Secure RESTful Interface Profile

Additional Downloads:

Phase 1 Briefing

Use Cases and Security Requirements

Security Analysis and Guidance

Pilot Overview Presentation

About This Project

The profiles and documents on these pages were created by The MITRE Corporation in 2014 for the United States Department of Veterans Affairs (VA). VA asked MITRE to design an approach to securing Representational State Transfer (RESTful) interfaces by profiling open standards for REST security. The goal was to create a common profile enabling VA and its partners to share information through RESTful APIs in a secure and interoperable way, using open standards.

About the Profiles

MITRE created draft profiles of OAuth 2.0 and OpenID Connect 1.0, along with explanatory presentations and security guidance. Profiling is the process of adding to or modifying a standard to tailor it for a specific use, through changes such as adding requirements, making optional features mandatory, or specifying implementation details that the original standard leaves unspecified. MITRE sought to accomplish three things in the profiles for OAuth and OpenID Connect:

The profiles were written to address basic, common aspects of OAuth and OpenID Connect security (such as specifying a format for OAuth access tokens) and intended for use across a wide range of use cases.

Public Release

Profiles for information sharing are only useful to the extent that they are adopted among information sharing partners. For this reason, these profiles have been left in "draft" status and publicly released to enable VA and MITRE to collaborate with other organizations that interact with the VA's systems.

It is also our hope that these profiles may be generally useful for other organizations (within and beyond the health care domain) seeking a standard and interoperable approach to securing REST interfaces. The profiles are released under a Creative Commons license, and are free to use with attribution.

Pilot Demonstration

MITRE is currently working on a demonstration of the profiles in action. The pilot scenario demonstrates the use of federated identity information and authorized cross-domain access to medical information. The pilot demonstration code will be released under an Open Source license and available on our GitHub site.

Prior Work

These profiles build on two prior VA and Office of the National Coordinator for Health IT (ONC) initiatives:

These prior efforts were focused on specific health use cases, whereas the profiles on this site address basic, fundamental security and interoperability concerns common to all implementations. They are deliberately use-case-agnostic in order to be widely applicable. Use-case-specific requirements, such as OAuth scopes tailored to the resources provided by a given API, would need to be addressed by further profiling.

Contact Us

If you have questions or suggestions, or are interested in using the profiles, please contact Mark Russell at The MITRE Corporation.