UDAP is a trust community protocol built on top of OAuth 2.0 (Open Authorization) and OIDC (OpenID Connect). It combines Public Key Infrastructure (PKI) with OAuth and OIDC to form the trust community protocol. A given trust community has one Certificate Authority (CA), or several, that issue X.509 certificates to all members of the community. These are not the same as the TLS (SSL) certificates that can be obtained by proving ownership of a domain, as with Let's Encrypt; the community's X.509 certificates are issued out of band, after the identity of the organization obtaining the certificate has been verified.
The public and private keys associated with the X.509 certificate serve as the signing and verifying keys for JSON Web Tokens (JWTs). The X.509 certificate itself is carried in the header of the JWT, which moves the authentication mechanism into the application layer, as opposed to, say, Mutual TLS (mTLS), where authentication sits between the application layer and the TCP/IP layer.
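To make the application-layer mechanism concrete, here is an added example (not code from the hl7-fhir-udap repositories) that uses only Ruby's standard OpenSSL library: it builds a toy trust community with one CA, issues a member certificate, signs a JWT that carries the member certificate in the JWS x5c header, and has the server side validate the certificate chain against the community CA before it checks the signature. The CA and member names, the claim set and the self-signed outsider are constructed for the example; the claims and flows a real UDAP JWT must carry are defined by the implementation guide.

```ruby
require 'openssl'
require 'base64'
require 'json'
B64URL = ->(s) { Base64.urlsafe_encode64(s, padding: false) } # JWS segments are unpadded base64url

# Issue an X.509 cert for +key+ (self-signed if no issuer; ca: true makes the toy community CA).
def issue_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1 << 63)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer, cert.public_key = (issuer || cert).subject, key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(nil, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Build an RS256 JWT carrying the signer's certificate in the x5c header: this
# is how UDAP moves the PKI credential into the application layer.
def sign_jwt(cert, key, claims)
  header = { alg: 'RS256', x5c: [Base64.strict_encode64(cert.to_der)] }
  input = "#{B64URL[header.to_json]}.#{B64URL[claims.to_json]}"
  "#{input}.#{B64URL[key.sign(OpenSSL::Digest.new('SHA256'), input)]}"
end

# Server-side check: take the certificate from x5c, require it to chain to a
# community CA in +store+, and only then verify the signature with its key.
def verify_jwt(token, store)
  h, p, s = token.split('.', 3)
  header = JSON.parse(Base64.urlsafe_decode64(h))
  raise 'unsupported alg' unless header['alg'] == 'RS256'
  cert = OpenSSL::X509::Certificate.new(Base64.strict_decode64(header.fetch('x5c').first))
  raise "untrusted certificate: #{store.error_string}" unless store.verify(cert)
  digest = OpenSSL::Digest.new('SHA256')
  raise 'bad signature' unless cert.public_key.verify(digest, Base64.urlsafe_decode64(s), "#{h}.#{p}")
  JSON.parse(Base64.urlsafe_decode64(p))
end

# Toy community: one CA, one enrolled member, one outsider whose correctly signed JWT must fail.
def demo
  ca_key, member_key, out_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = issue_cert('Trust Community CA', ca_key, ca: true)
  store = OpenSSL::X509::Store.new.tap { |st| st.add_cert(ca) }
  member = issue_cert('member.example.org', member_key, issuer: ca, issuer_key: ca_key)
  outsider = issue_cert('outsider.example.net', out_key)
  claims = { iss: 'https://member.example.org', exp: Time.now.to_i + 300 }
  accepted = verify_jwt(sign_jwt(member, member_key, claims), store)['iss']
  rejected = (verify_jwt(sign_jwt(outsider, out_key, claims), store) rescue $!.message)
  { member: accepted, outsider: rejected }
end
```

Calling `demo` returns the accepted member claim alongside the reason the outsider's JWT was refused; the outsider's signature would verify under its own certificate, which is exactly why the chain check against the community CA has to come first.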
This proof-of-concept reference implementation is a collection of four repositories that together form a full UDAP implementation. It adheres to the published Version 1.0 of the HL7 UDAP Security Implementation Guide.
Links to the four repositories in the collection:
At a base level, a full UDAP implementation will include a UDAP-enabled client and a UDAP-enabled server.
To build a UDAP-enabled client with our collection of repos, you will need:
To build a UDAP-enabled server with our collection of repos, you will need:
A good plan for building either a client or a server is to follow these steps:
- Start with UDAP Trusted Dynamic Registration
- Add one of the Authorization and Authentication methods. Many people start with Business to Business as it is less complex.
  - Business to Business (UDAP Client Credentials Flow)
  - Consumer Facing (UDAP Authorization Code Flow)
  - Tiered OAuth for User Authentication
At this point you will have one side (a client or a server) of a full UDAP implementation. You will need to build the other side to have a full implementation.
Client Overview

```mermaid
graph TD;
hl7-fhir-udap-common-->hl7-fhir-udap-client;
hl7-fhir-udap-client-->hl7-fhir-udap-client-test-ui;
```

Server Overview

```mermaid
graph TD;
hl7-fhir-udap-common-->hl7-fhir-udap-client;
hl7-fhir-udap-common-->hl7-fhir-udap-server;
hl7-fhir-udap-client-->hl7-fhir-udap-server;
```
If you have questions, concerns, bug reports, etc., file an issue in this repository's Issue Tracker.
See the CONTRIBUTING file for info on how to get involved.
hl7-fhir-udap-docs is open source software released under the Apache 2.0 license.
We would like to recognize the following people for their initial contributions to the project:
- Tom Loomis, Evernorth
- Dan Cinnamon, Okta