Details
- Change Request
- Resolution: Unresolved
- Medium
- US UDAP Security (FHIR)
- 1.0.0
- Security
- Discovery
- 2.4
Description
Section 2.4 describes how to discover metadata when a given resource server supports multiple trust communities.
If a client only has a URL to a desired resource, there might be some missing steps before discovery: knowing which trust communities are supported by that resource server; knowing whether the server requires the community to be specified or applies a default, and what that default would be; and knowing whether there is a preferred trust community.
Consider the following examples where a client only has a URL to a desired resource:
- Client supports community X, server supports community Y
  - Server doesn't support the community parameter, because "I only support one trust community".
  - Client asks for community X, server ignores it (or client doesn't specify a community), server returns Y metadata
  - Client signs SW statement JWT with X
  - Server validates the SW statement JWT and rejects
  - This is ok, because this client never could have talked to this server, but not ideal, because it might be hard to tell this apart from other JWT validation errors
- Client supports community X, server supports communities X, Y, defaults to Y if not supplied
  - Client doesn't specify a community, server returns Y metadata
  - Client signs SW statement JWT with X
  - Server validates the SW statement JWT and rejects
  - This is a problem. The client needs to know they could communicate if they ask for X explicitly
- Client supports communities X, Y, server supports communities X, Y, prefers Y
  - Client asks for community X, server returns X metadata
  - Client signs SW statement JWT with X
  - Server validates the SW statement JWT and accepts
  - Not sure this is a problem, because not sure if "server community preference" is a thing. Should it be?
It seems we could address this in a few potential ways:
- Require clients to use the community parameter
- Require servers to support the community parameter even if only one community is supported, and reject unrecognized communities (with 404?)
- Find a way to express a server's default community, perhaps in a directory
- Find a way to express a desired trust community directly in a resource or in a Bundle
- Maybe differentiate between "must use this" and "prefer you use this"
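The three scenarios above, and the first two proposed fixes, can be exercised in a small offline simulation. This is an added example, not code from the issue or the UDAP IG: the server behaviour (`SimServer`, its `default`, `honors_param` and `reject_unknown` knobs) and the community URIs are constructed, and the returned metadata carries a `community` key purely as a stand-in for the trust community that a real server establishes through the certificate chain signing `signed_metadata`. The client side shows the defensive pattern the second scenario calls for: always send `community` explicitly, and compare what came back against what was asked for before signing any software statement, so a defaulted or ignored parameter is caught at discovery time rather than surfacing later as an opaque JWT validation error.

```python
"""Simulated UDAP discovery with the ``community`` query parameter.

Added example (not from the JIRA issue or the UDAP IG). Everything below is
constructed so it runs offline; a real client would issue
GET <base>/.well-known/udap?community=<uri> over HTTPS.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Constructed trust community identifiers.
X = "https://community-x.example/trust"
Y = "https://community-y.example/trust"


class SimServer:
    """Stand-in resource server.

    The ``community`` key in the returned body is a simulation shortcut: in
    UDAP the community is inferred from the certificate chain that signs
    ``signed_metadata``, not from a named metadata field.
    """

    def __init__(self, supported, default=None, honors_param=True, reject_unknown=False):
        self.supported = list(supported)
        self.default = default or self.supported[0]
        self.honors_param = honors_param      # False: "I only support one trust community"
        self.reject_unknown = reject_unknown  # True: 404 for an unrecognised community

    def well_known(self, base_url, params):
        """Return (http_status, body) for GET base_url/.well-known/udap?..."""
        url = f"{base_url}/.well-known/udap"
        if params:
            url += "?" + urlencode(params)
        requested = params.get("community") if self.honors_param else None
        if requested is not None and requested not in self.supported:
            if self.reject_unknown:
                return 404, None
            requested = None  # silently fall back to the server default
        community = requested or self.default
        return 200, {
            "udap_versions_supported": ["1"],
            "community": community,  # simulation stand-in, see class docstring
            "registration_endpoint": f"{base_url}/register",
            "_requested_url": url,   # kept only so the simulation shows the request
        }


@dataclass
class Discovery:
    outcome: str                      # "match" or "no_common_community"
    community: Optional[str] = None   # community the metadata actually belongs to
    metadata: Optional[dict] = None
    notes: list = field(default_factory=list)


def default_community(server, base_url):
    """What the server answers for when the client sends no community at all."""
    status, body = server.well_known(base_url, {})
    return body["community"] if status == 200 else None


def discover(server, base_url, client_communities):
    """Ask for each client-supported community explicitly and verify the answer.

    The client never accepts metadata for a community it did not ask for
    unless that community is also one it supports, so it will not go on to
    sign a software statement the server is bound to reject.
    """
    result = Discovery(outcome="no_common_community")
    for wanted in client_communities:
        status, body = server.well_known(base_url, {"community": wanted})
        if status == 404:
            result.notes.append(f"{wanted}: server rejected the community (404)")
            continue
        if status != 200:
            result.notes.append(f"{wanted}: unexpected HTTP {status}")
            continue
        got = body["community"]
        if got == wanted:
            return Discovery("match", wanted, body, result.notes)
        # Server answered for a different community: parameter ignored or defaulted.
        result.notes.append(f"{wanted}: server answered for {got} instead")
        if got in client_communities:
            return Discovery("match", got, body, result.notes)
    return result


if __name__ == "__main__":
    base = "https://fhir.example"
    one_community = SimServer([Y], honors_param=False)       # scenario 1
    defaults_to_y = SimServer([X, Y], default=Y)              # scenarios 2 and 3
    strict = SimServer([Y], reject_unknown=True)              # proposed fix: 404
    print(discover(one_community, base, [X]).notes)
    print(default_community(defaults_to_y, base), "is the default without a parameter")
    print(discover(defaults_to_y, base, [X]).community, "when X is requested explicitly")
    print(discover(strict, base, [X]).notes)
```

In the first scenario the mismatch is detected at discovery, which is the point: the client learns "no common community" from the metadata comparison instead of from a rejected software statement. In the second, sending `community=X` explicitly yields X metadata even though the server's bare default is Y. The third scenario falls out of the client's own ordering, since nothing in the simulated metadata expresses a server-side preference, matching the open question in the description.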