This repository has been archived by the owner on Sep 20, 2024. It is now read-only.
A single-page application (SPA) needs to access controlled data served from a FHIR server.
SPAs are vital because they are inexpensive to deploy and easy to develop. That means that graduate students and individual citizens can quickly develop applications for their areas of specialty and interest.
It might be acceptable to use OAuth etc., and require SPAs to use third-party servers like Okta or Auth0 because that is common in the corporate world. However, this should be a conscious decision because it presents a barrier to entry.
There should be a small number of access methods (ideally one) that an SPA will be required to implement to see controlled data across NCPI.
Example
The LHC FHIR Tools' Research Data Finder builds and downloads cohorts.
An aside about RAS w.r.t. this use case.
The current implementation of RAS falls short of ideal since it uses a modified OAuth flow that third-party providers do not support, so SPA creators must run servers for the sole purpose of enabling authentication. This limitation significantly raises the barrier to entry. However, as I understand the policy, NIH requires its ICs to support RAS (and I'm not sure NIH will permit other methods), so it may be the one method that NCPI selects.