274
+ hl7.fhir.uv.smart-app-launch_2.0.0,242,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#scopes,"The use of Backend Services with user/ and patient/ scopes is not prohibited, but would require out-of-band coordination to establish context (e.g., to establish which user or patient applies).",MAY,Client,,,,
275
+ hl7.fhir.uv.smart-app-launch_2.0.0,243,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that it is not authorized to see (e.g., a client asks for Observation resources but has scopes that only permit access to Patient resources) …a server SHOULD respond with a failure to the initial request.",SHOULD,Server,,,,
276
+ hl7.fhir.uv.smart-app-launch_2.0.0,244,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that the server does not support (e.g., a client asks for Practitioner resources but the server does not support FHIR access to Practitioner data) ... a server SHOULD respond with a failure to the initial request.",SHOULD,Server,,,,
277
+ hl7.fhir.uv.smart-app-launch_2.0.0,245,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that the server supports and that appears consistent with its access scopes – but some additional out-of-band rules/policies/restrictions prevents the client from being authorized to see these data... the server MAY withhold certain results from the response, and MAY indicate to the client that results were withheld by including OperationOutcome information in the “error” array for the response as a partial success.",MAY,Server,,,,
278
+ hl7.fhir.uv.smart-app-launch_2.0.0,246,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#enforce-authorization,"[When a server does not return data that the clien's scopes indicate it has access to, it] MAY indicate to the client that results were withheld by including OperationOutcome information in the “error” array for the response as a partial success.",MAY,Server,,,,
279
+ hl7.fhir.uv.smart-app-launch_2.0.0,247,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#enforce-authorization,"Rules regarding circumstances under which a client is required to obtain and present an access token along with a request are based on risk-management decisions that each FHIR resource service needs to [(SHALL)] make, considering the workflows involved, perceived risks, and the organization’s risk-management policies.",SHALL,Server,,,,
280
+ hl7.fhir.uv.smart-app-launch_2.0.0,248,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#enforce-authorization,Refresh tokens SHOULD NOT be issued.,SHOULD NOT,Server,,,,
281
+ hl7.fhir.uv.smart-app-launch_2.0.0,249,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#validate-authentication-jws,The FHIR authorization server [SHALL validate] a client’s authentication JWT according to the client-confidential-asymmetric authentication profile … [per the] [JWT validation rules](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification).,SHALL,Server,,,,
282
+ hl7.fhir.uv.smart-app-launch_2.0.0,250,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#evaluate-requested-access,"Once the client has been authenticated, the FHIR authorization server SHALL mediate the request to assure that the scope requested is within the scope pre-authorized to the client.",SHALL,Server,,,,
283
+ hl7.fhir.uv.smart-app-launch_2.0.0,251,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,"If an error is encountered during the authorization process, the FHIR authorization server SHALL respond with the appropriate error message defined in [Section 5.2 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749#page-45)",SHALL,Server,,,,
284
+ hl7.fhir.uv.smart-app-launch_2.0.0,252,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,If an error is encountered during the authorization process... [t]he FHIR authorization server SHOULD include an `error_uri` or `error_description` as defined in OAuth 2.0.,SHOULD,Server,,,,
285
+ hl7.fhir.uv.smart-app-launch_2.0.0,253,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,"If the access token request is valid and authorized, the FHIR authorization server SHALL issue an access token in response.",SHALL,Server,,,,
286
+ hl7.fhir.uv.smart-app-launch_2.0.0,254,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,[When responding with an access token t]he `access_token` [parameter is] `required` [and] SHALL [contain] The access token issued by the FHIR authorization server.,SHALL,Server,,,,
287
+ hl7.fhir.uv.smart-app-launch_2.0.0,255,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,[When responding with an access token t]he `token_type` [parameter is] `required` [and] SHALL [contain] Fixed value: bearer.,SHALL,Server,,,,
288
+ hl7.fhir.uv.smart-app-launch_2.0.0,256,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,[When responding with an access token t]he `expires_in` [parameter is] `required` [and] SHALL [contain] The lifetime in seconds of the access token.,SHALL,Server,,,,
289
+ hl7.fhir.uv.smart-app-launch_2.0.0,257,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,"[When responding with an access token t]he recommended value [for the `expires_in` parameter] is 300, for a five-minute token lifetime.",SHOULD,Server,,,,
290
+ hl7.fhir.uv.smart-app-launch_2.0.0,258,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,[When responding with an access token t]he `scope` [parameter is] `required` [and] SHALL [contain s]cope of access authorized.,SHALL,Server,,,,
291
+ hl7.fhir.uv.smart-app-launch_2.0.0,259,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,[When responding with an access token t]he `scope` [parameter value] can be different from the scopes requested by the app.,SHALL,Server,,,,
292
+ hl7.fhir.uv.smart-app-launch_2.0.0,260,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,"to minimize risks associated with token redirection, the scope of each access token SHOULD encompass, and be limited to, the resources requested",SHOULD,Server,,,,
293
+ hl7.fhir.uv.smart-app-launch_2.0.0,261,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,[When responding with an access token a]ccess tokens issued under this [backed services] profile SHALL be short-lived,SHALL,Server,,,,
294
+ hl7.fhir.uv.smart-app-launch_2.0.0,262,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#issue-access-token,"[When responding with an access token t]he `expires_in` value SHOULD NOT exceed 300, which represents an expiration-time of five minutes.",SHOULD NOT,Server,,,,
295
+ hl7.fhir.uv.smart-app-launch_2.0.0,263,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"To establish longer-term access [using backend services given the short-lived duration of access tokens], clients can request new access tokens as needed.",DEPRECATED,Client,,,,
296
+ hl7.fhir.uv.smart-app-launch_2.0.0,264,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#request-2,The app [SHALL issue] a request [for FHIR data[ that includes an Authorization header that presents the access_token as a “Bearer” token: `Authorization: Bearer {{access_token}}`,SHALL,Client,,,,
297
+ hl7.fhir.uv.smart-app-launch_2.0.0,265,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#response-2,The resource server SHALL validate the access token and ensure that it has not expired,SHALL,Server,,,,
298
+ hl7.fhir.uv.smart-app-launch_2.0.0,266,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#response-2,The resource server SHALL validate the access token and ensure … that its scope covers the requested resource,SHALL,Server,,,,
299
+ hl7.fhir.uv.smart-app-launch_2.0.0,267,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#response-2,"On occasion, a Backend Service [client] may receive a FHIR resource that contains a “reference” to a resource hosted on a different resource server. The Backend Service [client] SHOULD NOT blindly follow such references and send along its access_token, as the token may be subject to potential theft",SHOULD NOT,Client,,,,
300
+ hl7.fhir.uv.smart-app-launch_2.0.0,268,https://hl7.org/fhir/smart-app-launch/STU2/backend-services.html#response-2,"On occasion, a Backend Service may receive a FHIR resource that contains a “reference” to a resource hosted on a different resource server… The Backend Service [client] SHOULD either ignore the reference, or initiate a new request for access to that resource.",SHOULD,Client,,,,
301
+ hl7.fhir.uv.smart-app-launch_2.0.0,269,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,"SMART on FHIR EHRs SHOULD support Token Introspection, which allows a broader ecosystem of resource servers to leverage authorization decisions managed by a single authorization server.",SHOULD,Server,,,,
302
+ hl7.fhir.uv.smart-app-launch_2.0.0,270,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,Token Introspection is conducted [and clients SHALL make requests] according to [RFC 7662: OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662),SHALL,Client,,,,
303
+ hl7.fhir.uv.smart-app-launch_2.0.0,271,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,Token Introspection is conducted [and servers SHALL respond] according to [RFC 7662: OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662),SHALL,Server,,,,
304
+ hl7.fhir.uv.smart-app-launch_2.0.0,272,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,"In the introspection response… the `active` field [is] required by RFC7662 (a boolean indicating whether the access token is active),",SHALL,Server,,,,
305
+ hl7.fhir.uv.smart-app-launch_2.0.0,273,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the `scope` [field a]s included in the original access token response,SHALL,Server,,,,
306
+ hl7.fhir.uv.smart-app-launch_2.0.0,274,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the `client_id`[field a]s included in the original access token response,SHALL,Server,,,,
307
+ hl7.fhir.uv.smart-app-launch_2.0.0,275,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the... `exp`[field] … [will be t]he integer timestamp indicates when the access token expires.,SHALL,Server,,,,
308
+ hl7.fhir.uv.smart-app-launch_2.0.0,276,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the... `exp`[field] … will be consistent the with `expires_in` interval provided in the original access token response.,SHALL,Server,,,,
309
+ hl7.fhir.uv.smart-app-launch_2.0.0,277,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If a launch context parameter defined in [Scopes and Launch Context](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html) (e.g., `patient` or `intent`) was included in the original access token response, the parameter SHALL be included in the token introspection response.",SHALL,Server,,,,
310
+ hl7.fhir.uv.smart-app-launch_2.0.0,278,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the … [`iss`] claims from the ID Token SHALL be included in the Token Introspection response",SHALL,Server,,,,
311
+ hl7.fhir.uv.smart-app-launch_2.0.0,279,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the … [`sub`] claims from the ID Token SHALL be included in the Token Introspection response",SHALL,Server,,,,
312
+ hl7.fhir.uv.smart-app-launch_2.0.0,280,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the [`fhirsuer`]... claims from the ID Token SHOULD be included in the Token Introspection response",SHOULD,Server,,,,
313
+ hl7.fhir.uv.smart-app-launch_2.0.0,281,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,SMART on FHIR EHRs MAY implement access control protecting the Token Introspection endpoint.,MAY,Server,,,,
314
+ hl7.fhir.uv.smart-app-launch_2.0.0,282,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,"If access control is implemented [on the token introspection endpoint], any client authorized to issue Token Introspection API calls SHALL be permitted to authenticate to the Token Introspection endpoint by providing an appropriately-scoped SMART App or SMART Backend Service bearer token in the Authorization header.",SHALL,Server,,,,
315
+ hl7.fhir.uv.smart-app-launch_2.0.0,283,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,Clients authorized in this way [to acess an access-controlled token introspection endpoint] are [(SHALL be)] able to introspect tokens issued to any client,SHALL,Server,,,,
316
+ hl7.fhir.uv.smart-app-launch_2.0.0,284,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#use-this-profile-when-the-following-conditions-apply,"[Clients SHALL] Use [the Asymmetric porfile] when… The target FHIR authorization server supports SMART’s `client-confidential-asymmetric` capability, The client can manage asymmetric keys for authentication, [and] the client is able to protect a private key",DEPRECATED,Client,,,,
317
+ hl7.fhir.uv.smart-app-launch_2.0.0,285,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,[A] server [SHALL advertise] its support for SMART Confidential Clients with Asymmetric Keys by including the `client-confidential-asymmetric` capability at is `.well-known/smart-configuration` endpoint;,SHALL,Server,,,,
318
+ hl7.fhir.uv.smart-app-launch_2.0.0,286,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `token_endpoint`,",SHALL,Server,,,,
319
+ hl7.fhir.uv.smart-app-launch_2.0.0,287,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `scopes_supported`,",SHALL,Server,,,,
320
+ hl7.fhir.uv.smart-app-launch_2.0.0,288,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ...`token_endpoint_auth_methods_supported` (with values that include `private_key_jwt`),SHALL,Server,,,,
321
+ hl7.fhir.uv.smart-app-launch_2.0.0,289,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `token_endpoint_auth_signing_alg_values_supported` (with values that include at least one of `RS384`, `ES384`).",SHALL,Server,,,,
322
+ hl7.fhir.uv.smart-app-launch_2.0.0,290,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL generate or obtain an asymmetric key pair",SHALL,Client,,,,
323
+ hl7.fhir.uv.smart-app-launch_2.0.0,291,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL ... register its public key set with that FHIR server’s authorization service (referred to below as the “FHIR authorization server”).",SHALL,Client,,,,
324
+ hl7.fhir.uv.smart-app-launch_2.0.0,292,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"SMART does not require a standards-based registration process, but we encourage FHIR service implementers to consider using the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg)",SHOULD,Client,,,,
325
+ hl7.fhir.uv.smart-app-launch_2.0.0,293,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[Before using the `client-confidential-asymmetric`capability t]he client SHALL register the **public key** that the client will use to authenticate itself to the FHIR authorization server.,SHALL,Client,,,,
326
+ hl7.fhir.uv.smart-app-launch_2.0.0,294,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering a public key for the `client-confidential-asymmetric`capability t]he public key SHALL be conveyed to the FHIR authorization server in a [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) structure presented within a JWK Set, as defined in JSON Web Key Set (JWKS).",SHALL,Client,,,,
327
+ hl7.fhir.uv.smart-app-launch_2.0.0,295,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL protect the associated private key [for the `client-confidential-asymmetric`capability] from unauthorized disclosure and corruption.,SHALL,Client,,,,
328
+ hl7.fhir.uv.smart-app-launch_2.0.0,296,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[When registering clients to use the `client-confidential-asymmetric`capability] FHIR authorization servers SHALL support registration of client JWKs using … URL to JWK set,SHALL,Server,,,,
329
+ hl7.fhir.uv.smart-app-launch_2.0.0,297,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[When registering clients to use the `client-confidential-asymmetric`capability] FHIR authorization servers SHALL support registration of client JWKs using ... JWK Set directly,SHALL,Server,,,,
330
+ hl7.fhir.uv.smart-app-launch_2.0.0,298,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,clients SHALL choose a server-supported method [for communicating their JWKs] at registration time,SHALL,Client,,,,
331
+ hl7.fhir.uv.smart-app-launch_2.0.0,299,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering their JWKs to a server for use in the `client-confidential-asymmetric`capability`, clients SHOULD send a] URL to JWK Set (strongly preferred).",SHOULD,Client,,,,
332
+ hl7.fhir.uv.smart-app-launch_2.0.0,300,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering their JWKs to a server for use in the `client-confidential-asymmetric`capability`, clients MAY send the] JWK Set directly (strongly discouraged)",MAY,Client,,,,
333
+ hl7.fhir.uv.smart-app-launch_2.0.0,301,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[For the URL to JWK Set method, the value SHALL be] the TLS-protected endpoint where the client’s public JWK Set can be found",SHALL,Client,,,,
334
+ hl7.fhir.uv.smart-app-launch_2.0.0,302,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[For the URL to JWK Set method to register a JWK for use in the `client-confidential-asymmetric`capability`, the value] ... SHALL be accessible via TLS without client authentication or authorization",SHALL,Client,,,,
335
+ hl7.fhir.uv.smart-app-launch_2.0.0,303,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[For the URL to JWK Set method to register a JWK for use in the `client-confidential-asymmetric`capability` t]he client SHOULD return a “Cache-Control” header in its JWKS response,SHOULD,Client,,,,
336
+ hl7.fhir.uv.smart-app-launch_2.0.0,304,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"If a client cannot host the JWK Set at a TLS-protected URL [when registering a JWK for use in the `client-confidential-asymmetric`capability,] it MAY supply the JWK Set directly to the FHIR authorization server at registration time",MAY,Client,,,,
337
+ hl7.fhir.uv.smart-app-launch_2.0.0,305,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[if Client supplies JWK set directly to the FHIR authorization server during registration for the `client-confidential-asymmetric`capability,] the FHIR authorization server SHALL protect the JWK Set from corruption.",SHALL,Server,,,,
338
+ hl7.fhir.uv.smart-app-launch_2.0.0,306,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[if Client supplies JWK set directly to the FHIR authorization server during registration fro the `client-confidential-asymmetric`capability,] the FHIR authorization server ... SHOULD remind the client to send an update whenever the key set changes.",SHOULD,Server,,,,
339
+ hl7.fhir.uv.smart-app-launch_2.0.0,307,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL be capable of generating a JSON Web Signature in accordance with [RFC7515](https://tools.ietf.org/html/rfc7515).,SHALL,Client,,,,
340
+ hl7.fhir.uv.smart-app-launch_2.0.0,308,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL support ... `RS384` … for the JSON Web Algorithm (JWA) header parameter as defined in [RFC7518](https://tools.ietf.org/html/rfc7518).,SHALL,Client,,,,
341
+ hl7.fhir.uv.smart-app-launch_2.0.0,309,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL support ... `ES384` for the JSON Web Algorithm (JWA) header parameter as defined in [RFC7518](https://tools.ietf.org/html/rfc7518).,SHALL,Client,,,,
342
+ hl7.fhir.uv.smart-app-launch_2.0.0,310,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The FHIR authorization server SHALL be capable of validating signatures with at least one of `RS384` or `ES384`.,SHALL,Server,,,,
343
+ hl7.fhir.uv.smart-app-launch_2.0.0,311,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,servers MAY support … additional algorithms for signature validation [when using the `client-confidential-asymmetric`capability].,MAY,Server,,,,
344
+ hl7.fhir.uv.smart-app-launch_2.0.0,312,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,clients ... MAY … use additional algorithms for signature validation [when using the `client-confidential-asymmetric`capability].,MAY,Client,,,,
345
+ hl7.fhir.uv.smart-app-launch_2.0.0,313,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"No matter how a JWK Set is communicated to the FHIR authorization server, each JWK SHALL represent an asymmetric key by including `kty` and `kid` properties, with content conveyed using “bare key” properties (i.e., direct base64 encoding of key material as integer values)",SHALL,Client,,,,
346
+ hl7.fhir.uv.smart-app-launch_2.0.0,314,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"For RSA public keys, each JWK SHALL include `n` and `e` values (modulus and exponent)",SHALL,Client,,,,
347
+ hl7.fhir.uv.smart-app-launch_2.0.0,315,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"For ECDSA public keys, each JWK SHALL include `crv`, `x`, and `y` values (curve, x-coordinate, and y-coordinate, for EC keys)",SHALL,Client,,,,
348
+ hl7.fhir.uv.smart-app-launch_2.0.0,316,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Upon registration, the client SHALL be assigned a `client_id`",SHALL,Server,,,,
349
+ hl7.fhir.uv.smart-app-launch_2.0.0,317,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[T]he client SHALL use [their assigned `client_id`] when requesting an access token.,SHALL,Client,,,,
350
+ hl7.fhir.uv.smart-app-launch_2.0.0,318,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint,"the client SHALL use the [Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246)](https://tools.ietf.org/html/rfc5246) or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the FHIR authorization server’s token endpoint.",SHALL,Client,,,,
351
+ hl7.fhir.uv.smart-app-launch_2.0.0,319,https://hl7.org/fhir/smart-app-launch/STU2/client-confidential-asymmetric.html#request,"Before a client can request an access token, it SHALL generate a one-time-use JSON Web Token (JWT) that will be used to authenticate the client to the FHIR authorization server.",SHALL,Client,,,,
352
+ hl7.fhir.uv.smart-app-launch_2.0.0,320,https://hl7.org/fhir/smart-app-launch/STU2/client-confidential-asymmetric.html#request,The authentication JWT … SHALL be signed with the client’s private key (which SHOULD be an `RS384` or `ES384` signature).,SHALL,Client,,,,
353
+ hl7.fhir.uv.smart-app-launch_2.0.0,321,https://hl7.org/fhir/smart-app-launch/STU2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`alg`[Authentication JWT header value is] `required` [and SHALL contain t]he JWA algorithm (e.g., RS384, ES384) used for signing the authentication JWT.",SHALL,Client,,,,
354
+ hl7.fhir.uv.smart-app-launch_2.0.0,322,https://hl7.org/fhir/smart-app-launch/STU2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`kid`[Authentication JWT header value is] `required` [and SHALL contain t]he identifier of the key-pair used to sign this JWT [which] SHALL be unique within the client's JWK Set.,SHALL,Client,,,,
355
+ hl7.fhir.uv.smart-app-launch_2.0.0,323,https://hl7.org/fhir/smart-app-launch/STU2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`typ`[header value is] `required`[with] Fixed value: JWT.,SHALL,Client,,,,
356
+ hl7.fhir.uv.smart-app-launch_2.0.0,324,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`jku`[header value is] `optional` [and contains t]he TLS-protected URL to the JWK Set that contains the public key(s) accessible without authentication or authorization.,MAY,Client,,,,
357
+ hl7.fhir.uv.smart-app-launch_2.0.0,325,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"When [the `jku` Authentication JWT header value is] present, this SHALL match the JWKS URL value that the client supplied to the FHIR authorization server at client registration time.",SHALL,Client,,,,
358
+ hl7.fhir.uv.smart-app-launch_2.0.0,326,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"When [the `jku` Authentication JWT header value is] absent, the FHIR authorization server SHOULD fall back on the JWK Set URL or the JWK Set supplied at registration time.",SHOULD,Server,,,,
359
+ hl7.fhir.uv.smart-app-launch_2.0.0,327,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`iss`[claim is] `required`… [and] SHALL [contain the] Issuer of the JWT --the client's `client_id`, as determined during registration with the FHIR authorization server",SHALL,Client,,,,
360
+ hl7.fhir.uv.smart-app-launch_2.0.0,328,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`sub`[claim is] `required`… [and] SHALL [contain] The client's `client_id`, as determined during registration with the FHIR authorization server (note that this is the same as the value for the iss claim)",SHALL,Client,,,,
361
+ hl7.fhir.uv.smart-app-launch_2.0.0,329,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`aud`[claim is] `required`… [and] SHALL [contain] The FHIR authorization server's ""token URL"" (the same URL to which this authentication JWT will be posted)",SHALL,Client,,,,
362
+ hl7.fhir.uv.smart-app-launch_2.0.0,330,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`exp`[claim is] `required`… [and] SHALL [contain the] Expiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC). This time S",SHALL,Client,,,,
363
+ hl7.fhir.uv.smart-app-launch_2.0.0,331,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`exp`[claim] ... SHALL be no more than five minutes in the future.,SHALL,Client,,,,
364
+ hl7.fhir.uv.smart-app-launch_2.0.0,332,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`jti`[claim is] `required`… [and] SHALL [contain a] nonce string value that uniquely identifies this authentication JWT,SHALL,Client,,,,
365
+ hl7.fhir.uv.smart-app-launch_2.0.0,333,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When the client requests an access token] … [the]`client_assertion_type`[parameter is] `required`… [and] SHALL [contain the] Fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,
366
+ hl7.fhir.uv.smart-app-launch_2.0.0,334,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When the client requests an access token] … [the]`client_assertion`[parameter is] `required`… [and] SHALL [contain the] Signed authentication JWT value,SHALL,Client,,,,
367
+ hl7.fhir.uv.smart-app-launch_2.0.0,335,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,The FHIR authorization server SHALL validate the JWT according to the processing requirements defined in [Section 3 of RFC7523](https://tools.ietf.org/html/rfc7523#section-3) including validation of the signature on the JWT,SHALL,Server,,,,
368
+ hl7.fhir.uv.smart-app-launch_2.0.0,336,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,"The FHIR authorization server SHALL … check that the `jti` value has not been previously encountered for the given `iss` within the maximum allowed authentication JWT lifetime (e.g., 5 minutes). This check prevents replay attacks.",SHALL,Server,,,,
369
+ hl7.fhir.uv.smart-app-launch_2.0.0,337,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,The FHIR authorization server SHALL … ensure that the `client_id` provided is known and matches the JWT’s `iss` claim.,SHALL,Server,,,,
370
+ hl7.fhir.uv.smart-app-launch_2.0.0,338,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,"To resolve a key to verify signatures, a FHIR authorization server SHALL follow this algorithm:
371
+
372
+ 1. If the `jku` header is present, verify that the jku is whitelisted (i.e., that it matches the JWKS URL value supplied at registration time for the specified `client_id`).
