Implementation Guide
Health Device Data Transfer
Version 0.1.0 - ballot

Specification of health data transfer from devices to DiGA (§ 374a SGB V)

Authorization Endpoint

Introduction

This document describes the authorization endpoint of the OAuth 2.0 Authorization Server. The authorization endpoint is used to initiate the Authorization Code Flow. It is the endpoint where the patient (resource owner) is redirected for authentication and to give consent to a DiGA.

Unlike other endpoints, the authorization endpoint is called through the user agent (browser or app). It does not require Mutual-TLS client authentication, but it MUST strictly validate the client_id and redirect_uri.


Endpoint

Note: There is no strict definition of the authorization endpoint URL in RFC 6749. The URL below is a common convention. Device Data Recorder manufacturers MAY choose a different URL structure as long as it is properly documented in the OAuth 2.0 Authorization Server Metadata.

   
Endpoint: /authorize
HTTP Method: GET (via user agent redirect)
Description: Initiates the OAuth 2.0 Authorization Code Flow. The patient is authenticated at the OAuth2 Authorization Server and presented with a consent dialogue for the requested SMART scopes.
Authentication: User authentication (patient login). No Mutual-TLS client authentication.
Returned Objects: Authorization Code and State parameters (passed via redirect to DiGA redirect_uri).
Specifications:
• MUST comply with RFC 6749.
• MUST present requested SMART scopes in a human-readable form for patient consent.
• MUST generate and bind consent to a Pairing ID.
• MUST accept the following request parameters:
  • client_id
  • request_uri (from PAR).
Error codes:
• 400 (Invalid request)
• 401 (Unauthorized – authentication failure)
• 403 (Access denied – consent not given)
• 500 (Internal Server Error)

Example

Request (user agent redirect):

curl -G "https://himi.example.com/authorize" \
  --data-urlencode "client_id=urn:diga:bfarm:12345" \
  --data-urlencode "request_uri=urn:uuid:a1b2c3d4-5678-90ab-cdef-111213141516" \
  -v

Response (redirect to DiGA):

HTTP/1.1 302 Found
Location: https://diga.example.com/callback?
  code=SplxlOBeZQQYbYS6WxSbIA&
  state=af0ifjsldkj
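
The check the endpoint has to run on client_id and request_uri before any login or consent screen is shown, as an added example that is not part of this specification. It assumes a hypothetical in-memory PAR store and client registry (PushedRequest, AuthorizeError, validate_authorize_request and demo_store are illustrative names); the client binding, expiry and one-time-use checks follow RFC 9126, not a requirement stated on this page.

```python
import time
from dataclasses import dataclass

@dataclass
class PushedRequest:            # hypothetical record written by the PAR endpoint
    client_id: str
    redirect_uri: str
    state: str
    expires_at: float
    used: bool = False

class AuthorizeError(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status

def validate_authorize_request(params, par_store, registered_redirects, now=None):
    """Return the stored PushedRequest, or raise AuthorizeError(400).

    On any failure the caller renders an error page and does NOT redirect,
    because the redirect target itself is not yet trusted.
    """
    now = time.time() if now is None else now
    client_id = params.get("client_id")
    request_uri = params.get("request_uri")
    if not client_id or not request_uri:
        raise AuthorizeError(400, "client_id and request_uri are required")
    pushed = par_store.get(request_uri)
    if pushed is None:
        raise AuthorizeError(400, "unknown request_uri")
    if pushed.client_id != client_id:
        raise AuthorizeError(400, "request_uri was issued to another client")
    if pushed.used or now >= pushed.expires_at:
        raise AuthorizeError(400, "request_uri expired or already used")
    # redirect_uri comes from the pushed request, never from the query string,
    # and is compared by exact string match (no prefix or pattern matching).
    if pushed.redirect_uri not in registered_redirects.get(client_id, set()):
        raise AuthorizeError(400, "redirect_uri not registered for client")
    pushed.used = True          # one-time use: a replayed request_uri fails
    return pushed

def demo_store(now):
    """Constructed sample data reusing the identifiers from the example above."""
    uri = "urn:uuid:a1b2c3d4-5678-90ab-cdef-111213141516"
    store = {uri: PushedRequest("urn:diga:bfarm:12345",
                                "https://diga.example.com/callback",
                                "af0ifjsldkj", expires_at=now + 60)}
    registered = {"urn:diga:bfarm:12345": {"https://diga.example.com/callback"}}
    return uri, store, registered
```

The returned record supplies the redirect_uri and state for the 302 response once the patient has authenticated and consented.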