Watson Health Ideas Portal


Status Future consideration
Created by Guest
Created on Apr 12, 2022

Support Open Authorization 2.0 (OAuth 2.0) for RESTful APIs

In order to support the Canadian Federal Government Digital Standards mandate, ESDC would like to raise the following enhancement request.

Support Open Authorization 2.0 (OAuth 2.0) for RESTful APIs

The Directive on Service and Digital - Appendix B: Mandatory Procedures on Application Programming Interfaces - Canada.ca (https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32604), as a baseline minimum, mandates that the following security control practice must be followed:

Section B.2.2.5.4 specifically states:

“Protect access to APIs by implementing an access control scheme that protects APIs from being improperly invoked, including unauthorized function and data references. Always authenticate and authorize before any operation to ensure access to APIs are restricted to permitted individuals and/or systems. Use open standards such as OpenID Connect and Open Authorization 2.0 (OAuth 2.0) for RESTful APIs, and Security Assertion Markup Language 2.0 (SAML 2.0) for SOAP APIs. Ensure that the API key/secret is adequately protected. Open data APIs must be secured with an API key to allow for usage tracking and provide the ability to identify and prevent potential malicious use.”

Customer Name ESDC
Persona Based Summary

All user types: System-to-system integration, external client access via REST API (decoupled UA), potential future use cases with internal users and partner (provider) users accessing SPMP via REST API

Market Segment WH Government
Type of Request Customer Requirement
Market Opportunity

no response

Usage frequency + #/type of users impacted

All user types - all the time. REST API is the default integration mechanism for SPMP in ESDC. We are using a decoupled UA architecture, so REST APIs are utilised for all those integration points also.

Workarounds + Proposed Solution

The current, and “temporary only”, workaround is to use basic authentication with the credentials passed in the request URL: Rest/j_security_check?j_username=<username>&j_password=<password>

The Digital Standards specifically state in section B.2.2.5.3:

“Do not include sensitive data in request URLs as request URL strings can be tracked and compromised even with transport encryption. If a query involves sensitive data elements (e.g., SIN), pass the query parameters as a JSON message payload rather than in the URL request string.”
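As an added illustration (not part of the original request or of the product), the script below scans constructed web-server access-log lines for the credential-in-URL pattern of the workaround above and redacts the values, which is the practical consequence of B.2.2.5.3: query strings survive TLS termination and end up in server and proxy logs. The sensitive parameter list and the log lines are assumptions.

```python
"""Flag and redact sensitive query parameters found in HTTP access-log lines."""
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as sensitive (assumption; extend per deployment).
SENSITIVE_PARAMS = {"j_username", "j_password", "password", "sin", "token"}

# Constructed Common Log Format lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2022:10:01:02 +0000] "GET /Rest/j_security_check?j_username=alice&j_password=Hunter2 HTTP/1.1" 302 0
10.0.0.7 - - [12/Apr/2022:10:01:09 +0000] "POST /Rest/login HTTP/1.1" 200 512
10.0.0.9 - - [12/Apr/2022:10:02:11 +0000] "GET /Rest/cases?sin=123456789 HTTP/1.1" 200 2048
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params(target: str) -> list[str]:
    """Return the sensitive query parameter names present in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_target(target: str) -> str:
    """Replace sensitive query values with REDACTED so the line can be retained."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose URL carries sensitive data."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = sensitive_params(m.group("target"))
        if hits:
            findings.append({"method": m.group("method"), "params": hits,
                             "redacted": redact_target(m.group("target"))})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The POST login line produces no finding because its credentials, if any, travel in the body rather than the URL, which is the shape B.2.2.5.3 asks for.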

  • Guest
    Apr 28, 2022

    Hi Nigel,

    We have reviewed your enhancement suggestion.

    Based on the information provided, our understanding of your request is as follows:

    - You are requesting product support for Open Authorization 2.0 (OAuth 2.0) for REST APIs

    The theme is aligned with our current strategy for our product and we have accepted your suggestion as a consideration for a future release.

    Thank you for taking the time to share your ideas with us. We are committed to involving our users in building our product roadmap and appreciate your suggestions.

    Regards,

    Sheryl Brenton, SPM Product Management Team

  • Guest
    Apr 18, 2022

    Hi Nigel,

    Thank you for taking the time to share your ideas with us. We are committed to involving our users in building our product roadmap and appreciate your suggestions.

    We will review the information you have provided and get back to you within 30 days. If additional details are required to complete our evaluation, we will send you a request for more information.

    Thank you,
    Sheryl Brenton, SPM Product Management Team