373
+
374
+ a. If the jku header is not whitelisted, the signature verification fails.
375
+ b. If the jku header is whitelisted, create a set of potential keys by dereferencing the jku URL. Proceed to step 3.
376
+
377
+ 2. If the `jku` header is absent, create a set of potential key sources consisting of all keys found in the registration-time JWKS or found by dereferencing the registration-time JWK Set URL. Proceed to step 3.
378
+
379
+ 3. Identify a set of candidate keys by filtering the potential keys to identify the single key where the `kid` matches the value supplied in the client's JWT header, and the kty is consistent with the signature algorithm supplied in the client's JWT header (e.g., `RSA` for a JWT using an RSA-based signature, or `EC` for a JWT using an EC-based signature). If no keys match, or more than one key matches, the verification fails.
380
+
381
+ 4. Attempt to verify the JWK using the key identified in step 3.",SHALL,Server,,,,
382
+ hl7.fhir.uv.smart-app-launch_2.0.0,339,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,To retrieve the keys from a JWKS URL ... a FHIR authorization server [SHALL issue] a HTTP GET request for that URL to obtain a JWKS response.,SHALL,Server,,,,
383
+ hl7.fhir.uv.smart-app-launch_2.0.0,340,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,"If an error is encountered during the authentication process, the server SHALL respond with an `invalid_client error` as defined by the [OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749#section-5.2).",SHALL,Server,,,,
384
+ hl7.fhir.uv.smart-app-launch_2.0.0,341,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,The FHIR authorization server SHALL NOT cache a JWKS for longer than the client’s cache-control header indicates.,SHALL NOT,Server,,,,
385
+ hl7.fhir.uv.smart-app-launch_2.0.0,342,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,The FHIR authorization server SHOULD cache a client’s JWK Set according to the client’s cache-control header; it doesn’t need to retrieve it anew every time.,SHALL NOT,Server,,,,
386
+ hl7.fhir.uv.smart-app-launch_2.0.0,343,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#profile-audience-and-scope,SMART App Launch clients that can maintain a secret but cannot manage asymmetric keypairs [may use the] … SMART’s `client-confidential-symmetric` authentication mechanism. This profile is not intended for SMART Backend Services clients.,MAY,Client,,,,
387
+ hl7.fhir.uv.smart-app-launch_2.0.0,344,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#profile-audience-and-scope,This [ `client-confidential-symmetric`] profile is not intended for [severs to use with] SMART Backend Services clients.,SHALL NOT,Server,,,,
388
+ hl7.fhir.uv.smart-app-launch_2.0.0,345,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#authentication-using-a-client_secret,"If a client has registered for Client Password authentication (i.e., it possesses a client_secret that is also known to the EHR), the client authenticates by supplying an Authorization header with HTTP Basic authentication, where the username is the app’s client_id and the password is the app’s client_secret.",SHALL,Client,,,,
389
+ hl7.fhir.uv.smart-app-launch_2.0.0,346,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capability-sets,A SMART on FHIR server SHOULD support one or more Capability Sets.,SHOULD,Server,,,,
390
+ hl7.fhir.uv.smart-app-launch_2.0.0,347,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capability-sets,"External implementation guides MAY define additional capabilities to be discovered through this same mechanism. IGs published by HL7 MAY use simple strings to represent additional capabilities (e.g., example-new-capability); IGs published by other organizations SHALL use full URIs to represent additional capabilities (e.g., http://sdo.example.org/example-new-capability).",DEPRECATED,,,,,
391
+ hl7.fhir.uv.smart-app-launch_2.0.0,348,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Patient Access for Standalone Apps [Capability Set, a server SHALL support the following capabilities:]
392
+ 1. `launch-standalone`
393
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
394
+ 3. `context-standalone-patient`
395
+ 4. `permission-patient `",SHALL,Server,,,,
396
+ hl7.fhir.uv.smart-app-launch_2.0.0,349,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Patient Access for EHR Launch (i.e. from Portal) [Capability Set, a server SHALL support the following capabilities:]
397
+ 1.` launch-ehr`
398
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
399
+ 3.`context-ehr-patient`
400
+ 4. `permission-patient`",SHALL,Server,,,,
401
+ hl7.fhir.uv.smart-app-launch_2.0.0,350,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Clinician Access for Standalone [Capability Set, a server SHALL support the following capabilities:]
402
+ 1. `launch-standalone`
403
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
404
+ 3. `permission-user`
405
+ 4. `permission-patient `",SHALL,Server,,,,
406
+ hl7.fhir.uv.smart-app-launch_2.0.0,351,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Clinician Access for EHR Launch [Capability Set, a server SHALL support the following capabilities:]
407
+ 1. `launch-ehr`
408
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
409
+ 3. `context-ehr-patient` support
410
+ 4. `context-ehr-encounter` support
411
+ 5. `permission-user
412
+ 6. `permission-patient `",SHALL,Server,,,,
413
+ hl7.fhir.uv.smart-app-launch_2.0.0,352,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `launch-ehr` [capability SHALL provide] support for SMART’s EHR Launch mode.,SHALL,Server,,,,
414
+ hl7.fhir.uv.smart-app-launch_2.0.0,353,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `launch-standalone` [capability SHALL provide] support for SMART’s Standalone Launch mode,SHALL,Server,,,,
415
+ hl7.fhir.uv.smart-app-launch_2.0.0,354,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `authorize-post` [capability SHALL provide] support for POST-based authorization,SHALL,Server,,,,
416
+ hl7.fhir.uv.smart-app-launch_2.0.0,355,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-public` [capability SHALL provide] support for SMART’s public client profile (no client authentication).,SHALL,Server,,,,
417
+ hl7.fhir.uv.smart-app-launch_2.0.0,356,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-confidential-symmetric` [capability SHALL provide] support for SMART’s symmetric confidential client profile (“client secret” authentication). See [Client Authentication: Symmetric](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html),SHALL,Server,,,,
418
+ hl7.fhir.uv.smart-app-launch_2.0.0,357,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-confidential-asymmetric` [capability SHALL provide] support for SMART’s asymmetric confidential client profile (“JWT authentication”). See [Client Authentication: Asymmetric](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html).,SHALL,Server,,,,
419
+ hl7.fhir.uv.smart-app-launch_2.0.0,358,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `sso-openid-connect` [capability SHALL provide] support for SMART’s OpenID Connect profile,SHALL,Server,,,,
420
+ hl7.fhir.uv.smart-app-launch_2.0.0,359,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `context-banner` [capability SHALL provide] support for “need patient banner” launch context (conveyed via need_patient_banner token parameter).,SHALL,Server,,,,
421
+ hl7.fhir.uv.smart-app-launch_2.0.0,360,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `context-style` [capability SHALL provide] support for `SMART style URL` launch context (conveyed via smart_style_url token parameter). This capability is deemed experimental.,SHALL,Server,,,,
422
+ hl7.fhir.uv.smart-app-launch_2.0.0,361,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-ehr-patient` [capability SHALL provide] support for patient-level launch context (requested by `launch/patient` scope, conveyed via patient token parameter)",SHALL,Server,,,,
423
+ hl7.fhir.uv.smart-app-launch_2.0.0,362,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-ehr-encounter` [capability SHALL provide] support for encounter-level launch context (requested by `launch/encounter` scope, conveyed via `encounter` token parameter)",SHALL,Server,,,,
424
+ hl7.fhir.uv.smart-app-launch_2.0.0,363,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-standalone-patient` [capability SHALL provide] support for patient-level launch context (requested by `launch/patient` scope, conveyed via` patient` token parameter)",SHALL,Server,,,,
425
+ hl7.fhir.uv.smart-app-launch_2.0.0,364,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-standalone-encounter` [capability SHALL provide] support for encounter-level launch context (requested by `launch/encounter` scope, conveyed via `encounter` token parameter)",SHALL,Server,,,,
426
+ hl7.fhir.uv.smart-app-launch_2.0.0,365,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `permission-offline` [capability SHALL provide] support for “offline” refresh tokens (requested by `offline_access` scope),SHALL,Server,,,,
427
+ hl7.fhir.uv.smart-app-launch_2.0.0,366,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-online` [capability SHALL provide] support for “online” refresh tokens requested during EHR Launch (requested by `online_access` scope). This capability is deemed experimental, providing the input to a scope negotiation that could result in granting an online or offline refresh token (see [Scopes and Launch Context](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html)).",SHALL,Server,,,,
428
+ hl7.fhir.uv.smart-app-launch_2.0.0,367,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-patient` [capability SHALL provide] support for patient-level scopes (e.g., `patient/Observation.rs`)",SHALL,Server,,,,
429
+ hl7.fhir.uv.smart-app-launch_2.0.0,368,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-user` [capability SHALL provide] support for user-level scopes (e.g., `user/Appointment.rs`)",SHALL,Server,,,,
430
+ hl7.fhir.uv.smart-app-launch_2.0.0,369,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-v1` [capability SHALL provide] support for SMARTv1 scope syntax (e.g., patient/Observation.read)",SHALL,Server,,,,
431
+ hl7.fhir.uv.smart-app-launch_2.0.0,370,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-v2` [capability SHALL provide] support for SMARTv2 granular scope syntax (e.g., `patient/Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`)",SHALL,Server,,,,
432
+ hl7.fhir.uv.smart-app-launch_2.0.0,371,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `smart-app-state` [capability SHALL provide] support for managing [SMART App State](https://hl7.org/fhir/smart-app-launch/STU2.2/app-state.html).,DEPRECATED,Server,,,,
433
+ hl7.fhir.uv.smart-app-launch_2.0.0,372,https://hl7.org/fhir/smart-app-launch/STU2/conformance.html#using-well-known,FHIR endpoints requiring authorization SHALL serve a JSON document at the location formed by appending `/.well-known/smart-configuration` to their base URL.,SHALL,Server,,,,
434
+ hl7.fhir.uv.smart-app-launch_2.0.0,373,https://hl7.org/fhir/smart-app-launch/STU2/conformance.html#using-well-known,"Contrary to RFC5785 Appendix B.4, the `.well-known` path component may be appended even if the FHIR endpoint already contains a path component",SHALL,Server,,,,
435
+ hl7.fhir.uv.smart-app-launch_2.0.0,374,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,"Responses for `/.well-known/smart-configuration` requests SHALL be JSON, regardless of `Accept` headers provided in the request.",SHALL,Server,,,,
436
+ hl7.fhir.uv.smart-app-launch_2.0.0,375,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[C]lients MAY omit an `Accept` header [when requesting the `/.well-known/smart-configuration`],MAY,Client,,,,
437
+ hl7.fhir.uv.smart-app-launch_2.0.0,376,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] servers MAY ignore any client-supplied Accept headers,MAY,Server,,,,
438
+ hl7.fhir.uv.smart-app-launch_2.0.0,377,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] servers SHALL respond with application/json,SHALL,Server,,,,
439
+ hl7.fhir.uv.smart-app-launch_2.0.0,378,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] All endpoint URLs in the response document SHALL be absolute URLs.,DEPRECATED,Server,,,,
440
+ hl7.fhir.uv.smart-app-launch_2.0.0,379,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,"Clients encountering relative endpoint URLs (e.g., in the context of legacy or non-conformant servers) SHOULD evaluate them relative to the FHIR Server Base URL following [RFC1808](https://datatracker.ietf.org/doc/html/rfc1808#section-4).",DEPRECATED,Client,,,,
441
+ hl7.fhir.uv.smart-app-launch_2.0.0,380,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#response,A JSON document must be returned using the `application/json`mime type.,SHALL,Server,,,,
442
+ hl7.fhir.uv.smart-app-launch_2.0.0,381,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request] if the server’s capabilities include `sso-openid-connect`[the] ..Metadata`issuer`[is] required ... [and SHALL contain the] String conveying this system’s OpenID Connect Issuer URL,SHALL,Server,,,,
443
+ hl7.fhir.uv.smart-app-launch_2.0.0,382,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request] if the server’s capabilities include `sso-openid-connect`[the] ...Metadata ...`jwks_uri`[is] required [and Shall contain the] string conveying this system’s JSON Web Key Set URL,SHALL,Server,,,,
444
+ hl7.fhir.uv.smart-app-launch_2.0.0,383,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`authorization_endpoint`[is] required … [and Shall contain the] URL to the OAuth2 authorization endpoint,SHALL,Server,,,,
445
+ hl7.fhir.uv.smart-app-launch_2.0.0,384,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`grant_types_supported`[is] required … [and Shall contain the] Array of grant types supported at the token endpoint. The options are “authorization_code” (when SMART App Launch is supported) and “client_credentials” (when SMART Backend Services is supported).,SHALL,Server,,,,
446
+ hl7.fhir.uv.smart-app-launch_2.0.0,385,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`token_endpoint`[is] required … [and Shall contain the] URL to the OAuth2 token endpoint.,SHALL,Server,,,,
447
+ hl7.fhir.uv.smart-app-launch_2.0.0,386,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`token_endpoint_auth_methods_supported`[is] OPTIONAL … [and Shall contain the] array of client authentication methods supported by the token endpoint. The options are “client_secret_post”, “client_secret_basic”, and “private_key_jwt”.",MAY,Server,,,,
448
+ hl7.fhir.uv.smart-app-launch_2.0.0,387,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`user_access_brand_bundle`[is] RECOMMENDED … [and Shall contain the] URL for a Brand Bundle. See User [Access Brands](https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html).,DEPRECATED,Server,,,,
449
+ hl7.fhir.uv.smart-app-launch_2.0.0,388,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`user_access_brand_identifier`[is] RECOMMENDED … [and Shall contain the] Identifier for the primary entry in a Brand Bundle. See User [Access Brands](https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html).,DEPRECATED,Server,,,,
450
+ hl7.fhir.uv.smart-app-launch_2.0.0,389,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`scopes_supported`[is] RECOMMENDED … [and Shall contain the] Array of scopes a client may request. See [scopes and launch context]. The server SHALL support all scopes listed here; additional scopes MAY be supported (so clients should not consider this an exhaustive list).,SHOULD,Server,,,,
451
+ hl7.fhir.uv.smart-app-launch_2.0.0,390,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`response_types_supported`[is] RECOMMENDED … [and Shall contain the] URL where an end-user can view which applications currently have access to data and can make adjustments to these access rights.,SHOULD,Server,,,,
452
+ hl7.fhir.uv.smart-app-launch_2.0.0,391,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`introspection_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to a server’s introspection endpoint that can be used to validate a token.,SHOULD,Server,,,,
453
+ hl7.fhir.uv.smart-app-launch_2.0.0,392,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`revocation_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to a server’s revoke endpoint that can be used to revoke a token.,SHOULD,Server,,,,
454
+ hl7.fhir.uv.smart-app-launch_2.0.0,393,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`capabilities`[is] REQUIRED … [and Shall contain the] Array of strings representing SMART capabilities (e.g., `sso-openid-connect` or `launch-standalone`) that the server supports.",SHALL,Server,,,,
455
+ hl7.fhir.uv.smart-app-launch_2.0.0,394,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`code_challenge_methods_supported`[is] REQUIRED … [and Shall contain the] Array of PKCE code challenge methods supported. The `S256` method SHALL be included in this list, and the `plain` method SHALL NOT be included in this list.",SHALL,Server,,,,
456
+ hl7.fhir.uv.smart-app-launch_2.0.0,395,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization ...that wishes to appear as a branded entity in user-facing apps ... [is] RECOMMENDED to define an Organization identifier where `system` is `urn:ietf:rfc:3986` and `value` is the HTTPS URL for the brand’s primary web presence, omitting any “www.” prefix from the domain and omitting any path component",DEPRECATED,Server,,,,
457
+ hl7.fhir.uv.smart-app-launch_2.0.0,396,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
458
+ SHALL publish at least a “primary brand” that references each FHIR endpoint in the Brand Bundle",DEPRECATED,Server,,,,
459
+ hl7.fhir.uv.smart-app-launch_2.0.0,397,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
460
+ SHOULD support the publication of a more detailed Brand hierarchy",DEPRECATED,Server,,,,
461
+ hl7.fhir.uv.smart-app-launch_2.0.0,398,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
462
+ SHALL populate `Bundle.timestamp` to advertise the timestamp of the last change to the contents",DEPRECATED,Server,,,,
463
+ hl7.fhir.uv.smart-app-launch_2.0.0,399,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
464
+ SHOULD populate `Bundle.entry.resource.meta.lastUpdated` with a more detailed timestamp if the system tracks updates per Resource.",DEPRECATED,Server,,,,
465
+ hl7.fhir.uv.smart-app-launch_2.0.0,400,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle…
466
+ SHALL support Cross-Origin Resource Sharing (CORS) for all GET requests to the artifacts described in this guide.",DEPRECATED,Server,,,,
467
+ hl7.fhir.uv.smart-app-launch_2.0.0,401,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
468
+ SHOULD include a weak `Etag` header in all Brand Bundle HTTP responses",DEPRECATED,Server,,,,
469
+ hl7.fhir.uv.smart-app-launch_2.0.0,402,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
470
+ SHALL allow Health Data Providers to manage all data elements marked “Must-Support” in the [“User Access Brand”](https://hl7.org/fhir/smart-app-launch/STU2.2/StructureDefinition-user-access-brand.html) and [“User Access Endpoint”](https://hl7.org/fhir/smart-app-launch/STU2.2/StructureDefinition-user-access-endpoint.html) profiles",DEPRECATED,Server,,,,
471
+ hl7.fhir.uv.smart-app-launch_2.0.0,403,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… SHALL support customer-supplied Organization identifiers (`system` and `value`),DEPRECATED,Server,,,,
472
+ hl7.fhir.uv.smart-app-launch_2.0.0,404,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… MAY provide a Data Absent Reason of `asked-declined` or `asked-unknown` in a Brand Bundle,DEPRECATED,Server,,,,
473
+ hl7.fhir.uv.smart-app-launch_2.0.0,405,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… SHALL NOT use Data Absent Reasons other than `asked-declined` or `asked-unknown` in a Brand Bundle,DEPRECATED,Server,,,,
474
+ hl7.fhir.uv.smart-app-launch_2.0.0,406,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle. SHOULD include `user_access_brand_bundle` and `user_access_brand_identifier` properties in the SMART configuration JSON respons,DEPRECATED,Server,,,,
475
+ hl7.fhir.uv.smart-app-launch_2.0.0,407,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any SMART on FHIR server that supports discovery of a User Access Brand Bundle... When populating `user_access_brand_bundle`
476
+ SHOULD link to a Bundle that includes only Brands and Endpoints affiliated with the Health Data Provider responsible for this SMART on FHIR server",DEPRECATED,Server,,,,
477
+ hl7.fhir.uv.smart-app-launch_2.0.0,408,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_bundle` MAY link to a Bundle with Brands or Endpoints for additional Health Data Providers,DEPRECATED,Server,,,,
478
+ hl7.fhir.uv.smart-app-launch_2.0.0,409,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle... When populating `user_access_brand_bundle` SHALL populate `user_access_brand_identifier` in SMART configuration JSON response if the `user_access_brand_bundle` refers to a Bundle with multiple Brands.,DEPRECATED,Server,,,,
479
+ hl7.fhir.uv.smart-app-launch_2.0.0,410,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any SMART on FHIR server that supports discovery of a User Access Brand Bundle...
