For a HealthVault enabled mobile web app, how can we provide a mobile experience when authenticating with HealthVault?

  • Question

  • We are looking to develop a mobile web presentation for one of our HealthVault enabled applications, and were wondering if there is a way to authenticate with HealthVault using more of a "mobile" type user experience than going through the normal account.healthvault.com pages?  Is this something made possible in the upcoming HealthVault SDK update?  Thanks.
    Thursday, September 10, 2009 5:03 PM

Answers

  • Yes, applications can use offline connections in online scenarios, and in particular (if implemented securely and carefully in a way that preserves identity and privacy) applications can use an additional web service proxy with an offline connection and provide a UI on mobile devices, for example.

    Offline connections are also commonly used in cases where an online experience is desired without the additional requirement of the user signing in to HealthVault each time-- this is less preferable from a security/privacy standpoint, but it can have an improved user experience, and as long as it is clear to the user what is going on and the user can change the link to their HealthVault record after the initial offline link is established, this is fine. 
    Thursday, September 10, 2009 6:54 PM

All replies

  • Thursday, September 10, 2009 5:21 PM
  • Also, something to check out for devices and client applications is our new SODA (Software On Device Authentication) support.  It's mentioned in our release notes here: http://blogs.msdn.com/healthvault/archive/2009/08/27/healthvault-0908-release-notes.aspx

    Documentation is still being written, so not much is posted yet.  But keep an eye out, it may be useful for this sort of scenario.
    Thursday, September 10, 2009 5:24 PM
  • Yeah, the SODA model is something I first saw at the HealthVault conference in June this year, and we are definitely interested in that.

    In the thread that Mansi_D linked to, the following quote is given by you:

    2. For mobile devices whose browser doesn't work with the Live ID sign in process, or mobile applications that use a non-web based interface, the user has to authorize an Offline HealthVault connection via a computer web browser prior to using the mobile application.  You can set up a web portal, direct users to sign in and authorize your app for offline access, and then they can download or use the mobile application; the mobile app can leverage the offline access granted via the full web app earlier.  However, the mobile app shouldn't make the offline connection directly, as that would require your app's private key be distributed along with your application... which is a security issue.  What other HV partners have done so far is to create their own web service to act as an offline connection proxy.  The mobile application calls the web service, which has the private key safe on the server, and their web service then can make offline connections directly to HealthVault.  In all of this, it's critical that the mobile application and communication be secure, and that you safely identify users properly (via username/password, etc), as you are effectively hiding and removing most of the usual HealthVault/LiveID security and taking on that responsibility yourself via the additional layers of abstraction.

    Does this mean that Microsoft will approve an app through the go-live process that gives the user an online type experience, even though technically it's offline access to HealthVault (through a web service)?  The way you described it is exactly what we are thinking about doing, we just weren't sure if Microsoft would allow it or not.  Thanks.
    Thursday, September 10, 2009 6:47 PM
  • Thanks as always for the useful information.
    Thursday, September 10, 2009 6:58 PM
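
The offline connection proxy described in the quoted reply above, as an added example (not code from the thread or from the HealthVault SDK): the proxy authenticates the mobile user itself and picks the HealthVault record from a server-side link, never from client input. All function names, the token format, the `person_id`/`record_id` field names and the sample data are assumptions; the offline HealthVault call itself is only marked by a comment.

```python
import hashlib
import hmac
import os
import time

SESSION_KEY = os.urandom(32)  # proxy's token-signing key; stays on the server
TOKEN_TTL = 900               # session lifetime in seconds

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: one user and the offline link stored at portal sign-up.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}
LINKS = {"alice": {"person_id": "PERSON-PLACEHOLDER-A",
                   "record_id": "RECORD-PLACEHOLDER-A"}}

def _sign(body):
    return hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()

def login(user, password, now=None):
    """Authenticate the mobile user at the proxy; return a signed token or None."""
    salt, stored = USERS.get(user, (b"\0" * 16, b""))  # same work for unknown users
    if not hmac.compare_digest(stored, _hash_pw(password, salt)):
        return None
    expiry = int(time.time() if now is None else now) + TOKEN_TTL
    body = f"{user}|{expiry}"
    return f"{body}|{_sign(body)}"

def verify(token, now=None):
    """Return the user name for a valid, unexpired token, else None."""
    try:
        user, expiry, sig = token.split("|")
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return None
    now = time.time() if now is None else now
    good = hmac.compare_digest(sig.encode(), _sign(f"{user}|{expiry}").encode())
    return user if good and now < expiry else None

def handle_mobile_request(token, client_record_id=None, now=None):
    """Resolve which record the proxy may query; client_record_id is ignored."""
    user = verify(token, now)
    if user is None:
        return {"status": 401}
    link = LINKS.get(user)
    if link is None:
        return {"status": 403}  # no offline authorization on file for this user
    # The offline HealthVault call, signed with the server-held private key, goes here.
    return {"status": 200, **link}
```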