Received jwt token has invalid "aud" ( audience ) value


Buminda Nawagamuwa

Sep 28, 2022, 11:21:30 PM
to SMART on FHIR
Hi,

I'm launching my app from https://launch.smarthealthit.org/

and when I decode the JWT I received from the auth server it looks as below.

{
  "profile": "Practitioner/fd7a737e-1ac5-4c4e-89cd-1c07da4ca1c2",
  "fhirUser": "Practitioner/fd7a737e-1ac5-4c4e-89cd-1c07da4ca1c2",
  "aud": "48db8bcc-da2a-44b7-b385-1859d1426d10",
  "sub": "dae2f4d04f9cc451beb23e6de394a41e8465f8dc19e92c0de9bb281e04f8d5c4",
  "iss": "https://launch.smarthealthit.org/v/r4/fhir",
  "iat": 1664343390,
  "exp": 1664346990
}

My client id is in aud; I expect it to be the redirect_url (at least a URL) as per the specification. Am I doing something silly here?

Thank you
Regards
Buminda
 


Abhishek Kini

Sep 29, 2022, 12:23:47 AM
to Buminda Nawagamuwa, SMART on FHIR
Can you mention where it is mentioned that aud should be a URL? I think it is correct.


Buminda Nawagamuwa

Sep 29, 2022, 1:57:54 AM
to SMART on FHIR
Thanks very much; reading this I can see it can be a string OR a URI. In my implementation I'm looking for a URL. Is there a way I can control the returned JWT (from https://launch.smarthealthit.org/) with the redirect URL?


4.1.3. "aud" (Audience) Claim

The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.

Michele Mottini

Sep 29, 2022, 7:14:05 AM
to Buminda Nawagamuwa, SMART on FHIR
The access token is an opaque string; it does not have to be a JWT, or a valid JWT.

  - Michele 
  CareEvolution 

Vladimir Ignatov

Sep 29, 2022, 8:38:04 AM
to Buminda Nawagamuwa, Michele Mottini, SMART on FHIR
There are several JWTs here: access token, refresh token and id token. As Michele said, the access token is not required to be a JWT, but it is in this case. I am not sure what you are trying to accomplish, but it looks like you are decoding the id token (the id_token property of the token response).

You cannot control what is set in "aud", nor can I imagine why you would want to. Anyway, for the ID token I'd recommend using this spec -> https://openid.net/specs/openid-connect-core-1_0.html#IDToken. As you can see, aud is expected to be the client_id, which I guess might also be a URI in some cases. It is definitely not your redirect_uri.

Vlad
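As an added example (not code posted by anyone in this thread), here is the audience check that the RFC 7519 §4.1.3 text quoted above and Vlad's answer describe: the client compares its own client_id against "aud", which may be a single string or an array, and a check against redirect_uri fails. The claims are the ones from the first post; the redirect URI, token builder and placeholder signature are constructed for the example, and signature verification against the issuer's keys is a separate step not shown.

```python
import base64
import json

# Values from the ID token payload in the original post.
CLIENT_ID = "48db8bcc-da2a-44b7-b385-1859d1426d10"
ID_TOKEN_CLAIMS = {
    "profile": "Practitioner/fd7a737e-1ac5-4c4e-89cd-1c07da4ca1c2",
    "fhirUser": "Practitioner/fd7a737e-1ac5-4c4e-89cd-1c07da4ca1c2",
    "aud": CLIENT_ID,
    "sub": "dae2f4d04f9cc451beb23e6de394a41e8465f8dc19e92c0de9bb281e04f8d5c4",
    "iss": "https://launch.smarthealthit.org/v/r4/fhir",
    "iat": 1664343390,
    "exp": 1664346990,
}
REDIRECT_URI = "https://example.invalid/callback"  # constructed placeholder


def audience_accepts(claims: dict, my_identifier: str) -> bool:
    """RFC 7519 §4.1.3: "aud" is a case-sensitive string or an array of
    such strings; the recipient must find its own identifier among them or
    reject the JWT. For an OIDC ID token that identifier is the client_id."""
    aud = claims.get("aud")
    if aud is None:
        return False  # OIDC requires "aud" in an ID token; absence is a rejection
    if isinstance(aud, str):
        aud = [aud]  # single-audience special case
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False  # malformed claim, never coerce it
    return my_identifier in aud  # exact, case-sensitive match


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_test_token(claims: dict) -> str:
    """Constructed compact JWT with a placeholder signature, for parsing only."""
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(claims)}.placeholder-sig"


def decode_payload(token: str) -> dict:
    """Return the (unverified) claims of a compact JWT: header.payload.signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    claims = decode_payload(make_test_token(ID_TOKEN_CLAIMS))
    print("client_id accepted:", audience_accepts(claims, CLIENT_ID))      # True
    print("redirect_uri accepted:", audience_accepts(claims, REDIRECT_URI))  # False
```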

Buminda Nawagamuwa

Oct 19, 2022, 12:54:21 AM
to SMART on FHIR
Thanks everyone, for the clarification.