480
+ When populating `user_access_brand_identifier`SHALL include a` value`",DEPRECATED,Server,,,,
481
+ hl7.fhir.uv.smart-app-launch_2.0.0,411,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_identifier`SHOULD include a system,DEPRECATED,Server,,,,
482
+ hl7.fhir.uv.smart-app-launch_2.0.0,412,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_identifier`SHALL ensure this identifier matches exactly one `Organization.identifier` in the referenced Brand Bundle,DEPRECATED,Server,,,,
483
+ hl7.fhir.uv.smart-app-launch_2.0.0,413,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHOULD provide an `If-None-Match` header in all Brand Bundle requests to avoid re-fetching data that have not changed,DEPRECATED,Client,,,,
484
+ hl7.fhir.uv.smart-app-launch_2.0.0,414,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHOULD cache Brand Bundle responses by Etag,DEPRECATED,Client,,,,
485
+ hl7.fhir.uv.smart-app-launch_2.0.0,415,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHALL select FHIR resources linked from the `.well-known/smart-configuration` if they differ from the resources in a vendor-consolidated Brand Bundle,DEPRECATED,Client,,,,
486
+ hl7.fhir.uv.smart-app-launch_2.0.0,416,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#fhir-profiles,"For fine-grained organizational management, apps SHALL select the FHIR resources linked from .well-known/smart-configuration if they differ from the resources in a vendor-consolidated Brand Bundle.",DEPRECATED,Client,,,,
487
+ hl7.fhir.uv.smart-app-launch_2.0.0,417,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Vendors SHALL publish at least a “primary brand” for each endpoint and SHOULD support the publication of a more detailed Brand hierarchy.,DEPRECATED,Server,,,,
488
+ hl7.fhir.uv.smart-app-launch_2.0.0,418,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Brand Bundles SHALL populate `Bundle.timestamp` to advertise the timestamp of the last change to the contents,DEPRECATED,Server,,,,
489
+ hl7.fhir.uv.smart-app-launch_2.0.0,419,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Brand Bundles SHOULD populate `Bundle.entry.resource.meta.lastUpdated` with a more detailed timestamp if the system tracks updates per Resource.,DEPRECATED,Server,,,,
490
+ hl7.fhir.uv.smart-app-launch_2.0.0,420,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,Apps can use a Brand’s Organization.identifier element to merge content published in multiple sources.,DEPRECATED,Client,,,,
491
+ hl7.fhir.uv.smart-app-launch_2.0.0,421,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,EHRs SHALL support customer-supplied identifiers (`system` and `value`).,DEPRECATED,Server,,,,
492
+ hl7.fhir.uv.smart-app-launch_2.0.0,422,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,"It is RECOMMENDED that each Brand include an identifier where `system` is `urn:ietf:rfc: 3986` (meaning the identifier is a URL) and `value` is the HTTPS URL for the Brand’s primary web presence, omitting any “www.” prefix from the domain and omitting any path component.",DEPRECATED,Server,,,,
493
+ hl7.fhir.uv.smart-app-launch_2.0.0,423,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#managing-cross-origin-resource-sharing-cors-for-fhir-resources,Publishers SHALL support [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) for all GET requests to the artifacts described in this guide.,DEPRECATED,Server,,,,
494
+ hl7.fhir.uv.smart-app-launch_2.0.0,424,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Publishers SHOULD include a weak `Etag` header in all HTTP responses.,DEPRECATED,Server,,,,
495
+ hl7.fhir.uv.smart-app-launch_2.0.0,425,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Clients SHOULD cache responses by Etag,DEPRECATED,Client,,,,
496
+ hl7.fhir.uv.smart-app-launch_2.0.0,426,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Clients SHOULD … provide an `If-None-Match` header in all requests to avoid re-fetching data that have not changed,DEPRECATED,Client,,,,
497
+ hl7.fhir.uv.smart-app-launch_2.0.0,427,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,FHIR servers supporting this [User-access Brands and Endpoints] IG SHOULD include the… `user_access_brand_bundle` property [containing the] URL of a Brand Bundle… in the SMART configuration JSON response,DEPRECATED,Server,,,,
498
+ hl7.fhir.uv.smart-app-launch_2.0.0,428,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,FHIR servers supporting this [User-access Brands and Endpoints] IG SHOULD include the… `user_access_brand_identifier` property [containing the] FHIR Identifier for this server’s primary Brand within the Bundle… in the SMART configuration JSON response,DEPRECATED,Server,,,,
499
+ hl7.fhir.uv.smart-app-launch_2.0.0,429,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,Publishers SHALL populate this [`user_access_brand_identifier`] property if the referenced Brand Bundle includes more than one Brand.,DEPRECATED,Server,,,,
500
+ hl7.fhir.uv.smart-app-launch_2.0.0,430,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"When present, this [`user_access_brand_identifier`] identifier SHALL consist of a value",DEPRECATED,Server,,,,
501
+ hl7.fhir.uv.smart-app-launch_2.0.0,431,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"When present, this [`user_access_brand_identifier`] identifier … SHOULD have a system.",DEPRECATED,Server,,,,
502
+ hl7.fhir.uv.smart-app-launch_2.0.0,432,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,The Brand Bundle SHALL include exactly one Brand with an Organization.identifier that matches the primary Brand identifier from SMART configuration JSON.,DEPRECATED,Server,,,,
503
+ hl7.fhir.uv.smart-app-launch_2.0.0,433,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,The Brand Bundle SHOULD include only the Brands and Endpoints associated with the SMART on FHIR server that links to the Bundle.,DEPRECATED,Server,,,,
504
+ hl7.fhir.uv.smart-app-launch_2.0.0,434,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"the Brand Bundle MAY have additional Brands or Endpoints (e.g., supporting a publication pattern where endpoints from a given vendor might point to a comprehensive, centralized vendor-managed list).",DEPRECATED,Server,,,,
505
+ hl7.fhir.uv.smart-app-launch_2.0.0,435,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,Note that the presence of an Endpoint in the Brand Bundle does not provide an implicit authorization to access the Endpoint. Clients that require access to the data provided by the FHIR Endpoints in the Brand Bundle can use SMART Configuration metadata to determine authorization requirements.,DEPRECATED,Client,,,,
506
+ hl7.fhir.uv.smart-app-launch_2.0.0,436,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#must-support-definition-ms-and-data-absent-reasons,User Access Brand profile elements labeled as “must support” mean publishers must provide a way for Brands to populate the value,DEPRECATED,Server,,,,
507
+ hl7.fhir.uv.smart-app-launch_2.0.0,437,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#must-support-definition-ms-and-data-absent-reasons,"If the EHR has asked, but a Brand administrator has not supplied a value, the EHR MAY provide a [Data Absent Reason](http://hl7.org/fhir/StructureDefinition/data-absent-reason) of `asked-declined` or `asked-unknown`. The EHR SHALL NOT use other Data Absent Reasons.",DEPRECATED,Server,,,,
508
+ hl7.fhir.uv.smart-app-launch_2.0.0,438,https://hl7.org/fhir/smart-app-launch/STU2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`registration_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to the OAuth2 dynamic registration endpoint for this FHIR server.,SHOULD,Server,,,,
509
+ hl7.fhir.uv.smart-app-launch_2.0.0,439,https://hl7.org/fhir/smart-app-launch/STU2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`associated_endpoints`[is] RECOMMENDED … [and Shall contain an a]rray of objects for endpoints that share the same authorization mechanism as this FHIR endpoint, each with a “url” and “capabilities” array.",SHOULD,Server,,,,
510
+ hl7.fhir.uv.smart-app-launch_2.2.0,1,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,"Apps SHALL ensure that when protocol steps include transmission of sensitive information (authentication secrets, authorization codes, tokens), transmission is ONLY to authenticated servers, over TLS-secured channels.",SHALL,Client,,,,
511
+ hl7.fhir.uv.smart-app-launch_2.2.0,2,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,Apps SHALL generate an unpredictable `state` parameter for each user session,SHALL,Client,,,,
512
+ hl7.fhir.uv.smart-app-launch_2.2.0,3,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,Apps SHALL... include `state` with all authorization requests,SHALL,Client,,,,
513
+ hl7.fhir.uv.smart-app-launch_2.2.0,4,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,App SHALL ... validate the `state` value for any request sent to its redirect URL.,SHALL,Client,,,,
514
+ hl7.fhir.uv.smart-app-launch_2.2.0,5,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,An app SHALL NOT execute untrusted user-supplied inputs as code.,SHALL NOT,Client,,,,
515
+ hl7.fhir.uv.smart-app-launch_2.2.0,6,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,An app SHALL NOT forward values passed back to its redirect URL to any other arbitrary or user-provided URL (a practice known as an “open redirector”).,SHALL NOT,Client,,,,
516
+ hl7.fhir.uv.smart-app-launch_2.2.0,7,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,An app SHALL NOT store bearer tokens in cookies that are transmitted as clear text.,SHALL NOT,Client,,,,
517
+ hl7.fhir.uv.smart-app-launch_2.2.0,8,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,Apps SHOULD persist tokens and other sensitive data in app-specific storage locations only,SHOULD,Client,,,,
518
+ hl7.fhir.uv.smart-app-launch_2.2.0,9,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#app-protection,Apps... SHOULD NOT persist [tokens and other sensitive data] … in system-wide-discoverable locations.,SHOULD,Client,,,,
519
+ hl7.fhir.uv.smart-app-launch_2.2.0,10,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#support-for-public-and-confidential-apps,"any “secret” key, code, or string that is statically embedded in the app can potentially be extracted by an end-user or attacker. Hence security for these apps cannot depend on secrets embedded at install-time.",SHOULD NOT,Client,,,,
520
+ hl7.fhir.uv.smart-app-launch_2.2.0,11,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#determining-the-appropriate-app-type,"[U]se a `confidential app`[if your app is able to protect a secret]
521
+
522
+ Example: App runs on a trusted server with only server-side access to the secret
523
+ Example: App is a native app that uses additional technology (such as dynamic client registration and universal redirect_uris) to protect the secret",SHOULD,Client,,,,
524
+ hl7.fhir.uv.smart-app-launch_2.2.0,12,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#determining-the-appropriate-app-type,"[U]se a `public app`[if your app is not able to protect a secret]
525
+
526
+ Example: App is an HTML5 or JS in-browser app (including single-page applications) that would expose the secret in user space
527
+ Example: App is a native app that can only distribute a secret statically",SHOULD,Client,,,,
528
+ hl7.fhir.uv.smart-app-launch_2.2.0,13,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support,All SMART apps SHALL support Proof Key for Code Exchange [(PKCE)](https://tools.ietf.org/html/rfc7636),SHALL,Client,,,,
529
+ hl7.fhir.uv.smart-app-launch_2.2.0,14,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support,SMART servers [supporting the [PKCE](https://tools.ietf.org/html/rfc7636)] SHALL support the `S256` `code_challenge_method`,SHALL,Server,,,,
530
+ hl7.fhir.uv.smart-app-launch_2.2.0,15,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support,SMART servers [supporting the [PKCE](https://tools.ietf.org/html/rfc7636)] … SHALL NOT support the `plain` method.,SHALL NOT,Server,,,,
531
+ hl7.fhir.uv.smart-app-launch_2.2.0,16,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support,"Servers that support purely browser-based apps SHALL enable [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) as follows: ... For requests from any origin, CORS configuration permits access to the public discovery endpoints (`.well-known/smart-configuration` and `metadata`)",SHALL,Server,,,,
532
+ hl7.fhir.uv.smart-app-launch_2.2.0,17,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-cross-origin-resource-sharing-cors-support,"Servers that support purely browser-based apps SHALL enable [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) as follows: ... For requests from a client’s registered origin(s), CORS configuration permits access to the token endpoint and to FHIR REST API endpoints",SHALL,Server,,,,
533
+ hl7.fhir.uv.smart-app-launch_2.2.0,18,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#smart-authorization--fhir-access-overview,[In the SMART APP Launch process] the complete URLs of all apps approved for use by users of this EHR [SHALL] ... have been registered with the EHR authorization server.,SHALL,Server,,,,
534
+ hl7.fhir.uv.smart-app-launch_2.2.0,19,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#register-app-with-ehr,"SMART does not specify a standards-based registration process, but we encourage EHR implementers to consider the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591) for an out-of-the-box solution.",MAY,Server,,,,
535
+ hl7.fhir.uv.smart-app-launch_2.2.0,20,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request,"at registration time every SMART app SHALL:
536
+
537
+ Register zero or more fixed, fully-specified launch URL with the EHR’s authorization server",SHALL,Client,,,,
538
+ hl7.fhir.uv.smart-app-launch_2.2.0,21,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request,"at registration time every SMART app SHALL: ...
539
+ Register one or more fixed, fully-specified `redirect_uri` s with the EHR’s authorization server.",SHALL,Client,,,,
540
+ hl7.fhir.uv.smart-app-launch_2.2.0,22,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request,"For confidential clients, additional registration-time requirements are defined based on the client authentication method. ... For asymmetric client authentication: a [JSON Web Key Set or JWSK URL](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys) is established",SHALL,Client,,,,
541
+ hl7.fhir.uv.smart-app-launch_2.2.0,23,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request,"For confidential clients, additional registration-time requirements are defined based on the client authentication method. ...
542
+ For symmetric client authentication: a [client secret](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html) is established",SHALL,Client,,,,
543
+ hl7.fhir.uv.smart-app-launch_2.2.0,24,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response,The EHR confirms the app’s registration parameters and communicates a `client_id` to the app.,SHALL,Server,,,,
544
+ hl7.fhir.uv.smart-app-launch_2.2.0,25,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#smart-authorization--fhir-access-overview,"In a standalone launch, when the app launches from outside an EHR session, the app can request context from the EHR authorization server.",DEPRECATED,Client,,,,
545
+ hl7.fhir.uv.smart-app-launch_2.2.0,26,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#smart-authorization--fhir-access-overview,"Once an app receives a launch request, [In a standalone launch] it requests authorization to access FHIR resources by instructing the browser to navigate to the EHR’s authorization endpoint.",DEPRECATED,Client,,,,
546
+ hl7.fhir.uv.smart-app-launch_2.2.0,27,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#smart-authorization--fhir-access-overview,"[When an app requests authorization to access FHIR resources in a standalone launch] Based on pre-defined rules and possibly end-user authorization, the EHR authorization server either grants the request by returning an authorization code to the app’s redirect URL or denies the request",DEPRECATED,Server,,,,
547
+ hl7.fhir.uv.smart-app-launch_2.2.0,28,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#smart-authorization--fhir-access-overview,"[When an app requests authorization to access FHIR resources in a standalone launch] The app then exchanges the authorization code for an access token. The app presents the access token to the EHR’s resource server to access requested FHIR resources. If a refresh token is returned along with the access token, the app may use it to request a new access token with the same scope, once the old access token expires",DEPRECATED,Client,,,,
548
+ hl7.fhir.uv.smart-app-launch_2.2.0,29,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#retrieve-well-knownsmart-configuration,"the app discovers the EHR FHIR server’s SMART configuration metadata, including OAuth `authorization_endpoint` and `token_endpoint` URLs.
549
+ The discovery URL is constructed by appending .well-known/smart-configuration to the FHIR Base URL. The app issues an HTTP GET to the discovery URL with an Accept header supporting application/json.",SHALL,Client,,,,
550
+ hl7.fhir.uv.smart-app-launch_2.2.0,30,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-3,The EHR responds with a SMART configuration JSON document as described in the [Conformance](https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html) section.,SHALL,Server,,,,
551
+ hl7.fhir.uv.smart-app-launch_2.2.0,31,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … the EHR SHALL ensure that the `code_verifier` is present and valid when the code is exchanged for an access token.,SHALL,Server,,,,
552
+ hl7.fhir.uv.smart-app-launch_2.2.0,32,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … [the] `response_type` [parameter is] required [and SHALL contain the] fixed value: `code`.,SHALL,Client,,,,
553
+ hl7.fhir.uv.smart-app-launch_2.2.0,33,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code … [the] `client_id` [parameter is] required [and SHALL contain the] client's identifier [provided during registration].,SHALL,Client,,,,
554
+ hl7.fhir.uv.smart-app-launch_2.2.0,34,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code... [the] `redirect_uri`[parameter is] required [and] Must match one of the client's pre-registered redirect URIs,SHALL,Client,,,,
555
+ hl7.fhir.uv.smart-app-launch_2.2.0,35,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code … [in the EHR Launch flow, the] `launch`[parameter is required, and] must match the launch value received from the EHR.",SHALL,Client,,,,
556
+ hl7.fhir.uv.smart-app-launch_2.2.0,36,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code … [in the `Standalone Launch` flow, the] `launch` [parameter is] omitted",SHALL,Client,,,,
557
+ hl7.fhir.uv.smart-app-launch_2.2.0,37,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `scope` [parameter is] `required` [and m]ust describe the access that the app needs.,SHALL,Client,,,,
558
+ hl7.fhir.uv.smart-app-launch_2.2.0,38,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `scope` [parameter is] `required` [and] Must ... [include] either: a `launch` value indicating that the app wants to receive already-established launch context details from the EHR [or] a set of launch context requirements in the form `launch/patient`, which asks the EHR to establish context on your behalf.",DEPRECATED,Client,,,,
559
+ hl7.fhir.uv.smart-app-launch_2.2.0,39,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `state` [parameter is] `required` [and] The parameter SHALL be used for preventing cross-site request forgery or session fixation attacks,SHALL,Client,,,,
560
+ hl7.fhir.uv.smart-app-launch_2.2.0,40,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `state` [parameter is] `required` [and] ... The app SHALL use an unpredictable value for the state parameter with at least 122 bits of entropy (e.g., a properly configured random uuid is suitable).",SHALL,Client,,,,
561
+ hl7.fhir.uv.smart-app-launch_2.2.0,41,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `aud` [parameter is] `required` ... [and SHALL contain the] URL of the EHR resource server from which the app wishes to retrieve FHIR data.
