SMART on FHIR sandbox does not reflect nonce from authentication request in id_token


David Teirney

Aug 13, 2019, 7:57:55 PM
to Cerner FHIR Developers
Hello,

The OIDC Relying Party we are using sends a nonce in the authorization request as part of the SMART on FHIR application launch workflow.

That nonce isn't being reflected back in the id_token that we receive and so the JWT isn't being validated as per https://openid.net/specs/openid-connect-core-1_0.html#IDToken.


We can't turn this behaviour off as our OIDC module is secure by design.

Here is the payload of an id_token we received:


Happy to provide any further information if necessary.

Thanks,
David

Matt Randall (Cerner)

Aug 14, 2019, 9:57:35 AM
to Cerner FHIR Developers
Echoing the nonce query parameter in id_tokens had previously been requested - I don't have an ETA on it, however.  The authorization code flow technically doesn't require it to be secure, and the SMART on FHIR specification didn't require it; I understand where you are coming from with respect to an out-of-the box library, however.

David Teirney

Aug 15, 2019, 7:34:21 PM
to Cerner FHIR Developers
Hi Matt,

Thanks for the reply. To clarify, is it just the sandbox that isn't compliant with the OpenID Connect specification regarding handling of nonce, or Cerner production deploys as well?

https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken

"If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request."

Regards,
David
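The check David is quoting from OIDC Core 3.1.3.7, as an added Relying Party-side example (not code from the original post, from Cerner, or from the OIDC module David's team uses). It decodes the claim set of an id_token returned by the token endpoint and rejects it when the nonce claim is absent or differs from the nonce stored in the session at launch time. The issuer URL, client_id, claim values and the tokens themselves are constructed for illustration; signature verification against the issuer's JWKS, which a real RP performs before any claim check, is out of scope here.

```python
import base64
import hmac
import json
import secrets
import time

# Assumed issuer and client_id for illustration; not values from the thread.
ISSUER = "https://authorization.example.invalid/oidc"
CLIENT_ID = "my-smart-app"


def generate_nonce() -> str:
    """Per-launch random nonce; the RP stores it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWT for illustration only.
    The signature segment is a placeholder, so this token would never pass real verification."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_id_token_claims(id_token: str) -> dict:
    """Return the claim set of a compact-serialised JWT (signature NOT verified here)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, expected_nonce, issuer=ISSUER,
                             client_id=CLIENT_ID, now=None) -> list:
    """Claim checks from OIDC Core 3.1.3.7 (issuer, audience, expiry, nonce).
    Returns a list of failures; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss does not match the expected issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        errors.append("aud does not contain this client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        errors.append("exp missing or token expired")
    # If a nonce was sent in the Authentication Request, the claim MUST be present and equal.
    if expected_nonce is not None:
        token_nonce = claims.get("nonce")
        if not isinstance(token_nonce, str):
            errors.append("nonce claim missing from id_token")
        elif not hmac.compare_digest(token_nonce.encode(), expected_nonce.encode()):
            errors.append("nonce claim does not match the nonce sent in the request")
    return errors


def check_token_against_session(id_token: str, session_nonce: str, now=None) -> list:
    """RP-side flow after the code exchange: decode the id_token and compare with the session nonce."""
    return validate_id_token_claims(decode_id_token_claims(id_token), session_nonce, now=now)


# Constructed sample claim sets (not the payload from the original post).
NOW = 1_565_740_000  # fixed clock so the example is deterministic
BASE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
               "iat": NOW - 60, "exp": NOW + 600}
SESSION_NONCE = "n-0S6_WzA2Mj"

TOKEN_WITHOUT_NONCE = make_sample_id_token(BASE_CLAIMS)  # the behaviour reported in the thread
TOKEN_WITH_NONCE = make_sample_id_token({**BASE_CLAIMS, "nonce": SESSION_NONCE})
TOKEN_WRONG_NONCE = make_sample_id_token({**BASE_CLAIMS, "nonce": "something-else"})

if __name__ == "__main__":
    for label, tok in [("with nonce", TOKEN_WITH_NONCE),
                       ("without nonce", TOKEN_WITHOUT_NONCE),
                       ("wrong nonce", TOKEN_WRONG_NONCE)]:
        print(label, "->", check_token_against_session(tok, SESSION_NONCE, now=NOW) or "OK")
```

The missing-nonce case is exactly what a conformant RP library does with the sandbox response: it never reaches the point of trusting the id_token, so the launch fails at the client. The comparison uses hmac.compare_digest rather than == so a mismatch is not timing-observable, and the expiry check takes an injectable clock so the decision is testable offline.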

Jenni Syed (Cerner)

Aug 22, 2019, 5:46:25 PM
to Cerner FHIR Developers
Hi David,

This is a gap in sandbox and prod. The original version of the SMART spec didn't specifically require OpenId Connect. The new version that was balloted via HL7 is much more specific (and allows us to eventually declare functionality in well known). When we start supporting the balloted version, it will include closing gaps like this in the OpenId Connect spec.

Thanks,
Jenni

David Teirney

Aug 22, 2019, 7:37:05 PM
to Cerner FHIR Developers
Hi Jenni,

Thanks for the information. Is there a timeframe that can be shared for when support for the balloted version might be available?

We're using an OpenID Connect Relying Party implementation that uses a generated nonce that can't be disabled.

Regards,
David

Benjamin Eichhorn (Cerner)

Aug 23, 2019, 9:00:06 AM
to Cerner FHIR Developers
Hi David,

We do not discuss roadmaps or timelines on this group.

Thank you,
Ben (Cerner)

Matthew Beermann (Cerner)

Dec 10, 2019, 5:16:44 PM
to cerner-fhir...@googlegroups.com
David, could you give the nonce reflection another try (in our sandbox environment)? We recently added it, and wouldn't mind some independent confirmation.