Expiration of a certificate in B2B Authorization


Arnie Teres

Apr 25, 2017, 4:16:32 PM
to Cerner FHIR Developers
We are working on B2B Authorization as per http://docs.smarthealthit.org/authorization/backend-services/ and wonder what sort of error we would receive on an expired certificate?

Can we assume that the Authorization endpoint would refuse to provide a valid token with some sort of appropriate error or will we receive some sort of error from the data endpoint or both?

Matt Randall (Cerner)

Apr 26, 2017, 12:07:08 PM
to Cerner FHIR Developers
At the moment, we only support the HTTP Basic Authentication scheme for client credential grants; we haven't yet implemented RFC 7523 [1] for the use of JSON Web Tokens as described in backend services. Per the backend services draft, only an RSA public key is being utilized for the establishment of trust, not full public key infrastructure in the form of certificates. As such, there's no "certificate expiry", at least from a client authentication perspective. For HTTP Basic Authentication, a 401 status code is codified in the OAuth 2 RFC as the appropriate response code for an invalid username/password pair; for JWT, RFC 7523 defines a 400 response with a JSON payload that describes the authentication failure.

[1]: https://tools.ietf.org/html/rfc7523
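To make the reply concrete, here is an added example (not Cerner's or SMART's code) of what an authorization server checks on an RFC 7523 client assertion, and which error response each failure maps to. The token endpoint URL and the claim set (iss, sub, aud, exp, jti) are assumptions based on the backend-services draft linked above; signature verification against the client's registered RSA public key is assumed to happen before these claim checks.

```python
import base64
import json
from typing import Optional, Set

# Assumed token endpoint; the assertion's "aud" must match it exactly.
TOKEN_ENDPOINT = "https://auth.example.org/token"
MAX_LIFETIME_SECONDS = 300  # draft: exp may be at most 5 minutes in the future

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_assertion(claims: dict) -> str:
    """Build a compact JWT for testing; the signature segment is left empty (constructed input)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS384', 'typ': 'JWT'})}.{enc(claims)}."

def check_client_assertion(assertion: str, now: float, seen_jti: Set[str]) -> Optional[str]:
    """Return the reason the assertion is rejected, or None if its claims are acceptable."""
    try:
        _header, payload, _signature = assertion.split(".")
        claims = json.loads(_b64url_decode(payload))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except (ValueError, UnicodeDecodeError):
        return "malformed client_assertion"
    for required in ("iss", "sub", "aud", "exp", "jti"):
        if required not in claims:
            return f"missing claim: {required}"
    if claims["iss"] != claims["sub"]:
        return "iss and sub must both be the client_id"
    if claims["aud"] != TOKEN_ENDPOINT:
        return "aud does not match the token endpoint"
    exp = claims["exp"]
    if not isinstance(exp, (int, float)):
        return "exp is not numeric"
    if exp <= now:
        return "assertion expired"  # the only "expiry" that applies to a bare RSA key setup
    if exp > now + MAX_LIFETIME_SECONDS:
        return "exp too far in the future"
    if claims["jti"] in seen_jti:
        return "jti already used (replay)"
    seen_jti.add(claims["jti"])  # remember jti until exp to stop replays
    return None

def token_error_response(scheme: str, reason: str) -> tuple:
    """Map a client authentication failure to (status, headers, body) as the RFCs describe."""
    if scheme == "basic":  # RFC 6749 section 5.2: 401 plus WWW-Authenticate for HTTP Basic
        return 401, {"WWW-Authenticate": 'Basic realm="token"'}, {"error": "invalid_client"}
    # RFC 7523 section 3.2: a bad client JWT yields 400 with an invalid_client JSON body
    return 400, {}, {"error": "invalid_client", "error_description": reason}
```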