562
+ (Note that in the case of an EHR launch flow, this `aud` value is the same as the launch's `iss` value.)",SHALL,Client,,,,
563
+ hl7.fhir.uv.smart-app-launch_2.2.0,42,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … servers SHALL support the `aud` parameter,SHALL,Client,,,,
564
+ hl7.fhir.uv.smart-app-launch_2.2.0,43,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … servers MAY support a `resource` parameter as a synonym for `aud`.,MAY,Client,,,,
565
+ hl7.fhir.uv.smart-app-launch_2.2.0,44,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code [the] … `code_challenge` [parameter is] `required` ... [and] is generated by the app and used for the code challenge, as specified by [PKCE](https://tools.ietf.org/html/rfc7636).
566
+ See [considerations-for-pkce-support](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#considerations-for-pkce-support).",SHALL,Client,,,,
567
+ hl7.fhir.uv.smart-app-launch_2.2.0,45,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,[When] the app constructs a request for an authorization code [the] … `code_challenge_method` [parameter is] `required` ... [and Shall include the] Method used for the `code_challenge` parameter.,SHALL,Client,,,,
568
+ hl7.fhir.uv.smart-app-launch_2.2.0,46,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When] the app constructs a request for an authorization code ... The app SHOULD limit its requested scopes to the minimum necessary (i.e., minimizing the requested data categories and the requested duration of access).",SHOULD,Client,,,,
569
+ hl7.fhir.uv.smart-app-launch_2.2.0,47,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"[When an app requests an authorization code] If the app needs to authenticate the identity of or retrieve information about the end-user, it should include two OpenID Connect scopes: `openid` and `fhirUser`. When these scopes are requested and the request is granted, the app will receive an id_token along with the access token.",SHALL,Client,,,,
570
+ hl7.fhir.uv.smart-app-launch_2.2.0,48,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,Authorization Servers SHALL support the use of the HTTP GET ... at the Authorization Endpoint,SHALL,Server,,,,
571
+ hl7.fhir.uv.smart-app-launch_2.2.0,49,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,Authorization Servers SHALL support the use of the HTTP .. POST ... at the Authorization Endpoint,SHALL,Server,,,,
572
+ hl7.fhir.uv.smart-app-launch_2.2.0,50,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,Clients SHALL use either the HTTP GET or the HTTP POST method to send the Authorization Request to the Authorization Server.,SHALL,Client,,,,
573
+ hl7.fhir.uv.smart-app-launch_2.2.0,51,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"If [clients are] using the HTTP GET method [for Authorization Requests], the request parameters are serialized using URI Query String Serialization.",SHALL,Client,,,,
574
+ hl7.fhir.uv.smart-app-launch_2.2.0,52,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-4,"If [clients are] using the HTTP POST method [for Authorization Requests], the request parameters are serialized using Form Serialization and the application/x-www-form-urlencoded content type.",SHALL,Client,,,,
575
+ hl7.fhir.uv.smart-app-launch_2.2.0,53,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,The EHR decides whether to grant ... access [in response to an Authorization Request]. This decision is communicated to the app when the EHR authorization server returns an authorization code,SHALL,Server,,,,
576
+ hl7.fhir.uv.smart-app-launch_2.2.0,54,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,The EHR decides whether to ... deny access [in response to an Authorization Request]. This decision is communicated to the app when the EHR authorization server returns … an eror response,SHALL,Server,,,,
577
+ hl7.fhir.uv.smart-app-launch_2.2.0,55,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,"Authorization codes [returned in response to an Authorization Request] are short-lived, usually expiring within around one minute.",DEPRECATED,Server,,,,
578
+ hl7.fhir.uv.smart-app-launch_2.2.0,56,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When responding to an authorization request] the code is sent when the EHR authorization server causes the browser to navigate to the app’s redirect_uri,SHALL,Server,,,,
579
+ hl7.fhir.uv.smart-app-launch_2.2.0,57,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the] `code` [parameter is] required [and SHALL contain the] The authorization code generated by the authorization server.,SHALL,Server,,,,
580
+ hl7.fhir.uv.smart-app-launch_2.2.0,58,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the authorization code in the] `code` [parameter] ... needs to expire shortly after it is issued to mitigate the risk of leaks.,SHOULD,Server,,,,
581
+ hl7.fhir.uv.smart-app-launch_2.2.0,59,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When] the EHR authorization server causes the browser to navigate to the app’s redirect_uri … [the] `state` [parameter is] required [and SHALL contain t]he exact value received from the client [in parameter of the same name on the authorization request].,SHALL,Server,,,,
582
+ hl7.fhir.uv.smart-app-launch_2.2.0,60,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,[When an authorization repsonse is received t]he app SHALL validate the value of the state parameter [sent by the server] upon return to the redirect URL [matches the value the client sent in the authroization request].,SHALL,Client,,,,
583
+ hl7.fhir.uv.smart-app-launch_2.2.0,61,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-4,"The app… SHALL ensure that the state value [associated with the authorization request and response] is securely tied to the user’s current session (e.g., by relating the state value to a session identifier issued by the app).",SHALL,Client,,,,
584
+ hl7.fhir.uv.smart-app-launch_2.2.0,62,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,After obtaining an authorization code the app trades the code for an access token... [by issusing] an HTTP `POST` to the EHR authorization server’s token endpoint URL using content-type `application/x-www-form-urlencoded` as described in section 4.1.3 of [RFC6749](https://tools.ietf.org/html/rfc6749#section-4.1.3).,SHALL,Client,,,,
585
+ hl7.fhir.uv.smart-app-launch_2.2.0,63,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,"For `public apps`, authentication is not required [when making requests to the token endpoint] because a client with no secret cannot prove its identity when it issues a call. (The end-to-end system can still be secure because the client comes from a known, https-protected endpoint specified and enforced by the redirect uri.)",SHALL NOT,Client,,,,
586
+ hl7.fhir.uv.smart-app-launch_2.2.0,64,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,"For `confidential apps`, authentication is required [when making requests to the token endpoint].",SHALL,Client,,,,
587
+ hl7.fhir.uv.smart-app-launch_2.2.0,65,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,"Confidential clients SHOULD use [Asymmetric Authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html) [for authentication when making requests to the token endpoint] if available,",SHOULD,Client,,,,
588
+ hl7.fhir.uv.smart-app-launch_2.2.0,66,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,Confidential clients ... MAY use [Symmetric Authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html) [for authentication when making requests to the token endpoint].,MAY,Client,,,,
589
+ hl7.fhir.uv.smart-app-launch_2.2.0,67,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `grant_type`[parameter is] `required` [and SHALL contain the] fixed value: `authorization_code`,SHALL,Client,,,,
590
+ hl7.fhir.uv.smart-app-launch_2.2.0,68,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `code`[parameter is] `required` [and SHALL contain the authorizaion c]ode that the app received from the authorization server,SHALL,Client,,,,
591
+ hl7.fhir.uv.smart-app-launch_2.2.0,69,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `redirect_uri`[parameter is] `required`[and SHALL contain the] same redirect_uri used in the initial authorization request,SHALL,Client,,,,
592
+ hl7.fhir.uv.smart-app-launch_2.2.0,70,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `code_verifier`[parameter is] `required`[and SHALL be] ... used to verify against the `code_challenge` parameter previously provided in the authorize request.,SHALL,Client,,,,
593
+ hl7.fhir.uv.smart-app-launch_2.2.0,71,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[When an app requests an access token the] `client_id`[parameter is] required for `public apps`,SHALL,Client,,,,
594
+ hl7.fhir.uv.smart-app-launch_2.2.0,72,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-5,[when an app requests an access token the] `client_id`[parameter is] ...omit[ed] for `confidential apps`,SHALL NOT,Client,,,,
595
+ hl7.fhir.uv.smart-app-launch_2.2.0,73,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,The EHR authorization server SHALL return a JSON object that includes an access token or a message indicating that the authorization request has been denied.,SHALL,Server,,,,
596
+ hl7.fhir.uv.smart-app-launch_2.2.0,74,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] 'access_token`[parameter is] `required` [and SHALL contain t]he access token issued by the authorization server,SHALL,Server,,,,
597
+ hl7.fhir.uv.smart-app-launch_2.2.0,75,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `token_type`[parameer is] `required` [and SHALL contain the f]ixed value: `Bearer`,SHALL,Server,,,,
598
+ hl7.fhir.uv.smart-app-launch_2.2.0,76,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `expires_in`[parameter is] `recommended`[and SHOULD contain the l]ifetime in seconds of the access token.,SHOULD,Server,,,,
599
+ hl7.fhir.uv.smart-app-launch_2.2.0,77,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization servers autorization token expires] the token SHALL NOT be accepted by the resource server,SHALL,Server,,,,
600
+ hl7.fhir.uv.smart-app-launch_2.2.0,78,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `scope`[parameter is] `required` [and SHALL contain the s]cope of access authorized. Note that this can be different from the scopes requested by the app.,SHALL,Server,,,,
601
+ hl7.fhir.uv.smart-app-launch_2.2.0,79,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,[When the EHR Authorization server responds to an autorization token request the] `scope`[parameter is] can be different from the scopes requested by the app.,MAY,Server,,,,
602
+ hl7.fhir.uv.smart-app-launch_2.2.0,80,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `id_token`[parameter is] `optional` [and MAY contain a]uthenticated user identity and user details, if requested.",MAY,Server,,,,
603
+ hl7.fhir.uv.smart-app-launch_2.2.0,81,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `refresh_token`[parameter is] `optional` [and MAY contain the t]oken that can be used to obtain a new access token, using the same or a subset of the original authorization grants",MAY,Server,,,,
604
+ hl7.fhir.uv.smart-app-launch_2.2.0,82,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request the] `authorization_details`[parameter is] `optional` [and MAY contain a]dditional details describing where this token can be used, and any per-location context",MAY,Server,,,,
605
+ hl7.fhir.uv.smart-app-launch_2.2.0,83,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request] if the app was launched from within a patient context, parameters to communicate the context values MAY BE included.",MAY,Server,,,,
606
+ hl7.fhir.uv.smart-app-launch_2.2.0,84,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"[When the EHR Authorization server responds to an autorization token request t]he parameters are included in the entity-body of the HTTP response, as described in section 5.1 of [RFC6749](https://tools.ietf.org/html/rfc6749).",SHALL,Server,,,,
607
+ hl7.fhir.uv.smart-app-launch_2.2.0,85,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,The access token is a string of characters as defined in [RFC6749](https://tools.ietf.org/html/rfc6749) and [RFC6750](http://tools.ietf.org/html/rfc6750).,SHALL,Server,,,,
608
+ hl7.fhir.uv.smart-app-launch_2.2.0,86,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,The authorization server’s response SHALL include the HTTP “Cache-Control” response header field with a value of “no-store”,SHALL,Server,,,,
609
+ hl7.fhir.uv.smart-app-launch_2.2.0,87,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,The authorization server’s response SHALL include the HTTP ... “Pragma” response header field with a value of “no-cache”,SHALL,Server,,,,
610
+ hl7.fhir.uv.smart-app-launch_2.2.0,88,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"The EHR authorization server decides what `expires_in` value to assign to an access token ... as defined in section 1.5 of [RFC6749](https://tools.ietf.org/html/rfc6749#page-10), along with the access token.",SHALL,Server,,,,
611
+ hl7.fhir.uv.smart-app-launch_2.2.0,89,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"The EHR authorization server decides ... whether to issue a refresh token, as defined in section 1.5 of [RFC6749](https://tools.ietf.org/html/rfc6749#page-10), along with the access token.",SHALL,Server,,,,
612
+ hl7.fhir.uv.smart-app-launch_2.2.0,90,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,"Apps SHOULD store tokens in app-specific storage locations only, and not in system-wide-discoverable locations.",SHOULD,Client,,,,
613
+ hl7.fhir.uv.smart-app-launch_2.2.0,91,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,Access tokens SHOULD have a valid lifetime no greater than one hour.,SHOULD,Server,,,,
614
+ hl7.fhir.uv.smart-app-launch_2.2.0,92,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-5,Confidential clients may be issued longer-lived tokens than public clients.,MAY,Server,,,,
615
+ hl7.fhir.uv.smart-app-launch_2.2.0,93,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-6,[When] fetch[ing] FHIR Resources… The [Client] app [SHALL} issue a request that includes an `Authorization` header that presents the `access_token` as a “Bearer” token,SHALL,Client,,,,
616
+ hl7.fhir.uv.smart-app-launch_2.2.0,94,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,The resource server SHALL validate the access token and ensure that it has not expired,SHALL,Server,,,,
617
+ hl7.fhir.uv.smart-app-launch_2.2.0,95,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,The resource server SHALL validate the access token and ensure that … its scope covers the requested resource.,SHALL,Server,,,,
618
+ hl7.fhir.uv.smart-app-launch_2.2.0,96,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,The resource server also validates that the `aud` parameter associated with the authorization [request] ... matches the resource server’s own FHIR endpoint.,SHALL,Server,,,,
619
+ hl7.fhir.uv.smart-app-launch_2.2.0,97,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,"[When an app may receives] a FHIR resource that contains a “reference” to a resource hosted on a different resource server … [it] SHOULD NOT blindly follow such references and send along its access_token, as the token may be subject to potential theft.",SHOULD NOT,Client,,,,
620
+ hl7.fhir.uv.smart-app-launch_2.2.0,98,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-6,"[When an app may receives] a FHIR resource that contains a “reference” to a resource hosted on a different resource serve … [it] SHOULD either ignore the reference, or initiate a new request for access to that resource.",SHOULD,Client,,,,
621
+ hl7.fhir.uv.smart-app-launch_2.2.0,99,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,EHR implementers are also encouraged to consider using the [OAuth 2.0 Token Introspection Protocol](https://tools.ietf.org/html/rfc7662) to provide an introspection endpoint that clients can use to examine the validity and meaning of tokens.,SHOULD,Server,,,,
622
+ hl7.fhir.uv.smart-app-launch_2.2.0,100,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,[The Auth Server SHALL provide a]n app with “online access”... new access tokens as long as the end-user remains online.,SHALL,Server,,,,
623
+ hl7.fhir.uv.smart-app-launch_2.2.0,101,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,[The Auth Server SHALL provide a]pps with “offline access”... new access tokens without the user being interactively engaged.,SHALL,Server,,,,
624
+ hl7.fhir.uv.smart-app-launch_2.2.0,102,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,A server can decide which client types (public or confidential) are eligible for offline access and able to receive a refresh token.,MAY,Server,,,,
625
+ hl7.fhir.uv.smart-app-launch_2.2.0,103,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,A refresh token SHALL be bound to the same `client_id` and SHALL contain the same or a subset of the claims authorized for the access token with which it is associated.,SHALL,Server,,,,
626
+ hl7.fhir.uv.smart-app-launch_2.2.0,104,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#refresh-access-token,A refresh token ... SHALL contain the same or a subset of the claims authorized for the access token with which it is associated.,SHALL,Server,,,,
627
+ hl7.fhir.uv.smart-app-launch_2.2.0,105,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `grant_type` [parameter is] `required`[and SHALL contain the] Fixed value: `refresh_token`,SHALL,Client,,,,
628
+ hl7.fhir.uv.smart-app-launch_2.2.0,106,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `refresh_token` [parameter is] `required`[and SHALL contain the] The refresh token from a prior authorization response,SHALL,Client,,,,
629
+ hl7.fhir.uv.smart-app-launch_2.2.0,107,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] `scope` [parameter is] `optional`[and MAY contain the] scopes of access requested.,MAY,Client,,,,
630
+ hl7.fhir.uv.smart-app-launch_2.2.0,108,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,"[When requesting a new access token using a refresh token the] `scope` [parameter is] present, it must be a strict sub-set of the scopes granted in the original launch (no new permissions can be obtained at refresh time).",SHALL,Client,,,,
631
+ hl7.fhir.uv.smart-app-launch_2.2.0,109,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#request-7,[When requesting a new access token using a refresh token the] a missing [`scope` parameter] value indicates a request for the same scopes granted in the original launch.,SHALL,Server,,,,
632
+ hl7.fhir.uv.smart-app-launch_2.2.0,110,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `access_token` [parameter is] `required`[and SHALL contain the n]ew access token issued by the authorization server,SHALL,Server,,,,
633
+ hl7.fhir.uv.smart-app-launch_2.2.0,111,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the]`token_type` [parameter is] `required`[and SHALL contain the] Fixed value: bearer,SHALL,Server,,,,
634
+ hl7.fhir.uv.smart-app-launch_2.2.0,112,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `expires_in`[parameter is] `required`[and SHALL contain the] The lifetime in seconds of the access token.,SHALL,Server,,,,
635
+ hl7.fhir.uv.smart-app-launch_2.2.0,113,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter is] `required` [and SHALL contain the] Scope of access authorized,SHALL,Server,,,,
636
+ hl7.fhir.uv.smart-app-launch_2.2.0,114,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter value] will be the same as the scope of the original access token,SHALL,Server,,,,
637
+ hl7.fhir.uv.smart-app-launch_2.2.0,115,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `scope`[parameter value] can be different from the scopes requested by the app.,SHALL,Server,,,,
638
+ hl7.fhir.uv.smart-app-launch_2.2.0,116,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,[When responding to a request for a new access token using a refresh token the] `refresh_token` [parameter is] `optional` [and MAY contain the] refresh token issued by the authorization server.,MAY,Server,,,,
639
+ hl7.fhir.uv.smart-app-launch_2.2.0,117,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,"[When receiving a response to a request for a new access token using a refresh token if the] `refresh_token` [parameter is] present, the app should discard any previous refresh_token associated with this launch and replace it with this new value",SHOULD,Client,,,,
640
+ hl7.fhir.uv.smart-app-launch_2.2.0,118,https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html#response-7,"[When responding to a request for a new access token using a refresh token the] if the app was launched from within a patient context, parameters to communicate the context values MAY BE included.",MAY,Server,,,,
641
+ hl7.fhir.uv.smart-app-launch_2.2.0,119,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#smarts-scopes-are-used-to-delegate-access,[When responding to] a client request… of a specific set of access rights; [servers SHALL respect] … underlyinmg system policies and permissions [even if they conflict with granted scopes],SHALL,Server,,,,
642
+ hl7.fhir.uv.smart-app-launch_2.2.0,120,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `c` for `create`[to request the ability to perform] Type level [create](http://hl7.org/fhir/http.html#create)",SHALL,Client,,,,
643
+ hl7.fhir.uv.smart-app-launch_2.2.0,121,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `r` for `read` [to request the ability to perform] Instance level [read](http://hl7.org/fhir/http.html#read), Instance level [vread](http://hl7.org/fhir/http.html#vread), and Instance level [history](http://hl7.org/fhir/http.html#history)",SHALL,Client,,,,
644
+ hl7.fhir.uv.smart-app-launch_2.2.0,122,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `u` for `update`[to request the ability to perform] Instance level [update](http://hl7.org/fhir/http.html#update)] ..., and Instance level [patch](http://hl7.org/fhir/http.html#patch)",SHALL,Client,,,,
645
+ hl7.fhir.uv.smart-app-launch_2.2.0,123,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"Note that some servers allow for an [update operation to create a new instance](http://hl7.org/fhir/http.html#upsert), and this is allowed by the update scope",SHALL,Server,,,,
646
+ hl7.fhir.uv.smart-app-launch_2.2.0,124,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `d` for `delete` [to request the ability to perform] Type level [delete](http://hl7.org/fhir/http.html#delete)]",SHALL,Client,,,,
647
+ hl7.fhir.uv.smart-app-launch_2.2.0,125,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"[Client, SHALL include scope] `s` for `search`[to request the ability to perform] Type level [search](http://hl7.org/fhir/http.html#search), Type level [history](http://hl7.org/fhir/http.html#history), System level [search](http://hl7.org/fhir/http.html#search), and System level [history](http://hl7.org/fhir/http.html#history)",SHALL,Client,,,,
648
+ hl7.fhir.uv.smart-app-launch_2.2.0,126,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD advertise the `permission-v1` capability in their `.well-known/smart-configuration` discovery document",SHOULD,Server,,,,
649
+ hl7.fhir.uv.smart-app-launch_2.2.0,127,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD … return v1 scopes when v1 scopes are requested and granted",SHOULD,Server,,,,
650
+ hl7.fhir.uv.smart-app-launch_2.2.0,128,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"For backwards compatibility with scopes defined in the SMART App Launch 1.0 specification, servers SHOULD … process v1 scopes with the following semantics in v2:
651
+ v1 `.read` ⇒ v2 `.rs`
652
+ v1 `.write` ⇒ v2 `.cud`
653
+ v1 `.*` ⇒ v2 `.cruds`",SHOULD,Server,,,,
654
+ hl7.fhir.uv.smart-app-launch_2.2.0,129,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-fhir-resources,"Scope requests with undefined or out of order interactions MAY be ignored, replaced with server default scopes, or rejected",MAY,Server,,,,
655
+ hl7.fhir.uv.smart-app-launch_2.2.0,130,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#batches-and-transactions,[B]atch and transaction requests should [SHALL] be validated based on the actual requests within them.,SHALL,Server,,,,
656
+ hl7.fhir.uv.smart-app-launch_2.2.0,131,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scope-equivalence,"Scopes can be combined to represent a union of access… In order to reduce token size, it is recommended that scopes be factored to their shortest form.",SHOULD,Client,,,,
657
+ hl7.fhir.uv.smart-app-launch_2.2.0,132,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#finer-grained-resource-constraints-using-search-parameters,"[To request a scope that applies to a subset of instances of a resource type, clients SHALL] add a query string suffix to existing scopes, starting with `?` and followed by a series of `param=value` items separated by `&`",SHALL,Client,,true,,
658
+ hl7.fhir.uv.smart-app-launch_2.2.0,133,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scope-size-over-the-wire,"When initiating an authorization request, app developers should prefer POST-based authorization requests to GET-based requests, since this avoids URL length limits that might apply to GET-based authorization requests.",SHOULD,Client,,,,
659
+ hl7.fhir.uv.smart-app-launch_2.2.0,134,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scope-size-over-the-wire,"[S]ince access tokens are included in HTTP headers, servers should take care to ensure they do not get too large.",SHOULD,Server,,,,
660
+ hl7.fhir.uv.smart-app-launch_2.2.0,135,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhir-resource-scope-syntax,"[T]he scope language is [the following sequence of characters:
661
+ - one of ""patient"", ""user"", or ""system""
662
+ - ""/""
663
+ - either a FHIR resource type or ""*""
664
+ - "".""
