Use of Security Scopes within the CCRI

Security Scopes

Security Scopes can be managed in different ways inside Care Connect and FHIR. Within the RESTful version scopes can be defined which restrict access to profiles depending on the defined system or end user. Currently the Security Scopes provides an example of restricting access to certain profiles. However, in the future it might be possible to dynamically create Scopes on profiles. The CCRI provides a demonstration of OAuth2 Users & Scopes.

Please click on Security for background and understanding of the security considerations when creating your own implementation.

HTTP Request to Get An OAuthToken

The Reference Implementation REST APIs are secured as an example using the OAuth 2.0 protocol to authorise and authenticate calls. OAuth2 is an industry open standard for authorisation, providing secure access to protected resources thereby reducing the hassle of asking for a username and password every time a user logs in. The OAuth2 Token is described below:

Method: POST
  Accept: application/json
  Content-Type: application/x-www-form-urlencoded
  Authorization: Basic {ClientID}:{Client Secret}

An OAuth2 response example is shown below:

Expected Response:
Status Code: 200
   Content-Type: application/json
Response Body:
    "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI0MTNjMWZjYi0yMzVmLTQ4ZWQtYmIyOC01YzgwZTMwYjVlODQiLCJpc3MiOiJodHRwOlwvXC9wdXJwbGUudGVzdGxhYi5uaHMudWs6MjAwODBcLyIsImV4cCI6MTUxMzA5NjU3NywiaWF0IjoxNTEzMDkyOTc3LCJqdGkiOiJkNWE2MWM4Ny1iMjI5LTQ5ODctOTk3ZS01ZTJlOGZlNmIwNGQifQ.UthMhHtWWJFRFhrYV33AqJtL0nn6-Ca97-caTETRZkPZcO5quU2q5alP9Z1yJq1oSryl8lScrwScvxAOnHBWAA4tY-ViBq0m2sXjP-Gps2M_bCOmxjDV7aWOv_gou28QBus6cUHr-cocDtQXwYdzhoVMoFNmASG21ZvhDd15U6xUKHgL5J1sPGFsMmozJeI6EX99o1pwKCWLyBFHXtRp02fyXfC-IXy6EwDgZa5Vwqgwn_r9AbJ-IMQmCckQl2opQo6cD0Xn44H4jMC1iSsMhtr3PfGBoJuuWQ8aeU61hAB2XUPbH9uYHav-i8-lpE98WF088wu62qGAOTcCeGdCuQ",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "patient/ patient/Patient.write"

Authorisation Header

The value in the access token element of this response will then be passed in the Authorisation Header of subsequent requests. For Example:

Method: GET
  Authorization: "Bearer eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI0MTNjM...88wu62qGAOTcCeGdCuQ"

OAuth2 Scopes

The following users can access Profiles within the Care Connect Reference Implementation. As such these OAuth2 users allows for the Mapping of Scopes to Profiles

Credentials Details (Please copy all details)
Grant Type Client Credentials
Token name (example) OAuth2-PatientAccess
Access Token URL
Client Authentication ‘Send as Basic Auth header’

Patient Access

Can only access the patient profiles.

Credentials Details (Please copy all details)
Client ID patient-access
Client Secret IShTVi8mRSV7bVREuU1freiDo79y_8fLX3BBw2nf2eIpv9A_r91VlVuF2LOiK_zLZAkBQCusEXLp_o6DEIgvaQ

A full list of scopes is described below:

Scopes profile patient/ user/

Patient, Condition & Medication Access

Can only access a combination of patient, condition and medication profiles.

Credentials Details
Client Id clinical-access
Client Secret QOm0VcqJqa9stA1R0MJzHjCN_uYdo0PkY8OT68UCk2XDFxFrAUjajuqOvIom5dISjKshx2YiU51mXtx7W5UOwQ

A full list of scopes is described below:

Scopes user/ patient/ user/ patient/ user/ user/ user/ profile patient/ patient/ patient/ patient/

Limited Access

Can only access Publicly Available Information.

Credentials Details
Client ID limited-access
Client Secret AI8OGCYWjvnj-NY0zaP0H2e6_El_yO2pq43wK4YKk8UnBR_JZ5ivkmkXFtlkiL6LKWsL8H7ksab0V_Hk9c4OeMI

A full list of scopes is described below:

Scopes profile

Current Version

Check out Versions for more information about the current released version, downloading options, use and future verions.


This site is structured around Care Connect stakeholders including API users, developers and architects. Please get involved in the journey.

guide Engage Clinical scenarios User stories Case Studies Benefits Clinical inspiration Explore Impl Guide Resource Profiles API definitions Search parameters Value sets Design & Build Build APIs Search Ex. Code examples Validation tools Security examples Test Test data Security tests Reference servers Secure store Example data Assure Automated tests Test Reports Test Evidence Conformance reports Assurance checklist Deploy (Pilot) API harness Warranted environment IG / IS Spine comms Record locator Deploy (Live) Registry Monitor Support Conformance statement Extensions