Best practices from FAPI

[jkiddo]

Consider which constraints/best practices should be incorporated from e.g. https://oauth.net/fapi/ and see if we can hit common gound.

[jkiddo]

Add to that: https://chat.fhir.org/#narrow/stream/179226-norway/topic/recommended.20use.20of.20SMART.20or.20FAPI

[jkiddo]

@christiangasser-lakeside have you had any time to give this a jab?

[jkiddo]

@christiangasser-lakeside ping?

[christiangasser-lakeside]

We are already discouraging to use of shared keys for client authentication in DK-Smart, but otherwise I wouldn't be cherry-picking from the FAPI specifications. One of the key strength of the FAPI profile is IMHO its formal security proof, which you don't get by only incorporating parts of the spec.
However, we could suggest in dk-smart that one might consider using the FAPI 2.0 security profile (which is to be finalized in Q4 2024) together with DK-Smart for deployments with high security requirements.

[jkiddo]

@christiangasser-lakeside any change that you can provide some feedback back to the community on https://chat.fhir.org/#narrow/channel/179170-smart/topic/FAPI.202.2E0/near/523299080 ?