665
+ - optional ""c""
666
+ - optional ""r""
667
+ - optional ""u""
668
+ - optional ""d""
669
+ - optional ""s""
670
+ - optional ""?"" followed by at least 1 ""<param>=<value>"" pairs, where <param> is a valid search parameter and <value> is a valid corresponding value, with each pair each separated by ""&"" if there are multiple]",SHALL,Client,,,,
671
+ hl7.fhir.uv.smart-app-launch_2.2.0,136,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#patient-specific-scopes,[When granting p]atient-specific scopes [servers promise to] allow [the client to] access to specific data about a single patient. Which patient is not specified here: FHIR Resource scopes are all about *what* and not *who*,SHALL,Server,,,,
672
+ hl7.fhir.uv.smart-app-launch_2.2.0,137,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#patient-specific-scopes,[To request p]atient-specific scopes start [the scope string] with `patient/`,SHALL,Client,,,,
673
+ hl7.fhir.uv.smart-app-launch_2.2.0,138,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#patient-specific-scopes,"Note that some EHRs may not enable access to all related resources [when responding to data requests with a patient-specific scope] (for example, Practitioners linked to/from Patient-specific resources).",MAY,Server,,,,
674
+ hl7.fhir.uv.smart-app-launch_2.2.0,139,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#patient-specific-scopes,"if a FHIR server supports linking one Patient record with another via `Patient.link`, the server documentation SHALL describe its authorization behavior.",SHALL,Server,,,,
675
+ hl7.fhir.uv.smart-app-launch_2.2.0,140,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#user-level-scopes,[When granting u]ser-level scopes [servers promise to] allow [the client] access to specific data that a user can access. Note that this isn’t just data about the user; it’s data available to that user.,SHALL,Server,,,,
676
+ hl7.fhir.uv.smart-app-launch_2.2.0,141,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#user-level-scopes,[To request u]ser-level scopes start [the scope string] with `user/`.,SHALL,Client,,,,
677
+ hl7.fhir.uv.smart-app-launch_2.2.0,142,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#system-level-scopes,"[When granting s]ystem-level scopes [servers promise to allow access to] data that a client system is directly authorized to access; these scopes are useful in cases where there is no user in the loop, such as a data monitoring or reporting service.",SHALL,Server,,,,
678
+ hl7.fhir.uv.smart-app-launch_2.2.0,143,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#system-level-scopes,[To request s]ystem-level scopes start [the scope string] with `system/`.,SHALL,Client,,,,
679
+ hl7.fhir.uv.smart-app-launch_2.2.0,144,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,"[When granting w]ildcard scopes…[servers promise to allow access to] all data for all available FHIR resources, both now and in the future.",SHALL,Server,,,,
680
+ hl7.fhir.uv.smart-app-launch_2.2.0,145,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,[T]he scopes ultimately granted by the authorization server may differ from the scopes requested by the client!,MAY,Server,,,,
681
+ hl7.fhir.uv.smart-app-launch_2.2.0,146,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,"[To request] Wildcard scopes [the scope string SHALL] contain a wildcard (`*`) for the FHIR resource [e.g., `patient/*.cruds`]",SHALL,Client,,,,
682
+ hl7.fhir.uv.smart-app-launch_2.2.0,147,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,clients should examine the granted scopes by the authorization server and respond accordingly. Failure to do so may lead to situations where the client receives an authorization failure by the FHIR server because it attempted to access FHIR resources beyond the granted scopes.,SHOULD,Client,,,,
683
+ hl7.fhir.uv.smart-app-launch_2.2.0,148,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#wildcard-scopes,clients are encouraged to request only the scopes and permissions they need to function and avoid the use of wildcard scopes purely for the sake of convenience,SHOULD,Client,,,,
684
+ hl7.fhir.uv.smart-app-launch_2.2.0,149,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,[Context data scopes tell ther server] what context parameters will [SHALL] be provided in the access token response,SHALL,Server,,,,
685
+ hl7.fhir.uv.smart-app-launch_2.2.0,150,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,To request access to …[context data] an app [SHALL] ask for “launch context” scopes in addition to whatever FHIR Resource access scopes it needs.,SHALL,Client,,,,
686
+ hl7.fhir.uv.smart-app-launch_2.2.0,151,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"To request access to …[context data, the scope string SHALL] begin with `launch`.",SHALL,Client,,,,
687
+ hl7.fhir.uv.smart-app-launch_2.2.0,152,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,[When clients n]eed patient context at launch time (FHIR Patient resource)[ they SHALL request the `launch/patient` scope].,SHALL,Client,,,,
688
+ hl7.fhir.uv.smart-app-launch_2.2.0,153,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,[When clients n]eed encounter context at launch time (FHIR Encounter resource)[ they SHALL request the `launch/encounter` scope].,SHALL,Client,,,,
689
+ hl7.fhir.uv.smart-app-launch_2.2.0,154,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,Any SMART EHR MAY extend this list [of context scopes] to support additional context [beyond patient and encounter[..,MAY,Server,,,,
690
+ hl7.fhir.uv.smart-app-launch_2.2.0,155,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When specifying resource types [for additional launch contexts], convert the type names to all lowercase (e.g., launch/diagnosticreport)",SHALL,Client,,,,
691
+ hl7.fhir.uv.smart-app-launch_2.2.0,156,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"In situations where the same resource type might be used for more than one purpose (e.g., in a medication reconciliation app, one List of at-home medications and another List of in-hospital medications), the app can [(and SHALL if needed)] solicit [launch] context with a specific role by appending `?role={role}` [to the end of the launch context scope].",SHALL,Client,,,,
692
+ hl7.fhir.uv.smart-app-launch_2.2.0,157,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,When using `?role=` in launch context requests: Each requested scope can include at most one role.,SHOULD,Client,,,,
693
+ hl7.fhir.uv.smart-app-launch_2.2.0,158,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: ... If an app requires multiple roles, it MAY request multiple scopes",MAY,Client,,,,
694
+ hl7.fhir.uv.smart-app-launch_2.2.0,159,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: … If an EHR receives a request for an unsupported role, it SHOULD return any launch context supported for the supplied resource type.",SHOULD,Server,,,,
695
+ hl7.fhir.uv.smart-app-launch_2.2.0,160,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-context-data,"When using `?role=` in launch context requests: … If an EHR receives a request for an unsupported role, … It MAY return alternative roles.",SHOULD,Server,,,,
696
+ hl7.fhir.uv.smart-app-launch_2.2.0,161,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"Apps that launch from the EHR will be passed an explicit URL parameter called `launch`, whose value must associate the app’s authorization request with the current EHR session.",SHALL,Client,,,,
697
+ hl7.fhir.uv.smart-app-launch_2.2.0,162,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The application [that launches from an EHR] could choose to also provide `launch/patient`, `launch/encounter`, or other `launch/` scopes as “hints” regarding which contexts the app would like the EHR to gather.",MAY,Client,,,,
698
+ hl7.fhir.uv.smart-app-launch_2.2.0,163,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The EHR MAY ignore these hints [regarding which contexts the app would like the EHR to gather] (for example, if the user is in a workflow where these contexts do not exist).",MAY,Server,,,,
699
+ hl7.fhir.uv.smart-app-launch_2.2.0,164,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"If an application requests a FHIR Resource scope which is restricted to a single patient (e.g., patient/*.rs), and the authorization results in the EHR granting that scope, the EHR SHALL establish a patient in context.",SHALL,Server,,,,
700
+ hl7.fhir.uv.smart-app-launch_2.2.0,165,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#apps-that-launch-from-the-ehr,"The EHR MAY refuse authorization requests including `patient/` that do not also include a valid `launch`, or it MAY infer the `launch/patient` scope.",MAY,Server,,,,
701
+ hl7.fhir.uv.smart-app-launch_2.2.0,166,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#standalone-apps,Standalone apps that launch outside the EHR do not have any EHR context at the outset. These apps must explicitly request EHR context.,SHALL,Client,,,,
702
+ hl7.fhir.uv.smart-app-launch_2.2.0,167,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#standalone-apps,"[when a standalone app requests EHR context] The EHR SHOULD provide the requested context if requested by the following scopes, unless otherwise noted.",SHOULD,Server,,,,
703
+ hl7.fhir.uv.smart-app-launch_2.2.0,168,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"Once an app is authorized, the token response will include any context data the app requested and any (potentially) unsolicited context data the EHR may decide to communicate",SHALL,Server,,,,
704
+ hl7.fhir.uv.smart-app-launch_2.2.0,169,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"Once an app is authorized, the token response will include any … [l]aunch context parameters [and] come alongside the access token… [which SHALL] appear as JSON parameters.",SHALL,Server,,,,
705
+ hl7.fhir.uv.smart-app-launch_2.2.0,170,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"[The] launch context parameter... `patient`... [SHALL contain a s]tring value with a patient id, indicating that the app was launched in the context of FHIR Patient... If the app has any patient-level scopes, they will be scoped to Patient [provided in this parameter].",SHALL,Server,,,,
706
+ hl7.fhir.uv.smart-app-launch_2.2.0,171,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,"[The] launch context parameter... `encounter`... [SHALL contain a s]tring value with an encounter id, indicating that the app was launched in the context of FHIR Encounter",SHALL,Server,,,,
707
+ hl7.fhir.uv.smart-app-launch_2.2.0,172,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `fhirContext`... [SHALL contain an a]rray of objects referring to any resource type other than “Patient” or “Encounter”.,SHALL,Server,,,,
708
+ hl7.fhir.uv.smart-app-launch_2.2.0,173,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `need_patient_banner`... [SHALL contain a] boolean value indicating whether the app was launched in a UX context where a patient banner is required (when true) or may not be required (when false). An app receiving a value of false might not need to take up screen real estate displaying a patient banner.,SHALL,Server,,,,
709
+ hl7.fhir.uv.smart-app-launch_2.2.0,174,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `intent`... [SHALL contain a s]tring value describing the intent of the application launch,SHALL,Server,,,,
710
+ hl7.fhir.uv.smart-app-launch_2.2.0,175,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `smart_style_url`... [SHALL contain a s]tring URL where the EHR’s style parameters can be retrieved (for apps that support [styling](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#styling)),SHALL,Server,,,,
711
+ hl7.fhir.uv.smart-app-launch_2.2.0,176,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-context-arrives-with-your-access_token,[The] launch context parameter... `tenant`... [SHALL contain a s]tring conveying an opaque identifier for the healthcare organization that is launching the app. This parameter is intended primarily to support EHR Launch scenarios.,SHALL,Server,,,,
712
+ hl7.fhir.uv.smart-app-launch_2.2.0,177,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"{A]ny contextual resource types that were requested by a launch scope will appear in the `fhirContext` array... except ... Patient and Encounter resource types, which will not be deprecated from top-level parameters, and they will not be permitted within the `fhirContex`t array unless they include a `role` other than ""launch"".",SHALL,Server,,,,
713
+ hl7.fhir.uv.smart-app-launch_2.2.0,178,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array SHALL include at least one of `""reference""`, `""canonical""`, or `""identifier""`",SHALL,Server,,,,
714
+ hl7.fhir.uv.smart-app-launch_2.2.0,179,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""reference""` (string) … [which is the] relative reference to a FHIR resource. Note that there MAY be more than one fhirContext item referencing the same type of resource.",MAY,Server,,,,
715
+ hl7.fhir.uv.smart-app-launch_2.2.0,180,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,Note that there MAY be more than one fhirContext item referencing the same type of resource [using the property `reference`].,MAY,Server,,,,
716
+ hl7.fhir.uv.smart-app-launch_2.2.0,181,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""canonical""` (string) … [which is the] canonical URL for the `fhirContext` item (MAY include a version suffix)",MAY,Server,,,,
717
+ hl7.fhir.uv.smart-app-launch_2.2.0,182,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[The `canonical` property in a `fhirContext` array object] MAY include a version suffix),MAY,Server,,,,
718
+ hl7.fhir.uv.smart-app-launch_2.2.0,183,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""identifier""` (object) … [which is the] FHIR Identifier for the `fhirContext` item",MAY,Server,,,,
719
+ hl7.fhir.uv.smart-app-launch_2.2.0,184,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""type""` (string) … [which is the] FHIR resource type of the `fhirContext` item (RECOMMENDED when `""identifier""` or `""canonical""` is present)",MAY,Server,,,,
720
+ hl7.fhir.uv.smart-app-launch_2.2.0,185,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"[The `type` property in a `fhirContext` array object is] RECOMMENDED when `""identifier""` or `""canonical""` is present)",SHOULD,Server,,,,
721
+ hl7.fhir.uv.smart-app-launch_2.2.0,186,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"Each object in the `fhirContext` array… MAY contain [the property] `""role""` (string) … [which is the] URI identifying the role of this `fhirContext` item.",MAY,Server,,,,
722
+ hl7.fhir.uv.smart-app-launch_2.2.0,187,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[The `role` property in a `fhirContext` array object may contain r]elative role URIs ... if [they are] defined in this specification; other roles require the use of absolute URIs,MAY,Server,,,,
723
+ hl7.fhir.uv.smart-app-launch_2.2.0,188,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,[O]ther roles [defined outside of this specification] require the use of absolute URIs [when used in the `role` property in a `fhirContext` array object],SHALL,Server,,,,
724
+ hl7.fhir.uv.smart-app-launch_2.2.0,189,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,This [`role`] property MAY be omitted,MAY,Server,,,,
725
+ hl7.fhir.uv.smart-app-launch_2.2.0,190,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,This [`role`] property... SHALL NOT be the empty string.,SHOULD NOT,Server,,,,
726
+ hl7.fhir.uv.smart-app-launch_2.2.0,191,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,"The absence of a role property [in a `fhirContext` array object] is semantically equivalent to a role of `""launch""`, indicating to a client [which SHALL interpret it to mean] that the app launch was performed in the context of the referenced resource.",SHALL,Client,,,,
727
+ hl7.fhir.uv.smart-app-launch_2.2.0,192,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#fhircontext-exp,Multiple `fhirContext` items MAY have the same role.,MAY,Server,,,,
728
+ hl7.fhir.uv.smart-app-launch_2.2.0,193,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-intent,"If a SMART EHR provides a value that the client does not recognize, or does not provide a value, the client app SHOULD display a default application UI context.",SHOULD,Client,,,,
729
+ hl7.fhir.uv.smart-app-launch_2.2.0,194,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#launch-intent,The meaning of intent values must be negotiated between the app and the EHR.,SHALL,Server,,,,
730
+ hl7.fhir.uv.smart-app-launch_2.2.0,195,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,Some apps need to authenticate the end-user. This can be accomplished by requesting the scope `openid`.,MAY,Client,,,,
731
+ hl7.fhir.uv.smart-app-launch_2.2.0,196,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"When the `openid` scope is requested, apps can [(if a FHIR representation of the user is needed, SHALL,)] also request the `fhirUser` scope to obtain a FHIR resource representation of the current user",SHALL,Client,,true,,
732
+ hl7.fhir.uv.smart-app-launch_2.2.0,197,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"If the EHR cannot represent the user with a FHIR resource, it cannot support the `fhirUser` scope.",SHALL,Server,,,,
733
+ hl7.fhir.uv.smart-app-launch_2.2.0,198,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [instance returned from the `fhirUser` URL] will be a resource of type Patient, Practitioner, PractitionerRole, RelatedPerson, or Person",SHALL,Server,,,,
734
+ hl7.fhir.uv.smart-app-launch_2.2.0,199,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Note that [the] `Person` [resource type] is only used if the other resource types do not apply to the current user, for example, the “authorized representative” for >1 patients [would be a Person since RelatedPerson can be associated only with a single Patient].",SHOULD,Server,,,,
735
+ hl7.fhir.uv.smart-app-launch_2.2.0,200,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"When these [identity data] scopes are requested (and the request is granted), the [server SHALL send and the] app will receive an [`id_token`](http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken) that comes alongside the access token.",SHALL,Server,,,,
736
+ hl7.fhir.uv.smart-app-launch_2.2.0,201,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,This token must be [validated according to the OIDC specification](http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) [by the client app].,SHALL,Client,,,,
737
+ hl7.fhir.uv.smart-app-launch_2.2.0,202,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To learn more about the user, the app should treat the `fhirUser` claim as the URL of a FHIR resource representing the current user [and SHALL perform a FHIR read interaction to get it].",SHALL,Client,,,,
738
+ hl7.fhir.uv.smart-app-launch_2.2.0,203,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [`fhirUser`] URL MAY be absolute (e.g., https://ehr.example.org/Practitioner/123)",MAY,Server,,,,
739
+ hl7.fhir.uv.smart-app-launch_2.2.0,204,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"This [`fhirUser`] URL ... MAY be relative to the FHIR server base URL associated with the current authorization request (e.g., Practitioner/123)…. Note that the FHIR server base URL is the same as the URL represented in the aud parameter passed in to the authorization request.",MAY,Server,,,,
740
+ hl7.fhir.uv.smart-app-launch_2.2.0,205,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support the Authorization Code Flow, with the request parameters as defined in [SMART App Launch](https://hl7.org/fhir/smart-app-launch/STU2.2/app-launch.html).",SHALL,Server,,,,
741
+ hl7.fhir.uv.smart-app-launch_2.2.0,206,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … Support is not required for [Authorization Code Flow] parameters that OIDC lists as optional (e.g., `id_token_hint`, `acr_value`), but EHRs are encouraged to review these optional parameters.",MAY,Server,,,,
742
+ hl7.fhir.uv.smart-app-launch_2.2.0,207,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, …The EHR SHALL publish public keys as bare JWK keys",SHALL,Server,,,,
743
+ hl7.fhir.uv.smart-app-launch_2.2.0,208,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,[If the EHR publishes public keys as bare JWK keys they] MAY also be accompanied by X.509 representations of those keys,MAY,Server,,,,
744
+ hl7.fhir.uv.smart-app-launch_2.2.0,209,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support the inclusion of SMART’s `fhirUser` claim within the `id_token` issued for any requests that grant the `openid` and `fhirUser` scopes.",SHALL,Server,,,,
745
+ hl7.fhir.uv.smart-app-launch_2.2.0,210,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … The EHR SHALL support Signing ID Tokens with RSA SHA-256",SHALL,Server,,,,
746
+ hl7.fhir.uv.smart-app-launch_2.2.0,211,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"To be considered compatible with the SMART’s sso-openid-connect capability, … A SMART app SHALL NOT pass the `auth_time` claim or `max_age` parameter to a server that does not support receiving them.",SHALL NOT,Client,,,,
747
+ hl7.fhir.uv.smart-app-launch_2.2.0,212,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including … `claims` parameters on the authorization request",MAY,Server,,,,
748
+ hl7.fhir.uv.smart-app-launch_2.2.0,213,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including] … Request Objects on the authorization request",MAY,Server,,,,
749
+ hl7.fhir.uv.smart-app-launch_2.2.0,214,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-identity-data,"Servers MAY include support for [OpenID Connect features, including] … UserInfo endpoint with claims exposed to clients",MAY,Server,,,,
750
+ hl7.fhir.uv.smart-app-launch_2.2.0,215,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-a-refresh-token,"To request a `refresh_token` that can be used to obtain a new access token after the current access token expires, add [the] `online_request` [scope that requests a refresh token that] … will be usable for as long as the end-user remains online.",SHALL,Client,,,,
751
