Hi Muhammad,
We have some security concerns regarding the flow. In the tutorial, while registering the app, two client URIs are given, /cerner/launch.html and /cerner/index.html; launch.html contains the client id.
1- What if another person gets access to the client ID?
SMART on FHIR offers "public" and "confidential" app profile types. This tutorial app is a client-side HTML and JavaScript application. It's using the public app profile because it cannot keep the secret. If someone knows the client id of your application, there is no harm to your application because you've already registered the "redirect_uri" for this client id. The redirect_uri is checked by the authorization server and must match exactly for a successful launch.
2- By fetching data from the client app, anyone can see the fetched data. To resolve this, in the redirect URI I passed my server URL instead of /index.html and tried to launch the app, but I am getting "The requested redirect URI does not match the one registered for".
In order to see the FHIR data, the app must have been launched successfully. This means that the user must have signed in successfully. Due to the fact that this tutorial app is a client-side app, yes, anyone that is logged in can see the FHIR data.
The error that you've got is due to the mismatch in redirect_uri that I mentioned above. The application cannot pass a different redirect_uri than the one that was registered for the client id, for security reasons.
What you're looking for is the confidential client profile. See this section on our Authorization doc to learn more. Note that confidential client is NOT supported by Cerner's implementation of SMART on FHIR in production yet.
3- Can we pass server URLs while registering the app in the launch URI and redirect URI?
You can register your launch and redirect URIs for your application. I don't understand what you want to do here when you say "pass server urls while registering". Can you elaborate on this?
Regardless of which method you choose, both methods use OAuth2 for authorization, OpenID Connect for authentication and are considered secure.
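The redirect_uri check described in the answers above, as an added example that is not part of this thread and not Cerner's implementation: the client id and URIs are constructed placeholders, and exact string comparison of the registered URI is assumed.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed client registry (hypothetical values, not Cerner's).
# Each client_id maps to the exact redirect URIs registered for it.
REGISTERED_CLIENTS = {
    "example-public-client-id": {
        "https://app.example.com/cerner/index.html",
    },
}

MISMATCH_ERROR = "The requested redirect URI does not match the one registered for this client."


def build_authorize_url(client_id: str, redirect_uri: str) -> str:
    """Build the /authorize request a SMART app sends at launch (assumed endpoint)."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": "launch openid"})
    return f"https://authorization.example.com/authorize?{query}"


def validate_authorize_request(authorize_url: str) -> dict:
    """Perform the redirect_uri check an authorization server makes on
    /authorize before issuing an authorization code.

    Returns {"ok": True, "redirect_uri": ...} when the request may proceed,
    otherwise {"ok": False, "error": ...}. The comparison is exact string
    equality, so a different scheme, host, path, query or trailing slash is
    rejected. Because the code is only ever delivered to the registered URI,
    knowing a public client's client_id on its own gives a third party nothing.
    """
    params = parse_qs(urlsplit(authorize_url).query)
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]

    allowed = REGISTERED_CLIENTS.get(client_id)
    if allowed is None:
        return {"ok": False, "error": "unknown client_id"}
    if redirect_uri is None:
        return {"ok": False, "error": "redirect_uri is required"}
    if redirect_uri not in allowed:
        return {"ok": False, "error": MISMATCH_ERROR}
    return {"ok": True, "redirect_uri": redirect_uri}


if __name__ == "__main__":
    # The registered URI passes; a server URL swapped in (as in question 2) is rejected.
    for uri in ("https://app.example.com/cerner/index.html", "https://api.example.com/fhir-proxy"):
        print(uri, "->", validate_authorize_request(build_authorize_url("example-public-client-id", uri)))
```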