HEART / Glossary

This page gathers definitions of the important terms used by the HEART specifications and related standards and profiles.

Additional terms:

  • SOAP
  • DSML
  • JWT
  • JSON
  • XML
  • REST
  • UMA RS

Health related:

  • FHIR
  • HPD
  • IHE
  • NPI
  • EHR / PHR / PGHD

access token
Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server. The token may denote an identifier used to retrieve the authorization information or may self-contain the authorization information in a verifiable manner (i.e., a token string consisting of some data and a signature). Additional authentication credentials, which are beyond the scope of this specification, may be required in order for the client to use a token. The access token provides an abstraction layer, replacing different authorization constructs (e.g., username and password) with a single token understood by the resource server. This abstraction enables issuing access tokens more restrictive than the authorization grant used to obtain them, as well as removing the resource server's need to understand a wide range of authentication methods. Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements.
authenticator
The means used to confirm the identity of a user, processor or device. Source: NIST SP 800-53 rev 4, based on information that NIST e-authentication guidance will be deprecating 'token' in favor of 'authenticator'.
authorization API token (AAT)
An OAuth access token with the scope uma_authorization, used by the client at the authorization API, consisting of the RPT endpoint. Ex: TBD
authorization data
Data associated with an RPT that enables some combination of the authorization server and resource server to determine the correct extent of access to allow to a client. Authorization data is a key part of the definition of an RPT profile. Ex: TBD.
authorization server
A server that issues authorization data and RPTs to a client and protects resources managed at a resource server. Ex: TBD.
authorization ticket
A correlation handle that is conveyed from an authorization server to a resource server, from a resource server to a client, and ultimately from a client back to an authorization server, to enable the authorization server to assess the correct policies to apply to a request for authorization data. Ex: TBD.
claim
A statement of the value or values of one or more identity attributes of a requesting party. Ex: A requesting party may need to provide claims to an authorization server in order to gain permission for access to a protected resource.
client
An application making protected resource requests with the resource owner's authorization and on the requesting party's behalf. Ex: The end-user may use a device as the client to access their data.
opt-in
To assent to the disclosure of health information. Ex: The patient reviewed the privacy policy and clicked the button to opt-in to the system.
opt-out
To dissent to disclosure of health information. Ex: The patient did not care for what she read in the privacy policy and decided to opt-out.
permission
A scope of access over a particular resource set at a particular resource server that is being requested by, or granted to, a requesting party. In authorization policy terminology, a permission is an entitlement that includes a "subject" (requesting party), "verbs" (one or more scopes of access), and an "object" (resource set). A permission is one example of authorization data. Ex: TBD.
permission registration endpoint
An endpoint at the authorization server that allows the resource server to request permission tickets. Ex: maybe include an example as well.
policy
The configuration parameters of an authorization server that effect resource access management. Authorization policies typically include elements similar to parts of speech; for example, "subjects" describe those seeking access (requesting parties and clients), "verbs" describe operational scopes of access, and "objects" describe targeted resource sets. Ex: Policy configuration is out of scope of the UMA Profile because policies are established by organizations rather than by SDOs.
protection API token (PAT)
An OAuth access token with the scope uma_protection, used by the resource server at the protection API, consisting of the resource set registration, permission registration, and token introspection endpoints. Ex: TBD
requesting party
An entity (end-user, corporation or other legal person) that uses a client to seek access to a protected resource. The requesting party may or may not be the same party as the resource owner. Ex: maybe include an example as well.
requesting party token (RPT)
An UMA access token associated with a set of authorization data, used by the client to gain access to protected resources at the resource server. Ex: maybe include an example as well.
resource owner
An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user. The resource owner is the "user" in User-Managed Access. This is typically an end-user but it can also be a corporation or other legal person. Example from RFC 6749: "an end-user (resource owner) can grant a printing service (client) access to her protected photos stored at a photo-sharing service (resource server), without sharing her username and password with the printing service. Instead, she authenticates directly with a server trusted by the photo-sharing service (authorization server), which issues the printing service delegation-specific credentials (access token)."
resource set
One or more protected resources to be abstractly managed by a resource server. Ex: The authorization policy identifies the resource set as the "object" being protected.
resource set registration endpoint
An endpoint at the authorization server that allows the resource server to register resource sets. Ex: TBD.
RPT endpoint
An endpoint at the authorization server that issues RPTs and authorization data to the client. Ex: TBD
scope
A bounded extent of access that is possible to perform on a resource set. In authorization policy terminology, a scope is one of the potentially many "verbs" that can logically apply to a resource set ("object"). UMA associates scopes with labeled resource sets. Ex: TBD
token
A packaged collection of data meant to be transmitted to another entity. For the NIST 800-63-2 usage of token, please see 'authenticator'. Ex: A token could be used for authorized access (an "access token"), or could be used to exchange information about a subject (a "claim token").
token introspection endpoint
An endpoint at the authorization server that allows the resource server to query the status of an RPT and its associated authorization data. Ex: TBD