+ hl7.fhir.uv.smart-app-launch_2.2.0,216,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#scopes-for-requesting-a-refresh-token,"To request a `refresh_token` that can be used to obtain a new access token after the current access token expires, add [the] `offline_access`[Scope that requests a refresh token] … that will remain usable for as long as the authorization server and end-user will allow, regardless of whether the end-user is online.",SHALL,Client,,,,
752
+ hl7.fhir.uv.smart-app-launch_2.2.0,217,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#extensibility,"additional context parameters and scopes … [defined by the server and] used as extensions … [SHOULD use] the following namespace conventions _use a full URI that you control (e.g., http://example.com/scope-name) [or] _use any string starting with `__` (two underscores)",SHOULD,Server,,,,
753
+ hl7.fhir.uv.smart-app-launch_2.2.0,218,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#steps-for-using-an-id-token,"[to use and ID token, Apps SHALL]
754
+ 1. Examine the ID token for its “issuer” property
755
+ 2.Perform a `GET {issuer}/.well-known/openid-configuration`
756
+ 3.Fetch the server’s JSON Web Key by following the “jwks_uri” property [from the retrieved `openid-configuration`]
757
+ 4. Validate the token’s signature against the public key [retrieved from the ""jwks_uri"" location in the token's `openid-configuration`]
758
+ 5.Extract the fhirUser claim [from the verified token] and treat it as the URL of a FHIR resource",SHALL,Client,,,,
759
+ hl7.fhir.uv.smart-app-launch_2.2.0,219,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#appendix-uri-representation-of-scopes,"When URI representations are required, the SMART scopes SHALL be prefixed with `http://smarthealthit.org/fhir/scopes/`, so that a `patient/*.r` scope would be `http://smarthealthit.org/fhir/scopes/patient/*.r`",SHALL,Client,,,,
760
+ hl7.fhir.uv.smart-app-launch_2.2.0,220,https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html#appendix-uri-representation-of-scopes,"To represent OpenID scopes as URIs, the prefix `http://openid.net/specs/openid-connect-core-1_0#` SHALL be used.",SHALL,Client,,,,
761
+ hl7.fhir.uv.smart-app-launch_2.2.0,221,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#use-this-profile-when-the-following-conditions-all-apply,[Clients SHALL] use [the Backend Services] profile when... The target FHIR authorization server can register the client and pre-authorize access to a defined set of FHIR resources.,DEPRECATED,Client,,,,
762
+ hl7.fhir.uv.smart-app-launch_2.2.0,222,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#use-this-profile-when-the-following-conditions-all-apply,"[Clients SHALL] use [the Backend Services] profile when... The client may run autonomously, or with user interaction that does not include access authorization.",DEPRECATED,Client,,,,
763
+ hl7.fhir.uv.smart-app-launch_2.2.0,223,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#use-this-profile-when-the-following-conditions-all-apply,[Clients SHALL] use [the Backend Services] profile when...The client supports `client-confidential-asymmetric` [authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html),DEPRECATED,Client,,,,
764
+ hl7.fhir.uv.smart-app-launch_2.2.0,224,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#use-this-profile-when-the-following-conditions-all-apply,[Clients SHALL] use [the Backend Services] profile when... No compelling need exists for a user to authorize the access at runtime.,DEPRECATED,Client,,,,
765
+ hl7.fhir.uv.smart-app-launch_2.2.0,225,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#register-smart-backend-service-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL register with the server by following the [registration steps described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys).",SHALL,Client,,,,
766
+ hl7.fhir.uv.smart-app-launch_2.2.0,226,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#retrieve-well-knownsmart-configuration,"[T]he app [SHALL discover] the EHR FHIR server’s SMART configuration metadata, including OAuth token endpoint URL",SHALL,Client,,,,
767
+ hl7.fhir.uv.smart-app-launch_2.2.0,227,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request,The app [SHALL issue] an HTTP GET with an `Accept` header supporting `application/json` to retrieve the SMART configuration file [from [base]/.well-known/smart-configuration],SHALL,Client,,,,
768
+ hl7.fhir.uv.smart-app-launch_2.2.0,228,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response,Servers [SHALL] respond [to requests to [base]/.well-known/smart-configuration] with a discovery response that meets [discovery requirements described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#discovery-requirements). [from [base]/.well-known/smart-configuration],SHALL,Server,,,,
769
+ hl7.fhir.uv.smart-app-launch_2.2.0,229,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#obtain-access-token,Use of the client credentials grant type requires that the client SHALL be a “confidential” client capable of protecting its authentication credential.,SHALL,Client,,,,
770
+ hl7.fhir.uv.smart-app-launch_2.2.0,230,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,"To begin the exchange, the client SHALL use the [Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246)](https://tools.ietf.org/html/rfc5246) or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the FHIR authorization server’s token endpoint.",SHALL,Client,,,,
771
+ hl7.fhir.uv.smart-app-launch_2.2.0,231,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,All exchanges described herein between the client and the FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS .,SHALL,Server,,,,
772
+ hl7.fhir.uv.smart-app-launch_2.2.0,232,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,All exchanges described herein between the client and the FHIR server SHALL be secured using TLS V1.2 or a more recent version of TLS .,SHALL,Client,,,,
773
+ hl7.fhir.uv.smart-app-launch_2.2.0,233,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,"Before a client can request an access token, it [SHALL] generates a one-time-use authentication JWT [as described in `client-confidential-asymmetric` authentication](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint)",SHALL,Client,,,,
774
+ hl7.fhir.uv.smart-app-launch_2.2.0,234,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,"After generating this authentication JWT, the client requests an access token via HTTP `POST` to the FHIR authorization server’s token endpoint URL, using content-type `application/x-www-form-urlencoded`",SHALL,Client,,,,
775
+ hl7.fhir.uv.smart-app-launch_2.2.0,235,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,[When requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `scope` [parameter is] `required` [and SHALL contain] … the scope of access requested ... following the [SMART Scopes syntax](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html),SHALL,Client,,,,
776
+ hl7.fhir.uv.smart-app-launch_2.2.0,236,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `grant_type` [parameter is] `required` [and SHALL contain the] … Fixed value: `client_credentials`,SHALL,Client,,,,
777
+ hl7.fhir.uv.smart-app-launch_2.2.0,237,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `client_assertion_type` [parameter is] `required` [and SHALL contain] … Fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,
778
+ hl7.fhir.uv.smart-app-launch_2.2.0,238,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-1,[when requesting] an access token via HTTP POST to the FHIR authorization server’s token endpoint URL [the] `client_assertion` [parameter is] `required` [and SHALL contain] … [the s]igned authentication JWT value,SHALL,Client,,,,
779
+ hl7.fhir.uv.smart-app-launch_2.2.0,239,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#scopes,"For Backend Services, requested scopes will be `system/` scopes",SHOULD,Client,,,,
780
+ hl7.fhir.uv.smart-app-launch_2.2.0,240,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#scopes,"The client is pre-authorized by the server. In other words, by the time a client initiates an access token request, the server has already associated the client with the authority to access certain data.",SHALL,Server,,,,
781
+ hl7.fhir.uv.smart-app-launch_2.2.0,241,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#scopes,"The client then includes a set of scopes in the access token request [`scope` parameter], which the server … [SHALL] apply [as] additional access restrictions following the SMART Scopes syntax.",SHALL,Server,,,,
782
+ hl7.fhir.uv.smart-app-launch_2.2.0,242,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#scopes,"The use of Backend Services with user/ and patient/ scopes is not prohibited, but would require out-of-band coordination to establish context (e.g., to establish which user or patient applies).",MAY,Client,,,,
783
+ hl7.fhir.uv.smart-app-launch_2.2.0,243,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that it is not authorized to see (e.g., a client asks for Observation resources but has scopes that only permit access to Patient resources) …a server SHOULD respond with a failure to the initial request.",SHOULD,Server,,,,
784
+ hl7.fhir.uv.smart-app-launch_2.2.0,244,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that the server does not support (e.g., a client asks for Practitioner resources but the server does not support FHIR access to Practitioner data) ... a server SHOULD respond with a failure to the initial request.",SHOULD,Server,,,,
785
+ hl7.fhir.uv.smart-app-launch_2.2.0,245,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"[When a] Client explicitly asks for data that the server supports and that appears consistent with its access scopes – but some additional out-of-band rules/policies/restrictions prevents the client from being authorized to see these data... the server MAY withhold certain results from the response, and MAY indicate to the client that results were withheld by including OperationOutcome information in the “error” array for the response as a partial success.",MAY,Server,,,,
786
+ hl7.fhir.uv.smart-app-launch_2.2.0,246,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"[When a server does not return data that the clien's scopes indicate it has access to, it] MAY indicate to the client that results were withheld by including OperationOutcome information in the “error” array for the response as a partial success.",MAY,Server,,,,
787
+ hl7.fhir.uv.smart-app-launch_2.2.0,247,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,"Rules regarding circumstances under which a client is required to obtain and present an access token along with a request are based on risk-management decisions that each FHIR resource service needs to [(SHALL)] make, considering the workflows involved, perceived risks, and the organization’s risk-management policies.",SHALL,Server,,,,
788
+ hl7.fhir.uv.smart-app-launch_2.2.0,248,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#enforce-authorization,Refresh tokens SHOULD NOT be issued.,SHOULD NOT,Server,,,,
789
+ hl7.fhir.uv.smart-app-launch_2.2.0,249,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#validate-authentication-jws,The FHIR authorization server [SHALL validate] a client’s authentication JWT according to the client-confidential-asymmetric authentication profile … [per the] [JWT validation rules](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification).,SHALL,Server,,,,
790
+ hl7.fhir.uv.smart-app-launch_2.2.0,250,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#evaluate-requested-access,"Once the client has been authenticated, the FHIR authorization server SHALL mediate the request to assure that the scope requested is within the scope pre-authorized to the client.",SHALL,Server,,,,
791
+ hl7.fhir.uv.smart-app-launch_2.2.0,251,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"If an error is encountered during the authorization process, the FHIR authorization server SHALL respond with the appropriate error message defined in [Section 5.2 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749#page-45)",SHALL,Server,,,,
792
+ hl7.fhir.uv.smart-app-launch_2.2.0,252,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"If an error is encountered during the authorization process, [t]he FHIR authorization server SHOULD include an `error_uri` or `error_description` as defined in OAuth 2.0.",SHOULD,Server,,,,
793
+ hl7.fhir.uv.smart-app-launch_2.2.0,253,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"If the access token request is valid and authorized, the FHIR authorization server SHALL issue an access token in response.",SHALL,Server,,,,
794
+ hl7.fhir.uv.smart-app-launch_2.2.0,254,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `access_token` [parameter is] `required` [and] SHALL [contain] The access token issued by the FHIR authorization server.,SHALL,Server,,,,
795
+ hl7.fhir.uv.smart-app-launch_2.2.0,255,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `token_type` [parameter is] `required` [and] SHALL [contain] Fixed value: bearer.,SHALL,Server,,,,
796
+ hl7.fhir.uv.smart-app-launch_2.2.0,256,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `expires_in` [parameter is] `required` [and] SHALL [contain] The lifetime in seconds of the access token.,SHALL,Server,,,,
797
+ hl7.fhir.uv.smart-app-launch_2.2.0,257,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"[When responding with an access token t]he recommended value [for the `expires_in` parameter] is 300, for a five-minute token lifetime.",SHOULD,Server,,,,
798
+ hl7.fhir.uv.smart-app-launch_2.2.0,258,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `scope` [parameter is] `required` [and] SHALL [contain s]cope of access authorized.,SHALL,Server,,,,
799
+ hl7.fhir.uv.smart-app-launch_2.2.0,259,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token t]he `scope` [parameter value] can be different from the scopes requested by the app.,SHALL,Server,,,,
800
+ hl7.fhir.uv.smart-app-launch_2.2.0,260,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"to minimize risks associated with token redirection, the scope of each access token SHOULD encompass, and be limited to, the resources requested",SHOULD,Server,,,,
801
+ hl7.fhir.uv.smart-app-launch_2.2.0,261,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,[When responding with an access token a]ccess tokens issued under this [backed services] profile SHALL be short-lived,SHALL,Server,,,,
802
+ hl7.fhir.uv.smart-app-launch_2.2.0,262,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"[When responding with an access token t]he `expires_in` value SHOULD NOT exceed 300, which represents an expiration-time of five minutes.",SHOULD NOT,Server,,,,
803
+ hl7.fhir.uv.smart-app-launch_2.2.0,263,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#issue-access-token,"To establish longer-term access [using backend services given the short-lived duration of access tokens], clients can request new access tokens as needed.",SHOULD,Client,,,,
804
+ hl7.fhir.uv.smart-app-launch_2.2.0,264,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#request-2,The app [SHALL issue] a request [for FHIR data[ that includes an Authorization header that presents the access_token as a “Bearer” token: `Authorization: Bearer {{access_token}}`,SHALL,Client,,,,
805
+ hl7.fhir.uv.smart-app-launch_2.2.0,265,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response-2,The resource server SHALL validate the access token and ensure that it has not expired,SHALL,Server,,,,
806
+ hl7.fhir.uv.smart-app-launch_2.2.0,266,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response-2,The resource server SHALL validate the access token and ensure … that its scope covers the requested resource,SHALL,Server,,,,
807
+ hl7.fhir.uv.smart-app-launch_2.2.0,267,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response-2,"On occasion, a Backend Service [client] may receive a FHIR resource that contains a “reference” to a resource hosted on a different resource server. The Backend Service [client] SHOULD NOT blindly follow such references and send along its access_token, as the token may be subject to potential theft",SHOULD NOT,Client,,,,
808
+ hl7.fhir.uv.smart-app-launch_2.2.0,268,https://hl7.org/fhir/smart-app-launch/STU2.2/backend-services.html#response-2,"On occasion, a Backend Service may receive a FHIR resource that contains a “reference” to a resource hosted on a different resource server… The Backend Service [client] SHOULD either ignore the reference, or initiate a new request for access to that resource.",SHOULD,Client,,,,
809
+ hl7.fhir.uv.smart-app-launch_2.2.0,269,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,"SMART on FHIR EHRs SHOULD support Token Introspection, which allows a broader ecosystem of resource servers to leverage authorization decisions managed by a single authorization server.",SHOULD,Server,,,,
810
+ hl7.fhir.uv.smart-app-launch_2.2.0,270,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,Token Introspection is conducted [and clients SHALL make requests] according to [RFC 7662: OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662),SHALL,Client,,,,
811
+ hl7.fhir.uv.smart-app-launch_2.2.0,271,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#token-introspection,Token Introspection is conducted [and servers SHALL respond] according to [RFC 7662: OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662),SHALL,Server,,,,
812
+ hl7.fhir.uv.smart-app-launch_2.2.0,272,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,"In the introspection response… the `active` field [is] required by RFC7662 (a boolean indicating whether the access token is active),",SHALL,Server,,,,
813
+ hl7.fhir.uv.smart-app-launch_2.2.0,273,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the `scope` [field a]s included in the original access token response,SHALL,Server,,,,
814
+ hl7.fhir.uv.smart-app-launch_2.2.0,274,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the `client_id`[field a]s included in the original access token response,SHALL,Server,,,,
815
+ hl7.fhir.uv.smart-app-launch_2.2.0,275,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the... `exp`[field] … [will be t]he integer timestamp indicates when the access token expires.,SHALL,Server,,,,
816
+ hl7.fhir.uv.smart-app-launch_2.2.0,276,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#required-fields-in-the-introspection-response,[T]he following fields SHALL be included in the introspection response:… the... `exp`[field] … will be consistent the with `expires_in` interval provided in the original access token response.,SHALL,Server,,,,
817
+ hl7.fhir.uv.smart-app-launch_2.2.0,277,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If a launch context parameter defined in [Scopes and Launch Context](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html) (e.g., `patient` or `intent`) was included in the original access token response, the parameter SHALL be included in the token introspection response.",SHALL,Server,,,,
818
+ hl7.fhir.uv.smart-app-launch_2.2.0,278,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the … [`iss`] claims from the ID Token SHALL be included in the Token Introspection response",SHALL,Server,,,,
819
+ hl7.fhir.uv.smart-app-launch_2.2.0,279,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the … [`sub`] claims from the ID Token SHALL be included in the Token Introspection response",SHALL,Server,,,,
820
+ hl7.fhir.uv.smart-app-launch_2.2.0,280,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#conditional-fields-in-the-introspection-response,"If an id_token was included in the original access token response, the [`fhirsuer`]... claims from the ID Token SHOULD be included in the Token Introspection response",SHOULD,Server,,,,
821
+ hl7.fhir.uv.smart-app-launch_2.2.0,281,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,SMART on FHIR EHRs MAY implement access control protecting the Token Introspection endpoint.,MAY,Server,,,,
822
+ hl7.fhir.uv.smart-app-launch_2.2.0,282,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,"If access control is implemented [on the token introspection endpoint], any client authorized to issue Token Introspection API calls SHALL be permitted to authenticate to the Token Introspection endpoint by providing an appropriately-scoped SMART App or SMART Backend Service bearer token in the Authorization header.",SHALL,Server,,,,
823
+ hl7.fhir.uv.smart-app-launch_2.2.0,283,https://hl7.org/fhir/smart-app-launch/STU2.2/token-introspection.html#authorization-to-perform-token-introspection,Clients authorized in this way [to acess an access-controlled token introspection endpoint] are [(SHALL be)] able to introspect tokens issued to any client,SHALL,Server,,,,
824
+ hl7.fhir.uv.smart-app-launch_2.2.0,284,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#use-this-profile-when-the-following-conditions-apply,"[Clients SHALL] Use [the Asymmetric porfile] when… The target FHIR authorization server supports SMART’s `client-confidential-asymmetric` capability, The client can manage asymmetric keys for authentication, [and] the client is able to protect a private key",DEPRECATED,Client,,,,
825
+ hl7.fhir.uv.smart-app-launch_2.2.0,285,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,[A] server [SHALL advertise] its support for SMART Confidential Clients with Asymmetric Keys by including the `client-confidential-asymmetric` capability at is `.well-known/smart-configuration` endpoint;,SHALL,Server,,,,
826
+ hl7.fhir.uv.smart-app-launch_2.2.0,286,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `token_endpoint`,",SHALL,Server,,,,
827
+ hl7.fhir.uv.smart-app-launch_2.2.0,287,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `scopes_supported`,",SHALL,Server,,,,
828
+ hl7.fhir.uv.smart-app-launch_2.2.0,288,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ...`token_endpoint_auth_methods_supported` (with values that include `private_key_jwt`),SHALL,Server,,,,
829
