4. Use cases
Giuseppe Ciaccio, Antonio Pastorino and Marina Ribaudo
This section introduces two possible use cases that show what a smart disclosure is and how to obtain it using OAuth 2.0. For each use case we first informally sketch the problem, then we discuss how OAuth 2.0 could improve current solutions and present aspects which are challenging to the current OAuth 2.0 flows.
4.1 Medical use case
This trivial use case is also found in the work by Falcão‐Reis and Correia( Falcão‐Reis 2010), although they failed to mention some potential challenges arising from it.
Scenario. Alice needs professional medical care and asks for advice; a friend recommends Dr. John Smith. Alice makes an appointment and takes all the medical certificates she can find at home with her. She then summarizes her medical history, presents her problem and listens to the doctor ' s response.
How OAuth 2.0 could help. In many countries, health records are still predominantly paper records, given to patients after medical examinations. Patients ' data are stored in local databases managed by various laboratories, hospitals, or other health care settings, all of which may be using different technologies and data representation that do not usually interoperate; storing data as PDF files is a common practice. Health information is therefore scattered across many places, and accessing the medical history of an individual is a complex task. A possible solution requires the adoption of a machine‐readable representation of medical data, along with the definition of an architecture for retrieving and merging records spread over several databases. In the medical context, standard data representations do exist, for instance the HL7 Clinical Document Architecture, a document markup standard that specifies the structure and semantics of clinical documents for the purpose of exchange. OAuth 2.0 could be the enabling technology of this architecture if adopted to get authorization grants across different resource servers( the different medical databases). The use of OAuth 2.0 does not require centralizing data into a single repository: data are kept where they have been produced and are accessed upon authorization by the owner.
Figure 3 shows Alice and Dr. Smith. In order to know Alice ' s medical history, Dr. Smith uses a web application that connects to the distinct databases of hospitals that provide online health data upon verification of access tokens( resource servers Hospital1, Hospital2,..., in the picture).
Figure 3: Dealing with distributed health data via OAuth 2.0
Alice is in front of the doctor, so she can give online consent to access her personal resources( arrows numbered 1 and 2) by interacting with the web application being used by the doctor. After receiving an authorization grant, the web application applies for an access token( arrows 3 and 4) which is subsequently used to collect Alice ' s data stored within the resource servers( arrows 5 and 6), thus building a view of Alice ' s
140