Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-32213

aud is normally not a claim

    XMLWordPrintableJSON

    Details

    • Type: Change Request
    • Status: Applied (View Workflow)
    • Priority: Highest
    • Resolution: Not Persuasive with Modification
    • Specification:
      SMART on FHIR (FHIR)
    • Raised in Version:
      2.0.0
    • Work Group:
      FHIR Infrastructure
    • Outstanding Negatives:
      STU
    • Related Page(s):
      Overview
    • Related Section(s):
      1.6.1.1
    • Grouping:
    • Resolution Description:
      Hide

      At the time SMART App Launch was standardized, there was no convention established. See discussion at https://oauth.ietf.narkive.com/9TbUoMUV/oauth-wg-standard-url-parameter-for-mitigating-rfc6819-s-threat-4-6-4 which resulted in the recommendation to name the parameter "aud" – note this is from 2015, and practices have evolved since!

      Drafted in 2018 an eventually finalized in 2020, https://datatracker.ietf.org/doc/rfc8707/ standardizes a parameter called "resource". We could update the SMART spec to deprecated "aud" and declare "resource" as a new name; but changing this would break SMART client compatibility across the board, so it's unclear when/how we could finalize the deprecation, meaning that servers would be on the hook for managing "aud" and "resource" parameters indefinitely.

      Update the spec to add a note at the end of the "aud" parameter definition: 

      > Note that the "aud" parameter is semantically equivalent to the  "resource" parameter defined in [RFC8707](https://datatracker.ietf.org/doc/rfc8707). SMART's, "aud" parameter predates RFC8707 and we have decided not to rename it for reasons of backwards compatibility. We might consider renaming SMART's "aud" parameter in the future if implementer feedback indicates that alignment would be valuable. For the current release, servers SHALL support the "aud" parameter and MAY support a "resource" parameter as a synonym for "aud".

      Show
      At the time SMART App Launch was standardized, there was no convention established. See discussion at https://oauth.ietf.narkive.com/9TbUoMUV/oauth-wg-standard-url-parameter-for-mitigating-rfc6819-s-threat-4-6-4  which resulted in the recommendation to name the parameter "aud" – note this is from 2015, and practices have evolved since! Drafted in 2018 an eventually finalized in 2020, https://datatracker.ietf.org/doc/rfc8707/  standardizes a parameter called "resource". We could update the SMART spec to deprecated "aud" and declare "resource" as a new name; but changing this would break SMART client compatibility across the board, so it's unclear when/how we could finalize the deprecation, meaning that servers would be on the hook for managing "aud" and "resource" parameters indefinitely. Update the spec to add a note at the end of the "aud" parameter definition:   > Note that the "aud" parameter is semantically equivalent to the   "resource" parameter defined in [RFC8707] ( https://datatracker.ietf.org/doc/rfc8707 ). SMART's, "aud" parameter predates RFC8707 and we have decided not to rename it for reasons of backwards compatibility. We might consider renaming SMART's "aud" parameter in the future if implementer feedback indicates that alignment would be valuable. For the current release, servers SHALL support the "aud" parameter and MAY support a "resource" parameter as a synonym for "aud".
    • Resolution Vote:
      Gino Canessa / Christiaan Knaap: 8-0-1
    • Change Category:
      Enhancement
    • Change Impact:
      Compatible, substantive

      Description

      "aud" is normally not a claim in an authorization request. 'resource' is usually used (see https://tools.ietf.org/html/rfc8707) to point to the resource server for which an access token is requested.
      The introspect does have an 'aud' claim, that points to the same server. One does not want to mandate this. Implementations should be free to choose what to place in audience.

      Suggest to replace aud with 'resource',

      (aud is uppercase in the spec).

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              carl-anderson-msft Carl Anderson
              Reporter:
              bvdh Bas van den Heuvel
              Request in-person:
              Bas van den Heuvel
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Vote Date: