FHIR Specification Feedback: FHIR-31916

Clarification of PKCE Support


    Details

    • Type: Change Request
    • Status: Applied (View Workflow)
    • Priority: Low
    • Resolution: Persuasive with Modification
    • Specification:
      SMART on FHIR (FHIR)
    • Raised in Version:
      1.1.0
    • Work Group:
      FHIR Infrastructure
    • Related Page(s):
      Overview
    • Related Section(s):
      1.0.2.3
    • Grouping:
    • Resolution Description:

      Update: SMART requires the S256 code_challenge_method. The plain method is not supported.

      To read: SMART servers SHALL support the S256 code_challenge_method and SHALL NOT support the plain method.

      (Note: this is consistent with the language on the conformance page: Array of PKCE code challenge methods supported. The S256 method SHALL be included in this list, and the plain method SHALL NOT be included in this list.)


      Update: "This is the S256 hashed version of the code_verifier parameter,"

      To read: "Code challenge as specified by PKCE. For example, when code_challenge_method is 'S256', this is the S256 hashed version of the code_verifier parameter. See considerations-for-pkce-support.".

      Update: "This parameter is required if an app is using PKCE and indicates the method used for the code_challenge parameter. Fixed value: S256."

      To read: "Method used for the code_challenge parameter. Example value: S256. See considerations-for-pkce-support."

    • Resolution Vote:
      Gino Canessa/Yunwei Wang: 13-0-0
    • Change Category:
      Correction
    • Change Impact:
      Non-substantive

      Description

      https://hl7.org/fhir/smart-app-launch/2021May/index.html#considerations-for-pkce-support

      This section talks about the "code_challenge_method" in the following text:


      SMART requires the S256 code_challenge_method. The plain method is not supported.


      To clarify this further for the implementer and to ensure the implementer understands what is required and what cannot be used, this could be rewritten similarly to:


      The "S256" "code_challenge_method" is REQUIRED by SMART. The "plain" method is not supported and MUST NOT be used.


      Alternatively, MUST NOT could be replaced by SHALL NOT.
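As an added illustration of the rule the resolution settles on (SMART servers SHALL support S256 and SHALL NOT support plain), the following Python sketch is not part of this issue or of the SMART specification; it computes the RFC 7636 S256 code_challenge and shows the server-side checks at the authorize and token endpoints, with the RFC 7636 Appendix B test vector as sample input. Function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 code_verifier: 43-128 chars from ALPHA / DIGIT / "-" / "." / "_" / "~"
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
# SMART: S256 SHALL be supported, plain SHALL NOT (hence not in this set).
SUPPORTED_CODE_CHALLENGE_METHODS = frozenset({"S256"})


def _b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-char base64url code_verifier."""
    return _b64url_nopad(secrets.token_bytes(32))


def s256_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 s4.2)."""
    return _b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def accept_authorize_request(code_challenge: Optional[str],
                             code_challenge_method: Optional[str]) -> bool:
    """Server side, authorize endpoint. RFC 7636 treats an omitted
    code_challenge_method as 'plain', so that case is rejected as well."""
    method = code_challenge_method if code_challenge_method is not None else "plain"
    if method not in SUPPORTED_CODE_CHALLENGE_METHODS:
        return False
    # An S256 challenge is exactly 43 base64url chars (32-byte digest, no padding).
    return code_challenge is not None and re.fullmatch(r"[A-Za-z0-9\-_]{43}", code_challenge) is not None


def verify_token_request(stored_challenge: str, stored_method: str,
                         code_verifier: str) -> bool:
    """Server side, token endpoint: recompute the S256 challenge from the
    presented code_verifier and compare it in constant time to the stored one."""
    if stored_method != "S256" or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    return hmac.compare_digest(s256_code_challenge(code_verifier), stored_challenge)
```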


              People


              Assignee:
              carl-anderson-msft Carl Anderson
              Reporter:
              sfradkin Scott Fradkin
              Watchers:
              2