BlueButton PKCE Support for SPA's


Jason Kulatunga

Sep 22, 2022, 11:24:48 AM
to Developer Group for CMS Blue Button API
I'm writing a single-page app in JavaScript that will be accessing BlueButton via the PKCE auth flow (since I cannot securely store a client_secret).

My authorize step is working, however when I attempt to swap the code for a token, I'm getting an `invalid_client` error.

The BlueButton documentation states that PKCE is supported, however it doesn't seem to work for me. This code is "known" to be working, as I've used it to successfully authenticate to other healthcare providers.

Here are my requests against the authorize and token endpoints, formatted with newlines for readability:

    Authorize Request:

    https://sandbox.bluebutton.cms.gov/v2/o/authorize/?
    client_id=XQPwCYLXmqZkiQZWhLX56mToZ29MSfekrPEkNUaF&
    code_challenge=n0PLtewJtE7u5vP9InZNdF4DIMlQjCLN7I9y_DzLJhg&
    code_challenge_method=S256&
    redirect_uri=https%3A%2F%2Flighthouse.fastenhealth.com%2Fsandbox%2Fcallback%2Fbluebutton&
    response_type=code&
    state=88a9127c-ffce-49da-a139-43840410abf9&
    scope=profile+patient%2FPatient.read+patient%2FExplanationOfBenefit.read+patient%2FCoverage.read&
    aud=https%3A%2F%2Fsandbox.bluebutton.cms.gov%2Fv2%2Ffhir

    Callback URL:

    https://lighthouse.fastenhealth.com/sandbox/callback/bluebutton?code=rMpvrVEPEFyWEghfs2gcL5lzPpLzS2&state=88a9127c-ffce-49da-a139-43840410abf9

    Token Request:

    curl 'https://sandbox.bluebutton.cms.gov/v2/o/token/' \
    -X POST \
    -H 'Accept: application/json' \
    -H 'Accept-Language: en-US,en;q=0.5' \
    -H 'Accept-Encoding: gzip, deflate, br' \
    -H 'Referer: http://localhost:9090/' \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --data-raw 'redirect_uri=https%3A%2F%2Flighthouse.fastenhealth.com%2Fsandbox%2Fcallback%2Fbluebutton&code_verifier=S2MDjql-ItUeE9hH1wmyVqe-Che-4ErA9BCn8ynWD5s&code=rMpvrVEPEFyWEghfs2gcL5lzPpLzS2&grant_type=authorization_code&client_id=XQPwCYLXmqZkiQZWhLX56mToZ29MSfekrPEkNUaF'

    {"error": "invalid_client"}



Any help would be appreciated

Jason Kulatunga

Sep 22, 2022, 11:29:55 AM
to Developer Group for CMS Blue Button API
One additional thing to note is that my Application Client Type is set to "Confidential".
I was unable to change that during creation; however, I see mention of "Public" and "Implicit Grant" when searching the forums. That seems to be related to the (now deprecated) implicit grant flow?

Is PKCE for mobile/native apps not supported by BlueButton?


Kirsten Hansen

Sep 22, 2022, 3:25:28 PM
to Developer Group for CMS Blue Button API
Hello Jason,

In June 2021, we stopped supporting the implicit grant flow, and it was deprecated in the OAuth 2.1 specifications. Please see this announcement we posted in March 2021 for more information.

We only support client-type=confidential and grant-type=authorization-code. A client_secret is needed to exchange an authorization code for an access token via our token API endpoint.

Thank you for reaching out to us. Let us know if you have any further questions.

Best Regards,
The Blue Button 2.0 Team
Kirsten Hansen, Product Manager
Blue Button 2.0

Jason Kulatunga

Sep 22, 2022, 8:33:25 PM
to Developer Group for CMS Blue Button API
Hey Kirsten,

Apologies for the confusion.
I understand that the implicit grant flow has been deprecated; I'm actually asking if the Authorization Code flow with PKCE is supported by BlueButton -- it's the secure successor to the Implicit Grant flow.

Given that you mention that a "client_secret" is required, I'm guessing the answer is no. Do you have any plans to add support for the Authorization Code flow with PKCE?

Thanks!

Kirsten Hansen

Sep 23, 2022, 10:33:33 AM
to Developer Group for CMS Blue Button API
Hello Jason,

Thank you for clarifying your question. We currently do not support a public client type for OAuth 2.0. The only variety we do support is the more secure confidential client type. This is in combination with a trusted back-end server to store the client secret. Though not currently required, we do encourage the use of the PKCE extension to better secure the flow.

Hope this more accurately answers your question.

Have a good day,
The Blue Button 2.0 Team
Kirsten Hansen, Product Manager
Blue Button 2.0
