This repository has been archived by the owner on Jun 13, 2022. It is now read-only.
Each time a CDS Client transmits a request to a CDS Service, the request MUST include an Authorization header presenting the JWT as a “Bearer” token:
Authorization: Bearer {{JWT}}
Note that this is for every single CDS Service call, whether that be a Discovery call, a single CDS Service invocation, or multiple exchanges relating to a single service. Also note that mutual TLS MAY be used alongside JSON web tokens to establish trust of the CDS Client by the CDS Service.
The CDS Client MUST use its private key to digitally sign the JWT, using the JSON Web Signatures (rfc7515) standard.
We need to have a clear way to handle registering clients. What is reasonable? We don't have a storage/persistence layer yet so we could make use of configuration files.
Other considerations:
Will the CDS Hooks authorization flow be separate from all other authorization flows?
The spec suggests that an authorization header is a requirement for every single client-to-service call: https://cds-hooks.hl7.org/ballots/2020Sep/#trusting-cds-clients
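One way a CDS Service could check the `Authorization: Bearer {{JWT}}` header against a file-based client registry, as an added example that is not part of the original issue or the project's code. The registry layout, issuer URL, key id and function names are assumptions, and ES384 is one possible JWS algorithm choice.

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');

// Constructed demo key pair (NIST P-384). A real client keeps its private key;
// only the public key is registered with the service.
const demoClient = crypto.generateKeyPairSync('ec', { namedCurve: 'secp384r1' });

// Hypothetical registry, shaped like something loadable from a JSON config file:
// issuer -> key id -> public key (PEM).
const trustedClients = {
  'https://ehr.example.org': {
    'key-1': demoClient.publicKey.export({ type: 'spki', format: 'pem' }),
  },
};

// Client side (demo only): build a compact JWS signed with ES384.
function signJwt(claims, kid, privateKey) {
  const header = b64u(JSON.stringify({ alg: 'ES384', typ: 'JWT', kid }));
  const input = `${header}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha384', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Service side: returns the verified claims, or throws if the call must be rejected.
function verifyCdsClient(authorizationHeader, registry, expectedAud, nowSec) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || '');
  if (!m) throw new Error('missing or malformed Bearer token');
  const header = JSON.parse(Buffer.from(m[1], 'base64url').toString());
  const claims = JSON.parse(Buffer.from(m[2], 'base64url').toString());
  // Pin the algorithm on the service; never let the token choose it.
  if (header.alg !== 'ES384') throw new Error('unexpected alg');
  // iss and kid only select a registered key; nothing is trusted before the signature check.
  const keys = Object.hasOwn(registry, claims.iss) ? registry[claims.iss] : undefined;
  const pem = keys && Object.hasOwn(keys, header.kid) ? keys[header.kid] : undefined;
  if (!pem) throw new Error('unregistered client or key');
  const ok = crypto.verify('sha384', Buffer.from(`${m[1]}.${m[2]}`),
    { key: pem, dsaEncoding: 'ieee-p1363' }, Buffer.from(m[3], 'base64url'));
  if (!ok) throw new Error('bad signature');
  if (claims.aud !== expectedAud) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}
```

Because the check applies to every call, Discovery included, it fits best as middleware in front of all CDS Service routes.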