Validating the id_token issuer


Travis Cummings

Sep 25, 2017, 4:03:14 PM
to Cerner FHIR Developers

When validating an id_token, we seem to be getting an issuer that is different from the OAuth server specified in the conformance statement.  Is this to be expected?  

Since the issuer in the id_token is not the same as the FHIR conformance security extension, how should I validate this value in the id_token?

Thank you,
Travis Cummings

Matt Randall (Cerner)

Sep 25, 2017, 4:20:26 PM
to Cerner FHIR Developers
The endpoint listed in the conformance statement is an API endpoint, not an issuer value.  We've boiled down the steps that are necessary for id_token validation as construed from the OIDC specification here:

- Matt Randall
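
An added example, not part of the original thread and not Cerner's code: one way to check the issuer following OpenID Connect Discovery, where the iss claim is matched exactly against an allowlisted issuer and against the `issuer` field of that issuer's discovery document, rather than against the OAuth endpoint URLs from the conformance statement. All URLs, the sample token and the function names are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample values; none of these URLs come from the thread.
ISSUER = "https://idp.example.org/tenant-a/"
OAUTH_ENDPOINTS = {  # the kind of URLs a conformance security extension lists
    "authorize": "https://authz.example.org/tenant-a/oauth2/authorize",
    "token": "https://authz.example.org/tenant-a/oauth2/token",
}
METADATA = {  # stands in for the issuer's published discovery documents
    "https://idp.example.org/tenant-a/.well-known/openid-configuration": {
        "issuer": ISSUER,
        "jwks_uri": "https://idp.example.org/tenant-a/jwks",
    },
}

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed id_token with a placeholder signature.
SAMPLE_ID_TOKEN = ".".join(
    [_b64url({"alg": "RS256"}), _b64url({"iss": ISSUER, "aud": "my-app"}), "sig"])

def unverified_claims(id_token):
    """Decode the payload without trusting it; used only to read iss."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_issuer(id_token, trusted_issuers, fetch_metadata):
    """Return the jwks_uri to verify the signature against, or raise."""
    iss = unverified_claims(id_token).get("iss")
    # Allowlist first, exact string match: never fetch a URL the token chose.
    if not isinstance(iss, str) or iss not in trusted_issuers:
        raise ValueError(f"untrusted issuer: {iss!r}")
    url = urlsplit(iss)
    if url.scheme != "https" or url.query or url.fragment:
        raise ValueError("issuer must be https with no query or fragment")
    # OIDC Discovery: strip a trailing "/" before appending the well-known path.
    meta = fetch_metadata(iss.rstrip("/") + "/.well-known/openid-configuration")
    if meta.get("issuer") != iss:
        raise ValueError("discovery document issuer does not match iss")
    return meta["jwks_uri"]  # signature, aud and exp checks follow (not shown)

if __name__ == "__main__":
    print(check_issuer(SAMPLE_ID_TOKEN, {ISSUER}, METADATA.__getitem__))
```

In a real client, `fetch_metadata` would be an HTTPS GET with certificate validation, and the returned `jwks_uri` supplies the keys for the signature check that must pass before any other claim is trusted.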