Token Validation for GE Waveform viewer


Hardik Soni

Mar 29, 2021, 12:59:12 PM
to Cerner FHIR Developers
Hello,

I am Hardik. I am working with GE Healthcare as an Architect and working with Cerner on developing the Waveform viewer along with Chad, Hays.

We have a requirement to perform token validation to access application resources. We are planning to use Istio as ingress for the K8s environment. If a JWKS endpoint is available from the authorization server, it would help with token validation with a kind of caching behavior, which will reduce load on the authorization server as well.

Does the Cerner Authorization Server provide a JWKS endpoint? Something similar to


Please feel free to reach me by mail, along with Chad: hardikku...@ge.com

Thanks and Regards,
Hardik Soni

Jenni Syed (Cerner)

Mar 29, 2021, 5:27:32 PM
to Cerner FHIR Developers
Hi,

If you're referring to the id_token validation, please see this documentation: http://fhir.cerner.com/authorization/openid-connect/

The jwks url is advertised within the JWT id_token as required by the specification.

Regards,
Jenni

Aju Mathai

Mar 31, 2021, 10:28:42 AM
to Cerner FHIR Developers
Hi Jenni,

My name is Aju; I am also working with Hardik on the same project. Just following up on the mail sent by Hardik: for Istio Ingress we need to provide two important pieces of information to Istio on the RequestAuthentication custom resource definition for validating the JWT token:

1. jwksUri - The certificate endpoint which returns the public keys encoded as a JSON Web Key (JWK).
2. issuer - Information about the issuer of the JWT token.

We referred to the documentation link http://fhir.cerner.com/authorization/openid-connect/. We get the jwksUri "jwks_uri": "https://authorization.cerner.com/jwk" from the OpenID Connect configuration document.


How can we get the issuer information? Something similar to this which we set up on KeyCloak


Thanks & Regards,
Aju


Michele Mottini

Mar 31, 2021, 10:31:40 AM
to Cerner FHIR Developers
The issuer is in the 'iss' claim inside the token

  - Michele
  CareEvolution


Jenni Syed (Cerner)

Mar 31, 2021, 10:43:51 AM
to Cerner FHIR Developers
Hardik and Aju,

Please take a look at the documentation I linked above and let me know what specific questions you have. Michele is correct that the iss is also in the token per the standard.

Regards,
Jenni

Aju Mathai

May 19, 2021, 10:41:22 AM
to cerner-fhir...@googlegroups.com
Hi,

We had set up our SMART app on https://code.cerner.com/developer/smart-on-fhir/apps/. We wanted to validate the access token issued, for which we set up a policy on our gateway. The policy uses the issuer and JSON Web Key Set URI (the certificate endpoint which returns the public key encoded as JSON Web Key). The JWT values are set up as below:

  jwtRules:
    - issuer: https://authorization.cerner.com

We are getting "Jwt issuer is not configured" even when we pass a valid token. The issuer we got by decoding the token. Can you please check if these are the right endpoints?

Thanks & Regards,
AM

Fenil Desani (Cerner)

May 24, 2021, 2:12:06 PM
to Cerner FHIR Developers
Hello,

Did you get the issuer: https://authorization.cerner.com from decoding Id_token?
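
Added example, not part of any post in this thread: a troubleshooting sketch for the "Jwt issuer is not configured" question above. It decodes the token actually presented to the gateway and compares its `iss` claim with the configured issuer, assuming the gateway matches the issuer as an exact string. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Assumption: mirrors the jwtRules issuer quoted in the thread.
CONFIGURED_ISSUERS = ["https://authorization.cerner.com"]


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose_issuer(token, configured=CONFIGURED_ISSUERS):
    """Compare the token's iss with the configured issuers (no signature check)."""
    # Troubleshooting only; never an authorization decision.
    parts = token.split(".")
    if len(parts) != 3:
        return "not-a-jwt: token does not have three dot-separated segments"
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "not-a-jwt: segments are not base64url-encoded JSON"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return "not-a-jwt: segments are not JSON objects"
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return "no-iss: payload carries no string 'iss' claim"
    if iss in configured:
        return f"match: iss={iss!r} kid={header.get('kid')!r}"
    # Near-misses an exact comparison rejects: trailing slash or letter case.
    for want in configured:
        if iss.rstrip("/").lower() == want.rstrip("/").lower():
            return f"near-miss: token iss={iss!r}, configured {want!r}"
    return f"mismatch: token iss={iss!r} not in {configured!r}"


def make_sample_token(iss):
    """Build a constructed, unsigned sample token (dummy signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": "demo"} if iss is None else {"iss": iss, "sub": "demo"}
    return ".".join([enc({"alg": "RS256", "kid": "demo-key"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    for iss in ("https://authorization.cerner.com", "https://authorization.cerner.com/", None):
        print(diagnose_issuer(make_sample_token(iss)))
    print(diagnose_issuer("opaque-token-value"))
```

Run it against the same token the gateway rejected, since an id_token and an access token from the same server are separate tokens and need not carry the same claims.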