SMART on FHIR security concerns.


Asad Fareed

Nov 6, 2017, 5:29:42 AM
to Cerner FHIR Developers
Hello team,

Currently I am implementing a SMART on FHIR application by following this tutorial: http://engineering.cerner.com/smart-on-fhir-tutorial.

We have some security concerns regarding the flow. In the tutorial, while registering the app, two client URIs are given, /cerner/launch.html and /cerner/index.html; launch.html contains the client ID.

1- What if another person gets access to the client ID?

2- By fetching data from the client app, anyone can see the fetched data. To resolve this, in the redirect URI I passed my server URL instead of /index.html and tried to launch the app, but I am getting "The requested redirect URI does not match the one registered for".

3- Can we pass server URLs while registering the app in the launch URI and redirect URI?

Thanks,
Muhammad Asad.

Kol Kheang (Cerner)

Nov 6, 2017, 12:47:35 PM
to Cerner FHIR Developers
Hi Muhammad,

    Currently I am implementing a SMART on FHIR application by following this tutorial: http://engineering.cerner.com/smart-on-fhir-tutorial.

    We have some security concerns regarding the flow. In the tutorial, while registering the app, two client URIs are given, /cerner/launch.html and /cerner/index.html; launch.html contains the client ID.

    1- What if another person gets access to the client ID?

SMART on FHIR offers "public" and "confidential" app profile types.  This tutorial app is a client-side HTML and JavaScript application.  It's using the public app profile because it cannot keep a secret.  If someone knows the client ID of your application, there is no harm to your application because you've already registered the "redirect_uri" for this client ID. The redirect_uri is checked by the authorization server and must match exactly for a successful launch.

 
    2- By fetching data from the client app, anyone can see the fetched data. To resolve this, in the redirect URI I passed my server URL instead of /index.html and tried to launch the app, but I am getting "The requested redirect URI does not match the one registered for".

In order to see the FHIR data, the app must have been launched successfully.  This means that the user must have signed in successfully.  Because this tutorial app is a client-side app, yes, anyone who is logged in can see the FHIR data.
The error that you've got is due to the mismatch in redirect_uri that I mentioned above.  The application cannot pass a different redirect_uri than the one that was registered for the client ID, for security reasons.

What you're looking for is the confidential client profile.  See this section on our Authorization doc to learn more. Note that confidential client is NOT supported by Cerner's implementation of SMART on FHIR in production yet.

 
    3- Can we pass server URLs while registering the app in the launch URI and redirect URI?

You can register your launch and redirect URIs for your application.  I don't understand what you want to do here when you say "pass server urls while registering".  Can you elaborate on this? 


Regardless of which method you choose, both methods use OAuth2 for authorization, OpenID Connect for authentication and are considered secure.

Asad Fareed

Nov 7, 2017, 4:54:52 AM
to Cerner FHIR Developers
Thanks @Kol for your response.

    You can register your launch and redirect URIs for your application. I don't understand what you want to do here when you say "pass server urls while registering". Can you elaborate on this? 
I registered the app on Cerner with redirect URI /index.html and everything works fine, but I want to change the redirect URI to point at my server route or API, and then do the authentication from there, just to keep the fetched FHIR data secret. So I changed it from the portal and relaunched the app, and I am getting this error: "The requested redirect URI does not match the one registered for".

Kol Kheang (Cerner)

Nov 7, 2017, 1:06:46 PM
to Cerner FHIR Developers
Hi Asad,

You'd need to move your OAuth2 authorization logic to your server.  Then you'd need to update your existing app registration on code console to point to your server for the redirect URI.  Only updating the redirect URI in code console to point to your server is not sufficient, because the app is still running at a different server (GitHub Pages).  The JS code in the example app pre-populates the redirect_uri with the current URL where the app is hosted.


- Kol

Asad Fareed

Nov 10, 2017, 1:17:02 AM
to Cerner FHIR Developers
Hi Kol,

Currently I am going with the flow of fetching data from my client and sending it to my server, but the problem is that I am unable to authenticate my client's request on the server. Is there any API available for Cerner's sandbox from where I can verify the access_token? Then, when I pass my fetched data from the client to the server, I'll also pass the access_token from the Cerner sandbox, and the server will cross-check that token with the sandbox to authenticate the request.

Asad

Hank DeDona

Nov 10, 2017, 11:58:16 AM
to Cerner FHIR Developers
Hey Asad,

The access tokens are not meant to be acquired front-channel; they need a back-channel POST request with the authorization code and a redirect URI that the authorization server can send the access token to. As for verifying access tokens, we do not currently have the capability for client applications to verify access tokens.