I want to get some work done on implementing Tiered OAuth as a server. But first I wanted to see it in action as a client. I am looking for an example. I understand that EMR Direct (healthtogo) and Okta (udap.zimt.work) have this working. So, I set off to try it out.
DataHolder’s Auth Server -> https://stage.healthtogo.me:8181/oauth/stage/authz
Identity Provider’s Auth Server -> https://udap.zimt.work/oauth2/aus5wvee13EWm169M1d7
Below is a authorize request to healthtogo including the udap scope and idp=https://udap.zimt.work/oauth2/aus5wvee13EWm169M1d7
https://stage.healthtogo.me:8181/oauth/stage/authz?response_type=code&state=YvMZsqQKlkfO-8HhqVItcc0FNylBhA5zrMWSploBwg0&client_id=e6d94a0a-7435-4c2d-8122-117a4cafcef9&scope=openid udap user/Patient.r&idp=https://udap.zimt.work/oauth2/aus5wvee13EWm169M1d7&redirect_uri=https://udaped.fhirlabs.net/udapBusinessToBusiness&aud=https://stage.healthtogo.me:8181/fhir/r4/stage
I would expect the IdP to interact with the user but instead I am interacting with the healthtogo’ ABC Hospital System login screen as shown in the attachment.
--
You received this message because you are subscribed to the Google Groups "UDAP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to udap-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/udap-discuss/247f4dc9-c90b-4ef0-8575-e10f6e693418n%40googlegroups.com.
Hi Joe,
The access_denied error here means that the this data holder did not recognize the user information provided by the upstream IdP, i.e. it could not map the IdP user information to a user in the data holder's system.
Regarding the scopes in the second authz request, the data holder will not include 'udap' in the scopes sent to the upstream IdP because the data holder is not invoking Tiered OAuth a second time with the IdP. That is also why the data holder is not including idp=[upstream IdP URL] in its request.
Luis
To view this discussion on the web visit https://groups.google.com/d/msgid/udap-discuss/95c45eac-90e6-4a58-864b-b0dd303d015en%40googlegroups.com.
3.4 If the Resource Holder trusts the IdP and has successfully obtained a client_id from the IdP, then the Resource Holder requests authentication of the user and authorization to access the user’s identity data from the IdP by redirecting the user to the IdP’s authorization endpoint. The Resource Holder’s Authorization Server MAY interact with the user before initiating the redirection, e.g. to inform the user that they will be redirected to the IdP for the purpose of authentication.
Note that the Resource Holder is acting as a client application when interacting with the IdP. In this tiered relationship, the original Client Application does not interact directly with the IdP. The Resource Holder includes the scopes “openid” and “udap” in its request to signal to the IdP that UDAP Tiered OAuth for User Authentication is being requested. If this scope is omitted, the behavior of the IdP is entirely unspecified and the IdP SHOULD NOT proceed with the UDAP Tiered OAuth for User Authentication workflow. The Resource Holder MUST use the authorization code flow when redirecting the user to the IdP’s authorization endpoint (even if the Client App requested a different grant type when connecting to the Resource Holder’s authorization endpoint):
The use of the nonce parameter is RECOMMENDED. The Resource Holder MUST generate its own random value for the state parameter and MUST NOT reuse the value provided by the Client App in Step 2. Note: if the Resource Holder interacts with the user prior to the redirection to the IdP, then the Resource Holder MAY alternatively cause the user’s browser to be directed to the IdP’s authorization endpoint as the result of clicking on a hyperlink or other user action that results in the browser generating a new GET request rather than using the 302 redirection method described above.This message originated outside your organization.
You received this message because you are subscribed to a topic in the Google Groups "UDAP" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/udap-discuss/5q9m4vAlJHk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to udap-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/udap-discuss/1f68f76a-bf05-4535-8e69-966fef9c0e76n%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/udap-discuss/18f67f9e-64b9-48ff-a2a7-184eda3862b1n%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/udap-discuss/67acbb47-168c-4bde-bc0b-41249930f9een%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/udap-discuss/67acbb47-168c-4bde-bc0b-41249930f9een%40googlegroups.com.
@Dan Cinnamon after your last deploy the jwt iss and sub claims no longer match your baseurl. It should be https://udap.zimt.work/oauth2/aus5wvee13EWm169M1d7. The URI subject alt name is good with one matching value.
I see healthtogo catching this error when I try Tiered OAuth through them.