FHIR Specification Feedback: FHIR-31916

Clarification of PKCE Support


Details

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Low
    • SMART on FHIR (FHIR)
    • 1.1.0 [deprecated]
    • FHIR Infrastructure
    • Overview
    • 1.0.2.3

      Update: SMART requires the S256 code_challenge_method. The plain method is not supported.

      To read: SMART servers SHALL support the S256 code_challenge_method and SHALL NOT support the plain method.

      (Note: this is consistent with the language on the conformance page: Array of PKCE code challenge methods supported. The S256 method SHALL be included in this list, and the plain method SHALL NOT be included in this list.)


      Update: "This is the S256 hashed version of the code_verifier parameter,"

      To read: "Code challenge as specified by PKCE. For example, when code_challenge_method is 'S256', this is the S256 hashed version of the code_verifier parameter. See considerations-for-pkce-support.".

      Update: "This parameter is required if an app is using PKCE and indicates the method used for the code_challenge parameter. Fixed value: S256."

      To read: "Method used for the code_challenge parameter. Example value: S256. See considerations-for-pkce-support."

    • Gino Canessa/Yunwei Wang: 13-0-0
    • Correction
    • Non-substantive

    Description

      https://hl7.org/fhir/smart-app-launch/2021May/index.html#considerations-for-pkce-support

      This section talks about the "code_challenge_method" in the following text:

      SMART requires the S256 code_challenge_method. The plain method is not supported.

      To clarify this further for the implementer and to ensure the implementer understands what is required and what cannot be used, this could be rewritten similar to:

      The "S256" "code_challenge_method" is REQUIRED by SMART. The "plain" method is not supported and MUST NOT be used.

      Alternatively, MUST NOT could be replaced by SHALL NOT.
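The requirement discussed in the description and in the resolution above (servers support S256 only, and the challenge is the S256 hash of the code_verifier) as a worked example. This is added illustration code, not code from the SMART specification or the HL7 project; the parameter names follow PKCE (RFC 7636), the metadata list name follows RFC 8414, and the endpoint check functions and their return shapes are assumptions made here.

```python
import base64
import hashlib
import hmac
import secrets

# Server discovery metadata: the "array of PKCE code challenge methods supported"
# that the SMART conformance page describes. S256 is present, plain is absent.
CODE_CHALLENGE_METHODS_SUPPORTED = ["S256"]


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (43..128 unreserved characters)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorize_params(params: dict) -> tuple[bool, str]:
    """Authorization endpoint (assumed helper): accept only a supported method.

    A 'plain', unknown or missing code_challenge_method is rejected, which is
    what "SHALL NOT support the plain method" means in practice.
    """
    method = params.get("code_challenge_method")
    challenge = params.get("code_challenge", "")
    if method not in CODE_CHALLENGE_METHODS_SUPPORTED:
        return False, f"unsupported code_challenge_method: {method!r}"
    if len(challenge) != 43:  # unpadded base64url of a 32-byte SHA-256 digest
        return False, "malformed code_challenge"
    return True, "ok"


def check_token_params(stored_challenge: str, code_verifier: str) -> bool:
    """Token endpoint (assumed helper): recompute S256 over the presented verifier
    and compare against the challenge stored at authorization time, in constant time."""
    if not (43 <= len(code_verifier) <= 128):
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()  # constructed client-side value
    print(check_authorize_params({"code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"}))
    print(check_authorize_params({"code_challenge": verifier, "code_challenge_method": "plain"}))
    print(check_token_params(s256_challenge(verifier), verifier))
```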

          People

            carl-anderson-msft Carl Anderson (Inactive)
            sfradkin Scott Fradkin