Patient Journey as seen by the Browser: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
 
(13 intermediate revisions by the same user not shown)
Line 8: Line 8:
| Term || Description
| Term || Description
|-
|-
IIdP ||. Identifier Provider ( may also provide attributes (claims) about the subject)
|User || An organic human being operating a computing device, typically a smartphone or laptop.
|-
|-
|User || An organic human being operating a computing device, typically a smartphone or laptop.
|User Agent || a software application that interfaces between the user and the internet. Typically a browser.
|-
|-
|  OIDC || OpenID Connect as per [OIDC.Core]
|  OIDC || OpenID Connect as per [OIDC.Core]
Line 18: Line 18:
|IdP || Identifier Provideer (may also include attributes or claim of the subject)
|IdP || Identifier Provideer (may also include attributes or claim of the subject)
|-
|-
| OP || OpenID Provider as per [OIDC.Core]
| OP || OpenID Provider (one form of IdP) as per [OIDC.Core]
|-
|-
|SIOP || Self-Issued OpenID Provider as per [OIDC.Core] section 7.
|SIOP || Self-Issued OpenID Provider as per [OIDC.Core] section 7.
Line 26: Line 26:
| CP || Claims provider, Certificate Provider, Credential Provider, Credential Service Provider, etc.
| CP || Claims provider, Certificate Provider, Credential Provider, Credential Service Provider, etc.
|-
|-
| Identity Wallet || An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc.
| Identifier Wallet || An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc.
|-
| DID AuthN || Refers to a method of proofing control over a DID for the purpose of authentication.
|-
|Verification Method || a more recent name for one instance of a DID AuthN
|-
|-
| Trust Authority || A URL endpoint that contains the references that define, inter alia, the operation of the picker and of the wallets
| Trust Authority || A URL endpoint that contains the references that define, inter alia, the operation of the picker and of the wallets
|-
|-
|Trusted Wallet || code trusted by one or more Trust Authorities to protect user secrets and perhaps to validate user presence.
|Trusted Wallet || code trusted by one or more Trust Authorities to protect user secrets and perhaps to validate user presence.
|-
| Identity Wallet || An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc.
|-
|JAM session || The period of time from when the user clicks on a link in the RP until the UI for the wallet is accepted by the user.
|}
|}


==Journey==
==Journey==
# User navigates to Relying Party Web site, for this journey it is a patient viewing a  patient portal. The patient portal may receive a cookie from a prior visit
# User navigates to Relying Party Web site, for this journey it is a patient viewing a  patient portal. The patient portal may receive a cookie from a prior visit
# This journey assumes that the user agent is not already in a communications "session" with the relying party website.
# RP displays one or more sign in options for the user (note that the patient view may be determined by the existence of a valid cookie)
# RP displays one or more sign in options for the user (note that the patient view may be determined by the existence of a valid cookie)
# The user clicks on one sign in option . At this point there is a fork in the journey based on the cookie.
# The user clicks on one sign in option . At this point there is a fork in the journey based on the cookie.


Fork one: User is apparently new as there is no existing cookie (A registration journey)
A registration journey is the fork taken if there is no cookie and the user itreated as a new user.
# Legacy journey would have the user sign into the portal using a local user name and password. That would be an and to the user journey.
# Legacy journey would have the user sign into the portal using a local user name and password. That would be an and to the user journey.
# User selects to use a federated sign in process. (Note that this process may be a related hospital group or some other federated idp.)
# User selects to use a federated sign in process. (Note that this process may be a related hospital group or some other federated idp.)
# User browser receives an HTTP 302 redirect message and the dip sign in page is displayed.
# User browser receives an HTTP 302 redirect message and the dip sign in page is displayed.
# The user completes a sign in process at the dip (which may have found its cookie on the user browser, or not)
# The user completes a sign in process at the IdP (which may have found its cookie on the user browser, or not)
# Port of the IdP message to the user is a list of the attributes (claims) tnat will be passed from the dip to the patient portal.
# Port of the IdP message to the user is a list of the attributes (claims) tnat will be passed from the dip to the patient portal.
# The IdP issues a redirect to the user browser with shows the patient portal home page customized for that users.
# The IdP issues a redirect to the user browser with shows the patient portal home page customized for that users.
# The user may need to locate their patient records on the patient portal which may ask the user for additional attributes (claims).
# The user may need to locate their patient records on the patient portal which may ask the user for additional attributes (claims).


