Invalid AUD Workflow


Gary Isaac

Jun 6, 2023, 1:56:09 PM
to SMART on FHIR

We are trying to understand the implementation workflow for compliance verification of invalid AUD values, since SMART on FHIR does not have this use case.

  • Would the specification expect it to fail at the point of the authorization server?
  • If yes, does the specification expect the workflow to fail at the point where an OAuth code is issued or could it fail using a different authorization mechanism than OAuth?

The implementation we are looking at does the following:

  • The OAuth2 server does not associate a particular client with specific resource URL, nor does it have a registry of valid resource URLs; therefore, it does not have the ability to determine whether an AUD claim is valid.
  • This means it is impossible to prevent a code or token from being issued solely based on any particular AUD claim (except the case when AUD is not present).
  • If a token with an invalid AUD claim were used to attempt to access a FHIR resource, the request would be rejected but not using OAuth.

Any insight would be helpful!

Thank you!
Gary

Josh Mandel

Jun 6, 2023, 5:07:47 PM
to Gary Isaac, SMART on FHIR

The expectation is that an authorization server knows the list of FHIR endpoint URLs for which it is a valid authorization server. This is important because it allows the authorization server to detect if a client has been tricked into requesting authorization from the wrong place. Therefore, the authorization server needs to check and validate the "aud" parameter and must not proceed with the authorization request if the parameter is invalid (i.e., if the parameter value is not a FHIR endpoint for which this authorization server is configured).
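As an added illustration of the check described in this reply (example code, not from the SMART on FHIR specification or any implementation discussed in the thread): an authorization server that holds a configured list of FHIR base URLs and refuses to proceed unless the request's aud matches one of them exactly after normalization. The endpoint list is constructed and the function names are assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the FHIR base URLs this authorization server is
# configured to authorize for. A real deployment loads these from config.
CONFIGURED_FHIR_ENDPOINTS = (
    "https://fhir.example.org/r4",
    "https://ehr.example.org/api/FHIR/R4/",
)


def normalize_fhir_base(url: str) -> Optional[str]:
    """Canonicalize a FHIR base URL so equivalent spellings compare equal.

    The host is lowercased (DNS is case-insensitive), a default :443 is
    dropped, and one trailing slash is removed. The path keeps its case,
    because FHIR paths are case-sensitive. Returns None for anything that is
    not a plain absolute https URL (query, fragment or userinfo present,
    no host, unparsable port).
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    if parts.query or parts.fragment or parts.username or parts.password:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname  # urlsplit already lowercases the hostname
    if port and port != 443:
        host = f"{host}:{port}"
    path = parts.path[:-1] if parts.path.endswith("/") else parts.path
    return urlunsplit(("https", host, path, "", ""))


def validate_aud(aud, configured=CONFIGURED_FHIR_ENDPOINTS) -> Tuple[bool, str]:
    """Decide whether an authorization request's aud may proceed.

    Exact match against a configured endpoint after normalization: no prefix
    matching (a sub-path of a base URL is not that base URL), and an absent
    aud is never accepted.
    """
    if not isinstance(aud, str) or not aud.strip():
        return False, "aud parameter missing"
    candidate = normalize_fhir_base(aud)
    if candidate is None:
        return False, "aud is not a well-formed absolute https FHIR base URL"
    allowed = {normalize_fhir_base(u) for u in configured} - {None}
    if candidate not in allowed:
        return False, "aud is not a FHIR endpoint this authorization server serves"
    return True, "aud accepted"
```

The same normalization can be reused by the resource server when it compares a token's aud claim against its own base URL.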