Use Cases and Security Requirements
The profiles and documents on these pages were created by The MITRE Corporation in 2014 for the United States Department of Veterans Affairs (VA). VA asked MITRE to design an approach to securing Represtentational State Transfer (RESTful) interfaces by profiling open standards for REST security. The goal was to create a common profile enabling VA and its partners to share information through RESTful APIs in a secure and interoperable way, using open standards.
MITRE created draft profiles of OAuth 2.0 and OpenID Connect 1.0 along with some explanatory presentations and security guidance. Profiling is the process of adding to or modifying standards to tailor them for a specific use through changes such as additional requirements, making optional features mandatory, or specifying implementation details left unspecified in the original standard. MITRE sought to accomplish three things in the profiles for OAuth and OpenID Connect:
The profiles were written to address basic, common aspects of OAuth and OpenID Connect security (such as specifying a format for OAuth access tokens) and intended for use across a wide range of use cases.
Profiles for information sharing are only useful to the extent that they are adopted among information sharing partners. For this reason, these profiles have been left in "draft" status and publicly released to enable VA and MITRE to collaborate with other organizations that interact with the VA's systems.
It is also our hope that these profiles may be generally useful for other organizations (within and beyond the health care domain) seeking a standard and interoperable approach to securing REST interfaces. The profiles are released under a Creative Commons license, adn are free to use with attribution.
MITRE is currently working on a demonstration of the profiles in action. The pilot scenario demonstrates the use of federated identity information and authorized cross-domain access to medical information. The pilot demonstration code will be released under an Open Source license and available on our GitHub site.
These profiles build on two prior VA and Office of the National Coordinator for Health IT (ONC) initiatives:
These prior efforts were focused on specific health use casese, whereas the profiles on this site address basic, fundamental security and interoperability concerns common to all implementations. They are deliberately use-case-agnostic in order to be widely applicable. Use-case-specific requirements, such as OAuth scopes tailored to the resources provided by a given API, would need to be addressed by further profiling.
If you have questions or suggestions, or are interested in using the profiles, please contact Mark Russell at The MITRE Corporation.