+ hl7.fhir.uv.smart-app-launch_2.2.0,289,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#advertising-server-support-for-this-profile,"[When supporting the `client-confidential-asymmetric`capability a server's .well-known/smart-configuration`] configuration properties [SHALL] include ... `token_endpoint_auth_signing_alg_values_supported` (with values that include at least one of `RS384`, `ES384`).",SHALL,Server,,,,
830
+ hl7.fhir.uv.smart-app-launch_2.2.0,290,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL generate or obtain an asymmetric key pair",SHALL,Client,,,,
831
+ hl7.fhir.uv.smart-app-launch_2.2.0,291,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Before a SMART client can run against a FHIR server, the client SHALL ... register its public key set with that FHIR server’s authorization service (referred to below as the “FHIR authorization server”).",SHALL,Client,,,,
832
+ hl7.fhir.uv.smart-app-launch_2.2.0,292,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"SMART does not require a standards-based registration process, but we encourage FHIR service implementers to consider using the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg)",SHOULD,Client,,,,
833
+ hl7.fhir.uv.smart-app-launch_2.2.0,293,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[Before using the `client-confidential-asymmetric`capability t]he client SHALL register the **public key** that the client will use to authenticate itself to the FHIR authorization server.,SHALL,Client,,,,
834
+ hl7.fhir.uv.smart-app-launch_2.2.0,294,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering a public key for the `client-confidential-asymmetric`capability t]he public key SHALL be conveyed to the FHIR authorization server in a [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) structure presented within a JWK Set, as defined in JSON Web Key Set (JWKS).",SHALL,Client,,,,
835
+ hl7.fhir.uv.smart-app-launch_2.2.0,295,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL protect the associated private key [for the `client-confidential-asymmetric`capability] from unauthorized disclosure and corruption.,SHALL,Client,,,,
836
+ hl7.fhir.uv.smart-app-launch_2.2.0,296,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[When registering clients to use the `client-confidential-asymmetric`capability] FHIR authorization servers SHALL support registration of client JWKs using … URL to JWK set,SHALL,Server,,,,
837
+ hl7.fhir.uv.smart-app-launch_2.2.0,297,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[When registering clients to use the `client-confidential-asymmetric`capability] FHIR authorization servers SHALL support registration of client JWKs using ... JWK Set directly,SHALL,Server,,,,
838
+ hl7.fhir.uv.smart-app-launch_2.2.0,298,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,clients SHALL choose a server-supported method [for communicating their JWKs] at registration time,SHALL,Client,,,,
839
+ hl7.fhir.uv.smart-app-launch_2.2.0,299,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering their JWKs to a server for use in the `client-confidential-asymmetric`capability`, clients SHOULD send a] URL to JWK Set (strongly preferred).",SHOULD,Client,,,,
840
+ hl7.fhir.uv.smart-app-launch_2.2.0,300,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[When registering their JWKs to a server for use in the `client-confidential-asymmetric`capability`, clients MAY send the] JWK Set directly (strongly discouraged)",MAY,Client,,,,
841
+ hl7.fhir.uv.smart-app-launch_2.2.0,301,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[For the URL to JWK Set method, the value SHALL be] the TLS-protected endpoint where the client’s public JWK Set can be found",SHALL,Client,,,,
842
+ hl7.fhir.uv.smart-app-launch_2.2.0,302,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[For the URL to JWK Set method to register a JWK for use in the `client-confidential-asymmetric`capability`, the value] ... SHALL be accessible via TLS without client authentication or authorization",SHALL,Client,,,,
843
+ hl7.fhir.uv.smart-app-launch_2.2.0,303,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[For the URL to JWK Set method to register a JWK for use in the `client-confidential-asymmetric`capability` t]he client SHOULD return a “Cache-Control” header in its JWKS response,SHOULD,Client,,,,
844
+ hl7.fhir.uv.smart-app-launch_2.2.0,304,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"If a client cannot host the JWK Set at a TLS-protected URL [when registering a JWK for use in the `client-confidential-asymmetric`capability,] it MAY supply the JWK Set directly to the FHIR authorization server at registration time",MAY,Client,,,,
845
+ hl7.fhir.uv.smart-app-launch_2.2.0,305,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[if Client supplies JWK set directly to the FHIR authorization server during registration for the `client-confidential-asymmetric`capability,] the FHIR authorization server SHALL protect the JWK Set from corruption.",SHALL,Server,,,,
846
+ hl7.fhir.uv.smart-app-launch_2.2.0,306,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"[if Client supplies JWK set directly to the FHIR authorization server during registration fro the `client-confidential-asymmetric`capability,] the FHIR authorization server ... SHOULD remind the client to send an update whenever the key set changes.",SHOULD,Server,,,,
847
+ hl7.fhir.uv.smart-app-launch_2.2.0,307,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL be capable of generating a JSON Web Signature in accordance with [RFC7515](https://tools.ietf.org/html/rfc7515).,SHALL,Client,,,,
848
+ hl7.fhir.uv.smart-app-launch_2.2.0,308,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL support ... `RS384` … for the JSON Web Algorithm (JWA) header parameter as defined in [RFC7518](https://tools.ietf.org/html/rfc7518).,SHALL,Client,,,,
849
+ hl7.fhir.uv.smart-app-launch_2.2.0,309,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The client SHALL support ... `ES384` for the JSON Web Algorithm (JWA) header parameter as defined in [RFC7518](https://tools.ietf.org/html/rfc7518).,SHALL,Client,,,,
850
+ hl7.fhir.uv.smart-app-launch_2.2.0,310,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,The FHIR authorization server SHALL be capable of validating signatures with at least one of `RS384` or `ES384`.,SHALL,Server,,,,
851
+ hl7.fhir.uv.smart-app-launch_2.2.0,311,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,servers MAY support … additional algorithms for signature validation [when using the `client-confidential-asymmetric`capability].,MAY,Server,,,,
852
+ hl7.fhir.uv.smart-app-launch_2.2.0,312,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,clients ... MAY … use additional algorithms for signature validation [when using the `client-confidential-asymmetric`capability].,MAY,Client,,,,
853
+ hl7.fhir.uv.smart-app-launch_2.2.0,313,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"No matter how a JWK Set is communicated to the FHIR authorization server, each JWK SHALL represent an asymmetric key by including `kty` and `kid` properties, with content conveyed using “bare key” properties (i.e., direct base64 encoding of key material as integer values)",SHALL,Client,,,,
854
+ hl7.fhir.uv.smart-app-launch_2.2.0,314,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"For RSA public keys, each JWK SHALL include `n` and `e` values (modulus and exponent)",SHALL,Client,,,,
855
+ hl7.fhir.uv.smart-app-launch_2.2.0,315,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"For ECDSA public keys, each JWK SHALL include `crv`, `x`, and `y` values (curve, x-coordinate, and y-coordinate, for EC keys)",SHALL,Client,,,,
856
+ hl7.fhir.uv.smart-app-launch_2.2.0,316,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,"Upon registration, the client SHALL be assigned a `client_id`",SHALL,Server,,,,
857
+ hl7.fhir.uv.smart-app-launch_2.2.0,317,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#registering-a-client-communicating-public-keys,[T]he client SHALL use [their assigned `client_id`] when requesting an access token.,SHALL,Client,,,,
858
+ hl7.fhir.uv.smart-app-launch_2.2.0,318,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#authenticating-to-the-token-endpoint,"the client SHALL use the [Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246)](https://tools.ietf.org/html/rfc5246) or a more recent version of TLS to authenticate the identity of the FHIR authorization server and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the FHIR authorization server’s token endpoint.",SHALL,Client,,,,
859
+ hl7.fhir.uv.smart-app-launch_2.2.0,319,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"Before a client can request an access token, it SHALL generate a one-time-use JSON Web Token (JWT) that will be used to authenticate the client to the FHIR authorization server.",SHALL,Client,,,,
860
+ hl7.fhir.uv.smart-app-launch_2.2.0,320,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,The authentication JWT … SHALL be signed with the client’s private key (which SHOULD be an `RS384` or `ES384` signature).,SHALL,Client,,,,
861
+ hl7.fhir.uv.smart-app-launch_2.2.0,321,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`alg`[Authentication JWT header value is] `required` [and SHALL contain t]he JWA algorithm (e.g., RS384, ES384) used for signing the authentication JWT.",SHALL,Client,,,,
862
+ hl7.fhir.uv.smart-app-launch_2.2.0,322,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`kid`[Authentication JWT header value is] `required` [and SHALL contain t]he identifier of the key-pair used to sign this JWT [which] SHALL be unique within the client's JWK Set.,SHALL,Client,,,,
863
+ hl7.fhir.uv.smart-app-launch_2.2.0,323,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`typ`[header value is] `required`[with] Fixed value: JWT.,SHALL,Client,,,,
864
+ hl7.fhir.uv.smart-app-launch_2.2.0,324,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`jku`[header value is] `optional` [and contains t]he TLS-protected URL to the JWK Set that contains the public key(s) accessible without authentication or authorization.,MAY,Client,,,,
865
+ hl7.fhir.uv.smart-app-launch_2.2.0,325,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"When [the `jku` Authentication JWT header value is] present, this SHALL match the JWKS URL value that the client supplied to the FHIR authorization server at client registration time.",SHALL,Client,,,,
866
+ hl7.fhir.uv.smart-app-launch_2.2.0,326,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"When [the `jku` Authentication JWT header value is] absent, the FHIR authorization server SHOULD fall back on the JWK Set URL or the JWK Set supplied at registration time.",SHOULD,Server,,,,
867
+ hl7.fhir.uv.smart-app-launch_2.2.0,327,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`iss`[claim is] `required`… [and] SHALL [contain the] Issuer of the JWT --the client's `client_id`, as determined during registration with the FHIR authorization server",SHALL,Client,,,,
868
+ hl7.fhir.uv.smart-app-launch_2.2.0,328,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`sub`[claim is] `required`… [and] SHALL [contain] The client's `client_id`, as determined during registration with the FHIR authorization server (note that this is the same as the value for the iss claim)",SHALL,Client,,,,
869
+ hl7.fhir.uv.smart-app-launch_2.2.0,329,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`aud`[claim is] `required`… [and] SHALL [contain] The FHIR authorization server's ""token URL"" (the same URL to which this authentication JWT will be posted)",SHALL,Client,,,,
870
+ hl7.fhir.uv.smart-app-launch_2.2.0,330,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,"[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`exp`[claim is] `required`… [and] SHALL [contain the] Expiration time integer for this authentication JWT, expressed in seconds since the ""Epoch"" (1970-01-01T00:00:00Z UTC). This time S",SHALL,Client,,,,
871
+ hl7.fhir.uv.smart-app-launch_2.2.0,331,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`exp`[claim] ... SHALL be no more than five minutes in the future.,SHALL,Client,,,,
872
+ hl7.fhir.uv.smart-app-launch_2.2.0,332,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When] a client generate[s] a one-time-use JSON Web Token (JWT)… [the]`jti`[claim is] `required`… [and] SHALL [contain a] nonce string value that uniquely identifies this authentication JWT,SHALL,Client,,,,
873
+ hl7.fhir.uv.smart-app-launch_2.2.0,333,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When the client requests an access token] … [the]`client_assertion_type`[parameter is] `required`… [and] SHALL [contain the] Fixed value: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,SHALL,Client,,,,
874
+ hl7.fhir.uv.smart-app-launch_2.2.0,334,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#request,[When the client requests an access token] … [the]`client_assertion`[parameter is] `required`… [and] SHALL [contain the] Signed authentication JWT value,SHALL,Client,,,,
875
+ hl7.fhir.uv.smart-app-launch_2.2.0,335,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,The FHIR authorization server SHALL validate the JWT according to the processing requirements defined in [Section 3 of RFC7523](https://tools.ietf.org/html/rfc7523#section-3) including validation of the signature on the JWT,SHALL,Server,,,,
876
+ hl7.fhir.uv.smart-app-launch_2.2.0,336,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,"The FHIR authorization server SHALL … check that the `jti` value has not been previously encountered for the given `iss` within the maximum allowed authentication JWT lifetime (e.g., 5 minutes). This check prevents replay attacks.",SHALL,Server,,,,
877
+ hl7.fhir.uv.smart-app-launch_2.2.0,337,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,The FHIR authorization server SHALL … ensure that the `client_id` provided is known and matches the JWT’s `iss` claim.,SHALL,Server,,,,
878
+ hl7.fhir.uv.smart-app-launch_2.2.0,338,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,"To resolve a key to verify signatures, a FHIR authorization server SHALL follow this algorithm:
879
+
880
+ 1. If the `jku` header is present, verify that the jku is whitelisted (i.e., that it matches the JWKS URL value supplied at registration time for the specified `client_id`).
881
+
882
+ a. If the jku header is not whitelisted, the signature verification fails.
883
+ b. If the jku header is whitelisted, create a set of potential keys by dereferencing the jku URL. Proceed to step 3.
884
+
885
+ 2. If the `jku` header is absent, create a set of potential key sources consisting of all keys found in the registration-time JWKS or found by dereferencing the registration-time JWK Set URL. Proceed to step 3.
886
+
887
+ 3. Identify a set of candidate keys by filtering the potential keys to identify the single key where the `kid` matches the value supplied in the client's JWT header, and the kty is consistent with the signature algorithm supplied in the client's JWT header (e.g., `RSA` for a JWT using an RSA-based signature, or `EC` for a JWT using an EC-based signature). If no keys match, or more than one key matches, the verification fails.
888
+
889
+ 4. Attempt to verify the JWK using the key identified in step 3.",SHALL,Server,,,,
890
+ hl7.fhir.uv.smart-app-launch_2.2.0,339,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#signature-verification,To retrieve the keys from a JWKS URL ... a FHIR authorization server [SHALL issue] a HTTP GET request for that URL to obtain a JWKS response.,SHALL,Server,,,,
891
+ hl7.fhir.uv.smart-app-launch_2.2.0,340,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,"If an error is encountered during the authentication process, the server SHALL respond with an `invalid_client error` as defined by the [OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749#section-5.2).",SHALL,Server,,,,
892
+ hl7.fhir.uv.smart-app-launch_2.2.0,341,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,The FHIR authorization server SHALL NOT cache a JWKS for longer than the client’s cache-control header indicates.,SHALL NOT,Server,,,,
893
+ hl7.fhir.uv.smart-app-launch_2.2.0,342,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html#response,The FHIR authorization server SHOULD cache a client’s JWK Set according to the client’s cache-control header; it doesn’t need to retrieve it anew every time.,SHALL NOT,Server,,,,
894
+ hl7.fhir.uv.smart-app-launch_2.2.0,343,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#profile-audience-and-scope,SMART App Launch clients that can maintain a secret but cannot manage asymmetric keypairs [may use the] … SMART’s `client-confidential-symmetric` authentication mechanism. This profile is not intended for SMART Backend Services clients.,MAY,Client,,,,
895
+ hl7.fhir.uv.smart-app-launch_2.2.0,344,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#profile-audience-and-scope,This [ `client-confidential-symmetric`] profile is not intended for [severs to use with] SMART Backend Services clients.,SHALL NOT,Server,,,,
896
+ hl7.fhir.uv.smart-app-launch_2.2.0,345,https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html#authentication-using-a-client_secret,"If a client has registered for Client Password authentication (i.e., it possesses a client_secret that is also known to the EHR), the client authenticates by supplying an Authorization header with HTTP Basic authentication, where the username is the app’s client_id and the password is the app’s client_secret.",SHALL,Client,,,,
897
+ hl7.fhir.uv.smart-app-launch_2.2.0,346,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capability-sets,A SMART on FHIR server SHOULD support one or more Capability Sets.,SHOULD,Server,,,,
898
+ hl7.fhir.uv.smart-app-launch_2.2.0,347,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capability-sets,"External implementation guides MAY define additional capabilities to be discovered through this same mechanism. IGs published by HL7 MAY use simple strings to represent additional capabilities (e.g., example-new-capability); IGs published by other organizations SHALL use full URIs to represent additional capabilities (e.g., http://sdo.example.org/example-new-capability).",DEPRECATED,,,,,
899
+ hl7.fhir.uv.smart-app-launch_2.2.0,348,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Patient Access for Standalone Apps [Capability Set, a server SHALL support the following capabilities:]
900
+ 1. `launch-standalone`
901
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
902
+ 3. `context-standalone-patient`
903
+ 4. `permission-patient `",SHALL,Server,,,,
904
+ hl7.fhir.uv.smart-app-launch_2.2.0,349,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Patient Access for EHR Launch (i.e. from Portal) [Capability Set, a server SHALL support the following capabilities:]
905
+ 1.` launch-ehr`
906
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
907
+ 3.`context-ehr-patient`
908
+ 4. `permission-patient`",SHALL,Server,,,,
909
+ hl7.fhir.uv.smart-app-launch_2.2.0,350,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Clinician Access for Standalone [Capability Set, a server SHALL support the following capabilities:]
910
+ 1. `launch-standalone`
911
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
912
+ 3. `permission-user`
913
+ 4. `permission-patient `",SHALL,Server,,,,
914
+ hl7.fhir.uv.smart-app-launch_2.2.0,351,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#patient-access-for-standalone-apps,"[To support the ] Clinician Access for EHR Launch [Capability Set, a server SHALL support the following capabilities:]
915
+ 1. `launch-ehr`
916
+ 2. At least one of `client-public` or `client-confidential-symmetric`; and MAY support `client-confidential-asymmetric`
917
+ 3. `context-ehr-patient` support
918
+ 4. `context-ehr-encounter` support
919
+ 5. `permission-user
920
+ 6. `permission-patient `",SHALL,Server,,,,
921
+ hl7.fhir.uv.smart-app-launch_2.2.0,352,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `launch-ehr` [capability SHALL provide] support for SMART’s EHR Launch mode.,SHALL,Server,,,,
922
+ hl7.fhir.uv.smart-app-launch_2.2.0,353,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `launch-standalone` [capability SHALL provide] support for SMART’s Standalone Launch mode,SHALL,Server,,,,
923
+ hl7.fhir.uv.smart-app-launch_2.2.0,354,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `authorize-post` [capability SHALL provide] support for POST-based authorization,SHALL,Server,,,,
924
+ hl7.fhir.uv.smart-app-launch_2.2.0,355,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-public` [capability SHALL provide] support for SMART’s public client profile (no client authentication).,SHALL,Server,,,,
925
+ hl7.fhir.uv.smart-app-launch_2.2.0,356,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-confidential-symmetric` [capability SHALL provide] support for SMART’s symmetric confidential client profile (“client secret” authentication). See [Client Authentication: Symmetric](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-symmetric.html),SHALL,Server,,,,
926
+ hl7.fhir.uv.smart-app-launch_2.2.0,357,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `client-confidential-asymmetric` [capability SHALL provide] support for SMART’s asymmetric confidential client profile (“JWT authentication”). See [Client Authentication: Asymmetric](https://hl7.org/fhir/smart-app-launch/STU2.2/client-confidential-asymmetric.html).,SHALL,Server,,,,
927
+ hl7.fhir.uv.smart-app-launch_2.2.0,358,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `sso-openid-connect` [capability SHALL provide] support for SMART’s OpenID Connect profile,SHALL,Server,,,,
928
+ hl7.fhir.uv.smart-app-launch_2.2.0,359,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `context-banner` [capability SHALL provide] support for “need patient banner” launch context (conveyed via need_patient_banner token parameter).,SHALL,Server,,,,
929
+ hl7.fhir.uv.smart-app-launch_2.2.0,360,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `context-style` [capability SHALL provide] support for `SMART style URL` launch context (conveyed via smart_style_url token parameter). This capability is deemed experimental.,SHALL,Server,,,,
930
+ hl7.fhir.uv.smart-app-launch_2.2.0,361,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-ehr-patient` [capability SHALL provide] support for patient-level launch context (requested by `launch/patient` scope, conveyed via patient token parameter)",SHALL,Server,,,,
