Technical validation criteria

Before a connector with ZorgDomein can be released, ZorgDomein validates it against a set of validation criteria. These consist of functional and technical criteria. The functional criteria differ per component and can be found in the description of each component. The technical validation criteria focus mainly on security and are listed below. 

  1. The FHIR server must not accept a TLS handshake without requesting a client certificate from ZorgDomein and verifying the presented certificate (mutual TLS). If ZorgDomein does not present a client certificate, or the presented certificate is invalid, the FHIR server should respond with HTTP 403. Note that when the TLS terminator itself rejects a missing or invalid client certificate, the handshake fails and no HTTP response is sent at all; an HTTP 403 can only be returned when the TLS layer completes the handshake and passes the verification result to the application, which then rejects the request. Either behaviour results in the request being refused. 
  2. The FHIR server must not accept any HTTP request without a valid JWT in the HTTP Authorization header. If ZorgDomein does not present a JWT, or the presented JWT is invalid, the FHIR server should respond with HTTP 403. This implies that the FHIR server must perform at least the following checks: 
    • Check that a token is present in the HTTP Authorization header
    • Check that the token contains a signature (an unsigned token, or one with an empty signature segment, must be rejected)
    • Check that the signature is valid for the key ZorgDomein signs with
    • Check that the signing algorithm is the one the server expects; the "alg" value in the token header must not be used to select the verification method, and tokens declaring an unexpected algorithm or "none" must be rejected
    • Check that the token has not expired (the "exp" claim is present and in the future)
  3. The FHIR server must respond to a FHIR create request with an HTTP 201 response that contains a Location header pointing to the URL of the created resource (the URL does not have to be resolvable). See the HTTP specifications for more details. 

These validation criteria apply to all components where ZorgDomein acts as a FHIR client.
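The JWT checks required by criterion 2, carried out in the order a server should actually apply them, as an added example that is not part of the ZorgDomein documentation or of any ZorgDomein connector. The example assumes an HS256 token with a shared key so that it runs with the Python standard library only; a real connector must pin whatever algorithm and key ZorgDomein specifies for its tokens (normally an asymmetric algorithm verified with ZorgDomein's public key), but the structure of the checks is the same. The `mint_token` helper exists only to construct sample tokens, including deliberately bad ones, for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example: HS256 with a shared key. Replace with the
# algorithm and key ZorgDomein actually issues tokens with. The point is that
# the algorithm is fixed server-side, never read from the token header.
EXPECTED_ALG = "HS256"
SHARED_KEY = b"example-shared-secret-not-for-production"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims, key=SHARED_KEY, alg=EXPECTED_ALG):
    """Build a sample token. 'alg' and 'key' are parameters so the caller can
    construct tokens with a forged header or a wrong key for testing."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = "{}.{}".format(header, body).encode("ascii")
    if alg == "none":
        # An "alg: none" token carries an empty signature segment.
        return "{}.{}.".format(header, body)
    # The helper always signs with HMAC-SHA256 regardless of the declared alg,
    # which is exactly what a forged header looks like to the verifier.
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "{}.{}.{}".format(header, body, _b64url_encode(sig))


def validate_request(headers, now=None):
    """Apply the criterion-2 checks to a request's headers.
    Returns (status, reason): (200, "ok") only when every check passes,
    otherwise (403, <failed check>)."""
    now = time.time() if now is None else now

    # Check: token present in the Authorization header, bearer scheme.
    auth = headers.get("Authorization")
    if not auth or not auth.startswith("Bearer "):
        return 403, "missing bearer token"
    token = auth[len("Bearer "):].strip()

    # Check: token contains a signature (three segments, last one non-empty).
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return 403, "token has no signature"

    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        # Covers bad base64 (binascii.Error), bad UTF-8 and bad JSON.
        return 403, "malformed token"

    # Check: declared algorithm matches the pinned one. This runs before
    # signature verification so "alg: none" or a downgraded algorithm can
    # never influence which verifier is used.
    if header.get("alg") != EXPECTED_ALG:
        return 403, "unexpected signing algorithm"

    # Check: signature valid for the expected key, compared in constant time.
    signing_input = "{}.{}".format(parts[0], parts[1]).encode("ascii")
    expected = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 403, "invalid signature"

    # Check: token not expired. A missing "exp" is treated as invalid.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return 403, "token expired or no exp claim"

    return 200, "ok"


if __name__ == "__main__":
    good = mint_token({"exp": int(time.time()) + 300})
    print(validate_request({"Authorization": "Bearer " + good}))
    print(validate_request({"Authorization": "Bearer " + mint_token({"exp": 1}, alg="none")}))
```

The validator deliberately fails closed: any check that cannot be completed (malformed segments, non-numeric `exp`) yields 403 rather than falling through. The ordering matters for the algorithm check in particular, since a verifier that first trusts `alg` from the header to choose a key or method is the classic JWT confusion bug; here the server compares the header against its own fixed expectation and only then verifies.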