Validating the id_token issuer

Travis Cummings

Sep 25, 2017, 4:03:14 PM
to Cerner FHIR Developers
Hi,

When validating an id_token, we seem to be getting an issuer that is different from the OAuth server specified in the conformance statement.  Is this to be expected?  


Since the issuer in the id_token is not the same as the FHIR conformance security extension, how should I validate this value in the id_token?

Thank you,
Travis Cummings

Matt Randall (Cerner)

Sep 25, 2017, 4:20:26 PM
to Cerner FHIR Developers
The endpoint listed in the conformance statement is an API endpoint, not an issuer value.  We've boiled down the steps that are necessary for id_token validation as construed from the OIDC specification here: http://fhir.cerner.com/authorization/openid-connect/

- Matt Randall
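
The distinction drawn in the reply above, as an added example that is not part of the thread or Cerner's code: the `iss` claim is compared by exact string match against the issuer identifier the client trusts, never against an OAuth endpoint URL taken from the conformance statement. All URLs and the sample token are constructed, the helper names are hypothetical, and signature verification is a separate step this sketch does not perform.

```python
import base64
import json

# Constructed values (assumptions for illustration, not Cerner's real URLs).
EXPECTED_ISSUER = "https://idp.example.org/tenant-1"
CONFORMANCE_TOKEN_URL = "https://auth.example.org/tenant-1/oauth2/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def constructed_id_token(claims: dict) -> str:
    """Build a sample token; the third segment is a dummy, not a signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def read_claims(id_token: str) -> dict:
    """Decode the payload segment. This does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("id_token payload must be a JSON object")
    return claims


def issuer_matches(id_token: str, expected_issuer: str) -> bool:
    """Exact, case-sensitive comparison; no prefix match, no normalisation."""
    iss = read_claims(id_token).get("iss")
    return isinstance(iss, str) and iss == expected_issuer


if __name__ == "__main__":
    token = constructed_id_token({"iss": EXPECTED_ISSUER, "sub": "user-1"})
    for candidate in (EXPECTED_ISSUER, CONFORMANCE_TOKEN_URL,
                      EXPECTED_ISSUER + "/"):
        print(f"{candidate!r}: {issuer_matches(token, candidate)}")
```

Only the first candidate matches; the token endpoint and the trailing-slash variant are both rejected.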