931
+ hl7.fhir.uv.smart-app-launch_2.2.0,362,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-ehr-encounter` [capability SHALL provide] support for encounter-level launch context (requested by `launch/encounter` scope, conveyed via `encounter` token parameter)",SHALL,Server,,,,
932
+ hl7.fhir.uv.smart-app-launch_2.2.0,363,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-standalone-patient` [capability SHALL provide] support for patient-level launch context (requested by `launch/patient` scope, conveyed via` patient` token parameter)",SHALL,Server,,,,
933
+ hl7.fhir.uv.smart-app-launch_2.2.0,364,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `context-standalone-encounter` [capability SHALL provide] support for encounter-level launch context (requested by `launch/encounter` scope, conveyed via `encounter` token parameter)",SHALL,Server,,,,
934
+ hl7.fhir.uv.smart-app-launch_2.2.0,365,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `permission-offline` [capability SHALL provide] support for “offline” refresh tokens (requested by `offline_access` scope),SHALL,Server,,,,
935
+ hl7.fhir.uv.smart-app-launch_2.2.0,366,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-online` [capability SHALL provide] support for “online” refresh tokens requested during EHR Launch (requested by `online_access` scope). This capability is deemed experimental, providing the input to a scope negotiation that could result in granting an online or offline refresh token (see [Scopes and Launch Context](https://hl7.org/fhir/smart-app-launch/STU2.2/scopes-and-launch-context.html)).",SHALL,Server,,,,
936
+ hl7.fhir.uv.smart-app-launch_2.2.0,367,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-patient` [capability SHALL provide] support for patient-level scopes (e.g., `patient/Observation.rs`)",SHALL,Server,,,,
937
+ hl7.fhir.uv.smart-app-launch_2.2.0,368,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-user` [capability SHALL provide] support for user-level scopes (e.g., `user/Appointment.rs`)",SHALL,Server,,,,
938
+ hl7.fhir.uv.smart-app-launch_2.2.0,369,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-v1` [capability SHALL provide] support for SMARTv1 scope syntax (e.g., patient/Observation.read)",SHALL,Server,,,,
939
+ hl7.fhir.uv.smart-app-launch_2.2.0,370,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,"[Servers listing the] `permission-v2` [capability SHALL provide] support for SMARTv2 granular scope syntax (e.g., `patient/Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|vital-signs`)",SHALL,Server,,,,
940
+ hl7.fhir.uv.smart-app-launch_2.2.0,371,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#capabilities,[Servers listing the] `smart-app-state` [capability SHALL provide] support for managing [SMART App State](https://hl7.org/fhir/smart-app-launch/STU2.2/app-state.html).,SHALL,Server,,,,
941
+ hl7.fhir.uv.smart-app-launch_2.2.0,372,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,FHIR endpoints requiring authorization SHALL serve a JSON document at the location formed by appending `/.well-known/smart-configuration` to their base URL.,SHALL,Server,,,,
942
+ hl7.fhir.uv.smart-app-launch_2.2.0,373,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,"The server SHALL convey the FHIR OAuth authorization endpoints and any optional SMART Capabilities it supports using this “Well-Known Uniform Resource Identifiers (URIs)” JSON document (see [RFC5785](https://datatracker.ietf.org/doc/html/rfc5785)). Contrary to RFC5785 Appendix B.4, the `.well-known` path component may be appended even if the FHIR endpoint already contains a path component",SHALL,Server,,,,
943
+ hl7.fhir.uv.smart-app-launch_2.2.0,374,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,"Responses for `/.well-known/smart-configuration` requests SHALL be JSON, regardless of `Accept` headers provided in the request.",SHALL,Server,,,,
944
+ hl7.fhir.uv.smart-app-launch_2.2.0,375,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[C]lients MAY omit an `Accept` header [when requesting the `/.well-known/smart-configuration`],MAY,Client,,,,
945
+ hl7.fhir.uv.smart-app-launch_2.2.0,376,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] servers MAY ignore any client-supplied Accept headers,MAY,Server,,,,
946
+ hl7.fhir.uv.smart-app-launch_2.2.0,377,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] servers SHALL respond with application/json,SHALL,Server,,,,
947
+ hl7.fhir.uv.smart-app-launch_2.2.0,378,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,[In responses for `/.well-known/smart-configuration` requests] All endpoint URLs in the response document SHALL be absolute URLs.,SHALL,Server,,,,
948
+ hl7.fhir.uv.smart-app-launch_2.2.0,379,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#using-well-known,"Clients encountering relative endpoint URLs (e.g., in the context of legacy or non-conformant servers) SHOULD evaluate them relative to the FHIR Server Base URL following [RFC1808](https://datatracker.ietf.org/doc/html/rfc1808#section-4).",SHALL,Client,,,,
949
+ hl7.fhir.uv.smart-app-launch_2.2.0,380,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#response,A JSON document must be returned using the `application/json`mime type.,SHALL,Server,,,,
950
+ hl7.fhir.uv.smart-app-launch_2.2.0,381,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request] if the server’s capabilities include `sso-openid-connect`[the] ..Metadata`issuer`[is] required ... [and SHALL contain the] String conveying this system’s OpenID Connect Issuer URL,SHALL,Server,,,,
951
+ hl7.fhir.uv.smart-app-launch_2.2.0,382,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request] if the server’s capabilities include `sso-openid-connect`[the] ...Metadata ...`jwks_uri`[is] required [and Shall contain the] string conveying this system’s JSON Web Key Set URL,SHALL,Server,,,,
952
+ hl7.fhir.uv.smart-app-launch_2.2.0,383,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request] if server supports the `launch-ehr` or `launch-standalone` capability [the] ...Metadata ...`authorization_endpoint`[is] required … [and Shall contain the] URL to the OAuth2 authorization endpoint,SHALL,Server,,,,
953
+ hl7.fhir.uv.smart-app-launch_2.2.0,384,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`grant_types_supported`[is] required … [and Shall contain the] Array of grant types supported at the token endpoint. The options are “authorization_code” (when SMART App Launch is supported) and “client_credentials” (when SMART Backend Services is supported).,SHALL,Server,,,,
954
+ hl7.fhir.uv.smart-app-launch_2.2.0,385,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`token_endpoint`[is] required … [and Shall contain the] URL to the OAuth2 token endpoint.,SHALL,Server,,,,
955
+ hl7.fhir.uv.smart-app-launch_2.2.0,386,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`token_endpoint_auth_methods_supported`[is] OPTIONAL … [and Shall contain the] array of client authentication methods supported by the token endpoint. The options are “client_secret_post”, “client_secret_basic”, and “private_key_jwt”.",MAY,Server,,,,
956
+ hl7.fhir.uv.smart-app-launch_2.2.0,387,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`user_access_brand_bundle`[is] RECOMMENDED … [and Shall contain the] URL for a Brand Bundle. See User [Access Brands](https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html).,SHOULD,Server,,,,
957
+ hl7.fhir.uv.smart-app-launch_2.2.0,388,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`user_access_brand_identifier`[is] RECOMMENDED … [and Shall contain the] Identifier for the primary entry in a Brand Bundle. See User [Access Brands](https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html).,SHOULD,Server,,,,
958
+ hl7.fhir.uv.smart-app-launch_2.2.0,389,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`scopes_supported`[is] RECOMMENDED … [and Shall contain the] Array of scopes a client may request. See [scopes and launch context]. The server SHALL support all scopes listed here; additional scopes MAY be supported (so clients should not consider this an exhaustive list).,SHOULD,Server,,,,
959
+ hl7.fhir.uv.smart-app-launch_2.2.0,390,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`response_types_supported`[is] RECOMMENDED … [and Shall contain the] URL where an end-user can view which applications currently have access to data and can make adjustments to these access rights.,SHOULD,Server,,,,
960
+ hl7.fhir.uv.smart-app-launch_2.2.0,391,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`introspection_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to a server’s introspection endpoint that can be used to validate a token.,SHOULD,Server,,,,
961
+ hl7.fhir.uv.smart-app-launch_2.2.0,392,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`revocation_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to a server’s revoke endpoint that can be used to revoke a token.,SHOULD,Server,,,,
962
+ hl7.fhir.uv.smart-app-launch_2.2.0,393,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`capabilities`[is] REQUIRED … [and Shall contain the] Array of strings representing SMART capabilities (e.g., `sso-openid-connect` or `launch-standalone`) that the server supports.",SHALL,Server,,,,
963
+ hl7.fhir.uv.smart-app-launch_2.2.0,394,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`code_challenge_methods_supported`[is] REQUIRED … [and Shall contain the] Array of PKCE code challenge methods supported. The `S256` method SHALL be included in this list, and the `plain` method SHALL NOT be included in this list.",SHALL,Server,,,,
964
+ hl7.fhir.uv.smart-app-launch_2.2.0,395,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization ...that wishes to appear as a branded entity in user-facing apps ... [is] RECOMMENDED to define an Organization identifier where `system` is `urn:ietf:rfc:3986` and `value` is the HTTPS URL for the brand’s primary web presence, omitting any “www.” prefix from the domain and omitting any path component",SHOULD,Server,,,,
965
+ hl7.fhir.uv.smart-app-launch_2.2.0,396,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
966
+ SHALL publish at least a “primary brand” that references each FHIR endpoint in the Brand Bundle",SHALL,Server,,,,
967
+ hl7.fhir.uv.smart-app-launch_2.2.0,397,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
968
+ SHOULD support the publication of a more detailed Brand hierarchy",SHOULD,Server,,,,
969
+ hl7.fhir.uv.smart-app-launch_2.2.0,398,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
970
+ SHALL populate `Bundle.timestamp` to advertise the timestamp of the last change to the contents",SHALL,Server,,,,
971
+ hl7.fhir.uv.smart-app-launch_2.2.0,399,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
972
+ SHOULD populate `Bundle.entry.resource.meta.lastUpdated` with a more detailed timestamp if the system tracks updates per Resource.",SHOULD,Server,,,,
973
+ hl7.fhir.uv.smart-app-launch_2.2.0,400,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle…
974
+ SHALL support Cross-Origin Resource Sharing (CORS) for all GET requests to the artifacts described in this guide.",SHALL,Server,,,,
975
+ hl7.fhir.uv.smart-app-launch_2.2.0,401,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
976
+ SHOULD include a weak `Etag` header in all Brand Bundle HTTP responses",SHOULD,Server,,,,
977
+ hl7.fhir.uv.smart-app-launch_2.2.0,402,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any organization hosting or enabling management of a User Access Brand Bundle...
978
+ SHALL allow Health Data Providers to manage all data elements marked “Must-Support” in the [“User Access Brand”](https://hl7.org/fhir/smart-app-launch/STU2.2/StructureDefinition-user-access-brand.html) and [“User Access Endpoint”](https://hl7.org/fhir/smart-app-launch/STU2.2/StructureDefinition-user-access-endpoint.html) profiles",SHALL,Server,,,,
979
+ hl7.fhir.uv.smart-app-launch_2.2.0,403,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… SHALL support customer-supplied Organization identifiers (`system` and `value`),SHALL,Server,,,,
980
+ hl7.fhir.uv.smart-app-launch_2.2.0,404,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… MAY provide a Data Absent Reason of `asked-declined` or `asked-unknown` in a Brand Bundle,MAY,Server,,,,
981
+ hl7.fhir.uv.smart-app-launch_2.2.0,405,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any organization hosting or enabling management of a User Access Brand Bundle… SHALL NOT use Data Absent Reasons other than `asked-declined` or `asked-unknown` in a Brand Bundle,SHALL NOT,Server,,,,
982
+ hl7.fhir.uv.smart-app-launch_2.2.0,406,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle. SHOULD include `user_access_brand_bundle` and `user_access_brand_identifier` properties in the SMART configuration JSON respons,SHOULD,Server,,,,
983
+ hl7.fhir.uv.smart-app-launch_2.2.0,407,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any SMART on FHIR server that supports discovery of a User Access Brand Bundle... When populating `user_access_brand_bundle`
984
+ SHOULD link to a Bundle that includes only Brands and Endpoints affiliated with the Health Data Provider responsible for this SMART on FHIR server",SHOULD,Server,,,,
985
+ hl7.fhir.uv.smart-app-launch_2.2.0,408,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_bundle` MAY link to a Bundle with Brands or Endpoints for additional Health Data Providers,MAY,Server,,,,
986
+ hl7.fhir.uv.smart-app-launch_2.2.0,409,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle... When populating `user_access_brand_bundle` SHALL populate `user_access_brand_identifier` in SMART configuration JSON response if the `user_access_brand_bundle` refers to a Bundle with multiple Brands.,SHALL,Server,,,,
987
+ hl7.fhir.uv.smart-app-launch_2.2.0,410,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,"Any SMART on FHIR server that supports discovery of a User Access Brand Bundle...
988
+ When populating `user_access_brand_identifier`SHALL include a` value`",SHALL,Server,,,,
989
+ hl7.fhir.uv.smart-app-launch_2.2.0,411,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_identifier`SHOULD include a system,SHOULD,Server,,,,
990
+ hl7.fhir.uv.smart-app-launch_2.2.0,412,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR server that supports discovery of a User Access Brand Bundle… When populating `user_access_brand_identifier`SHALL ensure this identifier matches exactly one `Organization.identifier` in the referenced Brand Bundle,SHALL,Server,,,,
991
+ hl7.fhir.uv.smart-app-launch_2.2.0,413,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHOULD provide an `If-None-Match` header in all Brand Bundle requests to avoid re-fetching data that have not changed,SHOULD,Client,,,,
992
+ hl7.fhir.uv.smart-app-launch_2.2.0,414,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHOULD cache Brand Bundle responses by Etag,SHOULD,Client,,,,
993
+ hl7.fhir.uv.smart-app-launch_2.2.0,415,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#conformance-overview,Any SMART on FHIR app that leverages a User Access Brand Bundle SHALL select FHIR resources linked from the `.well-known/smart-configuration` if they differ from the resources in a vendor-consolidated Brand Bundle,SHALL,Client,,,,
994
+ hl7.fhir.uv.smart-app-launch_2.2.0,416,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#fhir-profiles,"For fine-grained organizational management, apps SHALL select the FHIR resources linked from .well-known/smart-configuration if they differ from the resources in a vendor-consolidated Brand Bundle.",SHALL,Client,,,,
995
+ hl7.fhir.uv.smart-app-launch_2.2.0,417,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Vendors SHALL publish at least a “primary brand” for each endpoint and SHOULD support the publication of a more detailed Brand hierarchy.,SHALL,Server,,,,
996
+ hl7.fhir.uv.smart-app-launch_2.2.0,418,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Brand Bundles SHALL populate `Bundle.timestamp` to advertise the timestamp of the last change to the contents,SHALL,Server,,,,
997
+ hl7.fhir.uv.smart-app-launch_2.2.0,419,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#brand-bundle-profile,Brand Bundles SHOULD populate `Bundle.entry.resource.meta.lastUpdated` with a more detailed timestamp if the system tracks updates per Resource.,SHALL,Server,,,,
998
+ hl7.fhir.uv.smart-app-launch_2.2.0,420,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,Apps can use a Brand’s Organization.identifier element to merge content published in multiple sources.,MAY,Client,,,,
999
+ hl7.fhir.uv.smart-app-launch_2.2.0,421,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,EHRs SHALL support customer-supplied identifiers (`system` and `value`).,SHALL,Server,,,,
1000
+ hl7.fhir.uv.smart-app-launch_2.2.0,422,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#consistent-identifiers-for-organizations,"It is RECOMMENDED that each Brand include an identifier where `system` is `urn:ietf:rfc: 3986` (meaning the identifier is a URL) and `value` is the HTTPS URL for the Brand’s primary web presence, omitting any “www.” prefix from the domain and omitting any path component.",SHOULD,Server,,,,
1001
+ hl7.fhir.uv.smart-app-launch_2.2.0,423,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#managing-cross-origin-resource-sharing-cors-for-fhir-resources,Publishers SHALL support [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) for all GET requests to the artifacts described in this guide.,SHALL,Server,,,,
1002
+ hl7.fhir.uv.smart-app-launch_2.2.0,424,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Publishers SHOULD include a weak `Etag` header in all HTTP responses.,SHOULD,Server,,,,
1003
+ hl7.fhir.uv.smart-app-launch_2.2.0,425,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Clients SHOULD cache responses by Etag,SHOULD,Client,,,,
1004
+ hl7.fhir.uv.smart-app-launch_2.2.0,426,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#caching-brand-bundles,Clients SHOULD … provide an `If-None-Match` header in all requests to avoid re-fetching data that have not changed,SHOULD,Client,,,,
1005
+ hl7.fhir.uv.smart-app-launch_2.2.0,427,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,FHIR servers supporting this [User-access Brands and Endpoints] IG SHOULD include the… `user_access_brand_bundle` property [containing the] URL of a Brand Bundle… in the SMART configuration JSON response,SHOULD,Server,,,,
1006
+ hl7.fhir.uv.smart-app-launch_2.2.0,428,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,FHIR servers supporting this [User-access Brands and Endpoints] IG SHOULD include the… `user_access_brand_identifier` property [containing the] FHIR Identifier for this server’s primary Brand within the Bundle… in the SMART configuration JSON response,SHOULD,Server,,,,
1007
+ hl7.fhir.uv.smart-app-launch_2.2.0,429,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,Publishers SHALL populate this [`user_access_brand_identifier`] property if the referenced Brand Bundle includes more than one Brand.,SHOULD,Server,,,,
1008
+ hl7.fhir.uv.smart-app-launch_2.2.0,430,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"When present, this [`user_access_brand_identifier`] identifier SHALL consist of a value",SHALL,Server,,,,
1009
+ hl7.fhir.uv.smart-app-launch_2.2.0,431,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"When present, this [`user_access_brand_identifier`] identifier … SHOULD have a system.",SHALL,Server,,,,
1010
+ hl7.fhir.uv.smart-app-launch_2.2.0,432,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,The Brand Bundle SHALL include exactly one Brand with an Organization.identifier that matches the primary Brand identifier from SMART configuration JSON.,SHALL,Server,,,,
1011
+ hl7.fhir.uv.smart-app-launch_2.2.0,433,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,The Brand Bundle SHOULD include only the Brands and Endpoints associated with the SMART on FHIR server that links to the Bundle.,SHOULD,Server,,,,
1012
+ hl7.fhir.uv.smart-app-launch_2.2.0,434,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,"the Brand Bundle MAY have additional Brands or Endpoints (e.g., supporting a publication pattern where endpoints from a given vendor might point to a comprehensive, centralized vendor-managed list).",MAY,Server,,,,
1013
+ hl7.fhir.uv.smart-app-launch_2.2.0,435,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#metadata-in-well-knownsmart-configuration,Note that the presence of an Endpoint in the Brand Bundle does not provide an implicit authorization to access the Endpoint. Clients that require access to the data provided by the FHIR Endpoints in the Brand Bundle can use SMART Configuration metadata to determine authorization requirements.,MAY,Client,,,,
1014
+ hl7.fhir.uv.smart-app-launch_2.2.0,436,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#must-support-definition-ms-and-data-absent-reasons,User Access Brand profile elements labeled as “must support” mean publishers must provide a way for Brands to populate the value,SHALL,Server,,,,
1015
+ hl7.fhir.uv.smart-app-launch_2.2.0,437,https://hl7.org/fhir/smart-app-launch/STU2.2/brands.html#must-support-definition-ms-and-data-absent-reasons,"If the EHR has asked, but a Brand administrator has not supplied a value, the EHR MAY provide a [Data Absent Reason](http://hl7.org/fhir/StructureDefinition/data-absent-reason) of `asked-declined` or `asked-unknown`. The EHR SHALL NOT use other Data Absent Reasons.",MAY,Server,,,,
1016
+ hl7.fhir.uv.smart-app-launch_2.2.0,438,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`registration_endpoint`[is] RECOMMENDED … [and Shall contain the] URL to the OAuth2 dynamic registration endpoint for this FHIR server.,SHOULD,Server,,,,
1017
+ hl7.fhir.uv.smart-app-launch_2.2.0,439,https://hl7.org/fhir/smart-app-launch/STU2.2/conformance.html#metadata,"[When responding to a `/.well-known/smart-configuration` request the] ...Metadata ...`associated_endpoints`[is] RECOMMENDED … [and Shall contain an a]rray of objects for endpoints that share the same authorization mechanism as this FHIR endpoint, each with a “url” and “capabilities” array.",SHOULD,Server,,,,