Use of Security Scopes within the CCRI

Security Scopes

Security Scopes can be managed in different ways inside Care Connect and FHIR. Within the RESTful version scopes can be defined which restrict access to profiles depending on the defined system or end user. Currently the Security Scopes provides an example of restricting access to certain profiles. However, in the future it might be possible to dynamically create Scopes on profiles. The CCRI provides a demonstration of OAuth2 Users & Scopes.

Please click on Security for background and understanding of the security considerations when creating your own implementation.

HTTP Request to Get An OAuthToken

The Reference Implementation REST APIs are secured as an example using the OAuth 2.0 protocol to authorise and authenticate calls. OAuth2 is an industry open standard for authorisation, providing secure access to protected resources thereby reducing the hassle of asking for a username and password every time a user logs in. The OAuth2 Token is described below:

Method: POST
  Accept: application/json
  Content-Type: application/x-www-form-urlencoded
  Authorization: Basic {ClientID}:{Client Secret}

An OAuth2 response example is shown below:

Expected Response:
Status Code: 200
   Content-Type: application/json
Response Body:
    "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI0MTNjMWZjYi0yMzVmLTQ4ZWQtYmIyOC01YzgwZTMwYjVlODQiLCJpc3MiOiJodHRwOlwvXC9wdXJwbGUudGVzdGxhYi5uaHMudWs6MjAwODBcLyIsImV4cCI6MTUxMzA5NjU3NywiaWF0IjoxNTEzMDkyOTc3LCJqdGkiOiJkNWE2MWM4Ny1iMjI5LTQ5ODctOTk3ZS01ZTJlOGZlNmIwNGQifQ.UthMhHtWWJFRFhrYV33AqJtL0nn6-Ca97-caTETRZkPZcO5quU2q5alP9Z1yJq1oSryl8lScrwScvxAOnHBWAA4tY-ViBq0m2sXjP-Gps2M_bCOmxjDV7aWOv_gou28QBus6cUHr-cocDtQXwYdzhoVMoFNmASG21ZvhDd15U6xUKHgL5J1sPGFsMmozJeI6EX99o1pwKCWLyBFHXtRp02fyXfC-IXy6EwDgZa5Vwqgwn_r9AbJ-IMQmCckQl2opQo6cD0Xn44H4jMC1iSsMhtr3PfGBoJuuWQ8aeU61hAB2XUPbH9uYHav-i8-lpE98WF088wu62qGAOTcCeGdCuQ",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "patient/ patient/Patient.write"

Authorisation Header

The value in the access token element of this response will then be passed in the Authorisation Header of subsequent requests. For Example:

Method: GET
  Authorization: "Bearer eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI0MTNjM...88wu62qGAOTcCeGdCuQ"

OAuth2 Scopes

The following users can access Profiles within the Care Connect Reference Implementation. As such these OAuth2 users allows for the Mapping of Scopes to Profiles

Credentials Details (Please copy all details)
Grant Type Client Credentials
Token name (example) OAuth2-PatientAccess
Access Token URL
Client Authentication ‘Send as Basic Auth header’

Patient Access

Can only access the patient profiles.

Credentials Details (Please copy all details)
Client ID a24a4d9f-c264-4af7-a8e5-248c24a6b707
Client Secret MMpAOGBljYcEzBfn7q9-xgJqBlmR0BSiEyCrCjNNOUpR78kZtzqgKKU_4FgGRFNWbtc6jPIErLwoYwRgnlvijA

A full list of scopes is described below:

Scopes profile patient/ user/

Patient, Condition & Medication Access

Can only access a combination of patient, condition and medication profiles.

Credentials Details
Client Id ed73b2cb-abd0-4f75-b9a2-5f9c0535b82c
Client Secret QOm0VcqJqa9stA1R0MJzHjCN_uYdo0PkY8OT68UCk2XDFxFrAUjajuqOvIom5dISjKshx2YiU51mXtx7W5UOwQ

A full list of scopes is described below:

Scopes user/ patient/ user/ patient/ user/ user/ user/ profile patient/ patient/ patient/ patient/

Limited Access

Can only access Publicly Available Information.

Credentials Details
Client ID 256fcc31-97bd-47d4-acbf-12409676ad5a
Client Secret AI8OGCYWjvnj-NY0zaP0H2e6_El_yO2pq43wK4YKk8UnBR_JZ5ivkmkXFtlkiL6LKWsL8H7ksab0V_Hk9c4OeMI

A full list of scopes is described below:

Scopes profile

Current Version

Check out Versions for more information about the current released version, downloading options, use and future verions.


This site is structured around Care Connect stakeholders including API users, developers and architects. Please get involved in the journey.

guide Engage Clinical scenarios User stories Case Studies Benefits Clinical inspiration Explore Impl Guide Resource Profiles API definitions Search parameters Value sets Design & Build Build APIs Search Ex. Code examples Validation tools Security examples Test Test data Security tests Reference servers Secure store Example data Assure Automated tests Test Reports Test Evidence Conformance reports Assurance checklist Deploy (Pilot) API harness Warranted environment IG / IS Spine comms Record locator Deploy (Live) Registry Monitor Support Conformance statement Extensions