Details
Change Request
Resolution: Persuasive
Medium
US UDAP Security (FHIR)
current
Security
Consumer-Facing, Business-to-Business, Tiered OAuth for User Authentication
(Tiered) 6.2, (Consumer) 4.1, (B2B) 5.1
Joe Lamy / James Carter : 13 - 0 - 0
Enhancement
Compatible, substantive
Description
The `state` parameter in the authorization request has inconsistent/missing guidance.
- Generic auth code flow
  - OAuth 2: SHOULD include `state`
  - HL7 UDAP (Consumer) 4.1, (B2B) 5.1: Silent
  - UDAP.org JWT-based client authentication 3.1: Silent, but example shows `state`
- Tiered OAuth: between client and data holder
  - HL7 UDAP: Silent
  - UDAP.org Tiered OAuth section 2: Silent, but:
    - Example shows `state`
    - And client SHALL verify in section 4.2
- Tiered OAuth: between data holder and IdP
  - HL7 UDAP: Silent, but data holder SHALL verify
  - UDAP.org Tiered OAuth section 3.4: SHALL
Please clarify whether `state` is intended to be a SHALL for any client, only for clients using Tiered OAuth, etc., and if not, then please make the verification requirement conditional.
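As an added illustration (not text from this ticket, the HL7 UDAP IG, or the UDAP.org specifications), the following shows the `state` handling that the "client SHALL verify" reading implies, and it applies unchanged to both legs above: the app acting as client toward the data holder, and the data holder acting as client toward the IdP. The `idp` query parameter, the in-memory session store, and all endpoint and session values are assumptions made for the example.

```python
# Added example: generate, send and verify the OAuth 2.0 'state' value on one
# authorization-code leg. Whoever plays the OAuth client on that leg (app or
# data holder) runs the same pattern; a mismatched or missing state means the
# redirect cannot be tied to a request this party started, so no token request
# is made with the returned code (login CSRF / code-injection defence).
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for a server-side session: pending state per session id.
_pending: Dict[str, str] = {}


def build_authorization_request(session_id: str, authz_endpoint: str,
                                client_id: str, redirect_uri: str,
                                scope: str, idp: Optional[str] = None) -> str:
    """Return the authorization request URL carrying a fresh, unguessable state
    that is stored server-side and bound to the requesting session."""
    state = secrets.token_urlsafe(32)
    _pending[session_id] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if idp:  # assumed Tiered OAuth hint naming the upstream IdP (example only)
        params["idp"] = idp
    return f"{authz_endpoint}?{urlencode(params)}"


def verify_callback(session_id: str, redirect_url: str) -> str:
    """Verify the state on the redirect for this session and return the code.

    Raises ValueError when the state is missing, unknown for the session, or
    does not match; the stored state is consumed so it cannot be replayed."""
    query = parse_qs(urlsplit(redirect_url).query)
    expected = _pending.pop(session_id, None)  # single use: consume it
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("no pending state for this session, or state missing")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: redirect is not tied to this session")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("authorization code missing from redirect")
    return code
```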