FHIR Specification Feedback: FHIR-32297

Bring SMART 2.0 in line with OAuth 2.1 for security improvements


Details

    • Type: Change Request
    • Resolution: Not Persuasive
    • Priority: Medium
    • SMART on FHIR (FHIR)
    • current
    • FHIR Infrastructure
    • STU
    • (many)
    • Resolution comment:

      Given the draft status of OAuth 2.1, we don't plan to explicitly point to OAuth 2.1 at this time, but there is indeed convergence around many behaviors. We will consider referencing OAuth 2.1 in a future release (and in the meantime, we can track this in the community-maintained best practices page on Confluence, at https://confluence.hl7.org/display/FHIRI/SMART+on+FHIR+Best+Practices – which we are planning to link to from the IG)
    • Gino Canessa/Yunwei Wang: 13-0-0

    Description

      The new version of the SMART specification appears to add features that bring it in closer alignment with the OAuth 2.1 specification (in particular, PKCE and the addition of support for HTTP POST at the authorization resource.)  If there is an intent to formally align this specification with OAuth 2.1, we would also formally recommend other changes incorporated in the OAuth 2.1 specification.  These include:

      • Strict redirect_uri comparison per 4.1.1.1 [1]
      • Refresh token rotation required for public client applications (or, protection via a chosen cryptographic binding method; rotation seems most immediately accessible.) per 6.1 [2]


      [1]: The OAuth 2.1 Authorization Framework - 4.1.1.1

      [2]: The OAuth 2.1 Authorization Framework - 6.1
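The two recommendations in the description are easiest to see from the authorization server's side. The following is an added example written for this page; it is not code from the SMART on FHIR IG, from HL7, or from the OAuth 2.1 draft. The client registrations, the in-memory token store, the `RegisteredClient`/`TokenStore` names and all token and URI values are constructed here for the demonstration. The strict check implements the plain string comparison of 4.1.1.1 [1] beside the prefix matching it replaces; the rotation logic implements single-use refresh tokens for public clients per 6.1 [2], and goes one step beyond the ticket by revoking the whole token family when a spent token is presented again, which is a common way servers act on rotation rather than something the ticket itself specifies.

```python
# Added example for this page: a minimal authorization-server view of the two
# OAuth 2.1 behaviours the ticket recommends. Not code from the SMART on FHIR
# IG, HL7, or the OAuth 2.1 draft. The client records, token store and token
# values are constructed here for the demonstration.
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RegisteredClient:
    client_id: str
    redirect_uris: List[str]   # exact strings supplied at client registration
    is_public: bool            # public clients cannot keep a client secret


def redirect_uri_allowed(client: RegisteredClient, requested: str) -> bool:
    """OAuth 2.1 4.1.1.1 (reference [1] in the ticket): compare the requested
    redirect_uri with each registered value using plain string equality.
    No prefix match, no wildcard, no normalisation before comparing."""
    return requested in client.redirect_uris


def redirect_uri_allowed_loosely(client: RegisteredClient, requested: str) -> bool:
    """The prefix-matching behaviour that strict comparison replaces, kept only
    to contrast with redirect_uri_allowed(): any URI that merely begins with a
    registered value passes, including ones with an added query or path."""
    return any(requested.startswith(uri) for uri in client.redirect_uris)


@dataclass
class TokenStore:
    """In-memory refresh token store: token -> (client_id, family_id, valid).
    A 'family' is the chain of tokens descending from one authorization grant."""
    refresh: Dict[str, Tuple[str, str, bool]] = field(default_factory=dict)

    def issue_refresh_token(self, client_id: str, family_id: Optional[str] = None) -> str:
        family = family_id or secrets.token_urlsafe(8)
        token = secrets.token_urlsafe(32)
        self.refresh[token] = (client_id, family, True)
        return token

    def revoke_family(self, family_id: str) -> int:
        """Mark every still-valid token in a family as invalid; return how many."""
        revoked = 0
        for token, (cid, fam, valid) in self.refresh.items():
            if fam == family_id and valid:
                self.refresh[token] = (cid, fam, False)
                revoked += 1
        return revoked

    def redeem_refresh_token(self, client: RegisteredClient, presented: str) -> Optional[str]:
        """OAuth 2.1 6.1 (reference [2] in the ticket): for a public client a
        refresh token is single-use. Redeeming it invalidates it and returns a
        fresh token in the same family. Presenting an already-used token is
        treated as a sign the token leaked: the whole family is revoked and
        None is returned. Confidential clients keep their token (6.1 requires
        rotation or sender-constraining only for public clients)."""
        entry = self.refresh.get(presented)
        if entry is None:
            return None
        client_id, family, valid = entry
        if client_id != client.client_id:
            return None
        if not valid:
            self.revoke_family(family)
            return None
        if not client.is_public:
            return presented
        self.refresh[presented] = (client_id, family, False)
        return self.issue_refresh_token(client_id, family)


if __name__ == "__main__":
    app = RegisteredClient("mobile-app", ["https://app.example/cb"], is_public=True)
    print(redirect_uri_allowed(app, "https://app.example/cb?next=x"))          # False
    print(redirect_uri_allowed_loosely(app, "https://app.example/cb?next=x"))  # True
    store = TokenStore()
    first = store.issue_refresh_token(app.client_id)
    second = store.redeem_refresh_token(app, first)
    print(second is not None and second != first)           # True: rotated
    print(store.redeem_refresh_token(app, first) is None)   # True: replay refused
    print(store.redeem_refresh_token(app, second) is None)  # True: family revoked
```

The strict check is deliberately nothing more than list membership: the server compares what the client registered against what it sends, byte for byte, and the looser variant exists only to show what a prefix match would let through. In the rotation path, a second presentation of a spent token is the signal that two parties hold the same refresh token, and revoking the family forces both to re-authorize rather than letting the holder of the older copy keep going.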

      People

        Assignee: Unassigned
        Reporter: Jenni Syed (Inactive)