View scope

Scope for the EPD Swiss CH:IUA profile

203 Assertions in Scope

Search Criteria

Id scheme
Assertion id
CH-IUACH-IUA-001The Token Introspection option of the IUA profile SHALL not be used.
CH-IUACH-IUA-002The IUA Authorization Server SHALL enforce authentication of the user by redirecting the mHealth App to the User Authentication Provider (Identity Provider) as described in Section 3.2.8.
CH-IUACH-IUA-003[ITI-103] At launch time the app may connect to the Authorization Server to retrieve the configuration data.
CH-IUACH-IUA-004[ITI-103] The Authorization Server responds with the configuration data and the Authorization Server endpoint the app shall direct the User Agent to.
CH-IUACH-IUA-005[ITI-103] The Authorization Client or Resource Server performs a HTTP GET request to the Authorization Server Well-Known URI.
CH-IUACH-IUA-006[ITI-103] The request SHALL neither use parameter nor body data.
CH-IUACH-IUA-007[ITI-103] The Authorization Server SHALL response with a HTTP response conveying a JSON formatted object as HTTP body element.
CH-IUACH-IUA-008[ITI-103] The JSON object SHALL convey "authorization_endpoint", "token_endpoint", "grant_types_supported", "capabilities", "issuer" and "jwks_uri".
CH-IUACH-IUA-009[ITI-103] The JSON object CAN convey "oken_endpoint_auth_methods", "registration_endpoint", "scopes_supported", "response_types_supported", "management_endpoint", "revocation_endpoint" and "access_token_format".
CH-IUACH-IUA-010[ITI-103] The Authorization Client or Resource Server MAY read the URL of the IUA Authorization Server and redirect the User Agent to the Authorization Server.
CH-IUACH-IUA-011[ITI-71] A mHealth App in the SMART Standalone Launch sequence SHALL perform the transaction first to get basic access to the Swiss EPR.
CH-IUACH-IUA-012[ITI-71] The IUA Authorization Server SHALL present a User Interface for the user to authenticate and provide user consent, or by validating against data stored at app registration time.
CH-IUACH-IUA-013[ITI-71] Once the mHealth App is authorized, it may launch other embedded mHealth Apps (or views) using the SMART EHR Launch Sequence.
CH-IUACH-IUA-014[ITI-71] If the mHealth App uses SMART EHR Launch Sequence, the embedded app inherits the basic access authorization from the launching app and may retrieve extended access token for EPR endpoints protected by the EPR role and attribute based authorization
CH-IUACH-IUA-015[ITI-71] HTTP conversation parameters SHALL be in accordance with Table 4 "Description of the HTTP conversation of the transaction".
CH-IUACH-IUA-016[ITI-71] HTTP request parameters SHALL be in accordance with Table 5 "Overview of the requests scope parameter".
CH-IUACH-IUA-017[ITI-71] The scope parameter of the request MAY claim launch, "purpose_of_use=token", "subject_role=token", "person_id=value" attributes
CH-IUACH-IUA-018[ITI-71] If launch attribute is present,the scope SHALL be used by all apps (or views) launched from a mHealth App which was authorized before.
CH-IUACH-IUA-019[ITI-71] If "purpose_of_use=token" attribute is present, the token SHALL convey the coded value of the current transactions purpose of use.
CH-IUACH-IUA-020[ITI-71] If "purpose_of_use=token" attribute is present, allowed values are NORM (normal access) and EMER (emergency access) from code system 2.16.756. of the CH:EPR value set. e.g. purpose_of_use=urn:oid:2.16.756.|NORM