In order to provide better health care for the inhabitants of Norway, we need to share health information between different organizations. The national strategy is to provide APIs for prescriptions, health records, and other types of information in order to give patients the right treatment at the right time. However, health information is considered highly sensitive and must comply with health and privacy legislation. In order to fulfill these requirements, we have looked to OAuth 2.0 and the work being done on the OAuth 2.0 Security Best Current Practice (BCP) and the FAPI profile.
In this presentation I will talk about our use of OAuth 2.0 (and OIDC), and about some of the challenges and experiences we have had implementing these security guidelines and profiles.