Fork two the user device is recognized by the appearance of a cookie (A return journey)
A return journey is the fork taken if a cooke is found for this RP.
# A cookie is found which represents a current (unexpired) sign in session (ie the user is "signedin"). The user is immediately redirected to the portal patient page.
# A cookie is found which represents a current (unexpired) sign in session (ie the user is "signedin"). The user is immediately redirected to the portal patient page.
# A cookie is found which is expired or just has the user ID. The user is directed to a sign in Experience.
# A cookie is found which is expired or just has the user ID. The user is directed to a sign in Experience.
# The user rejects the ID proffered and skips to item 2 on the above, registration journey.
# The user is given the choice to continue with the identifier discovered or rejects that and skips to item 2 on the above, registration journey.
# The user continues onto the authentication steps.
# The user continues onto the authentication steps.


Sharing journey.
Sharing journey.
# The patient is at a patient portal and wishes to share data between to physician groups not on the same EHR community.
# The patient is at a patient portal and wishes to share data between to physician groups not on the same EHR community.
# The patient picks whether to share out or share into the current EHR.
# The patient picks whether to share out or share into the EHR whose portal the user is authenticated.
# These both require that the user be authenticated at both sites simultaneously if the user is mediating the transfer.
# Alternatively the user could download the data and then upload it in a separate step.
# Alternatively the user could provide a delegation authority to one site to acquire the data from the other.
# In this journey it wold be possible for the user to establish bi-lateral sharing between the sites so the future updates are pre-approved by the user.


==References==
==References==

Latest revision as of 15:03, 7 April 2021

Full Title

How the Patient journey is seen by the user agent (browser) on a user device.

Context

Patient journey, writing a proposal to present to BlinkDev, browser render engine people.

Term Description
User An organic human being operating a computing device, typically a smartphone or laptop.
User Agent a software application that interfaces between the user and the internet. Typically a browser.
OIDC OpenID Connect as per [OIDC.Core]
OAuth client Used synonymously with Relying Party (see RP)
IdP Identifier Provideer (may also include attributes or claim of the subject)
OP OpenID Provider (one form of IdP) as per [OIDC.Core]
SIOP Self-Issued OpenID Provider as per [OIDC.Core] section 7.
RP Relying Party, as used in [OIDC.Core] for any website the relies on claims produced by a CP for example an OP.
CP Claims provider, Certificate Provider, Credential Provider, Credential Service Provider, etc.
Identifier Wallet An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc.
Trust Authority A URL endpoint that contains the references that define, inter alia, the operation of the picker and of the wallets
Trusted Wallet code trusted by one or more Trust Authorities to protect user secrets and perhaps to validate user presence.

Journey

  1. User navigates to Relying Party Web site, for this journey it is a patient viewing a patient portal. The patient portal may receive a cookie from a prior visit
  2. This journey assumes that the user agent is not already in a communications "session" with the relying party website.
  3. RP displays one or more sign in options for the user (note that the patient view may be determined by the existence of a valid cookie)
  4. The user clicks on one sign in option . At this point there is a fork in the journey based on the cookie.

A registration journey is the fork taken if there is no cookie and the user itreated as a new user.

  1. Legacy journey would have the user sign into the portal using a local user name and password. That would be an and to the user journey.
  2. User selects to use a federated sign in process. (Note that this process may be a related hospital group or some other federated idp.)
  3. User browser receives an HTTP 302 redirect message and the dip sign in page is displayed.
  4. The user completes a sign in process at the IdP (which may have found its cookie on the user browser, or not)
  5. Port of the IdP message to the user is a list of the attributes (claims) tnat will be passed from the dip to the patient portal.
  6. The IdP issues a redirect to the user browser with shows the patient portal home page customized for that users.
  7. The user may need to locate their patient records on the patient portal which may ask the user for additional attributes (claims).

A return journey is the fork taken if a cooke is found for this RP.

  1. A cookie is found which represents a current (unexpired) sign in session (ie the user is "signedin"). The user is immediately redirected to the portal patient page.
  2. A cookie is found which is expired or just has the user ID. The user is directed to a sign in Experience.
  3. The user is given the choice to continue with the identifier discovered or rejects that and skips to item 2 on the above, registration journey.
  4. The user continues onto the authentication steps.

Sharing journey.

  1. The patient is at a patient portal and wishes to share data between to physician groups not on the same EHR community.
  2. The patient picks whether to share out or share into the EHR whose portal the user is authenticated.
  3. These both require that the user be authenticated at both sites simultaneously if the user is mediating the transfer.
  4. Alternatively the user could download the data and then upload it in a separate step.
  5. Alternatively the user could provide a delegation authority to one site to acquire the data from the other.
  6. In this journey it wold be possible for the user to establish bi-lateral sharing between the sites so the future updates are pre-approved by the user.

References