description: Used when:\n- only have an opaque oAuth token (e.g. clients).\n- have access to the oAuth token, but want to log minimal details.\n\n- oUser slice holds fragment of the opaque oAuth token\n  - record only the last 32 characters of the oAuth token to limit risk or replay\n  - presume 32 characters is enough to coorelate AuditEvent log entries
package_name: ihe.iti.balp
derivation: constraint
name: OAUTHaccessTokenUseOpaque
type: AuditEvent
elements:
  agent:
    index: 0
    slicing:
      rules: open
      discriminator:
      - {path: type, type: pattern}
      min: null
      slices:
        oUser:
          match:
            type:
              coding:
              - {code: UserOauthAgent, system: 'https://profiles.ihe.net/ITI/BALP/CodeSystem/UserAgentTypes'}
          schema:
            short: other elements may be filled in as needed.
            array: true
            min: 1
            _required: true
            index: 1
            elements:
              type:
                pattern:
                  type: CodeableConcept
                  value:
                    coding:
                    - {code: UserOauthAgent, system: 'https://profiles.ihe.net/ITI/BALP/CodeSystem/UserAgentTypes'}
                index: 2
              requestor:
                pattern: {type: Boolean, value: true}
                index: 3
              policy: {short: last 32 characters of the oAuth token., mustSupport: true, index: 4}
              purposeOfUse: {short: 'SAML subject:purposeofuse', mustSupport: true, index: 5}
            required: [policy, type]
package_version: 1.1.2
class: profile
kind: resource
url: https://profiles.ihe.net/ITI/BALP/StructureDefinition/IHE.BasicAudit.OAUTHaccessTokenUse.Opaque
base: http://hl7.org/fhir/StructureDefinition/AuditEvent
version: 1.1.2