Loading...

XML

Word

Printable

JSON

Details

Type: Change Request
Resolution: Persuasive
Priority: Medium

Specification:

US UDAP Security (FHIR)
Raised in Version:

current
Work Group:

Security
Related URL:
https://build.fhir.org/ig/HL7/fhir-udap-security-ig/user.html
Related Page(s):

Consumer-Facing
Business-to-Business
Tiered OAuth for User Authentication
Related Section(s):
(Tiered) 6.2, (Consumer) 4.1, (B2B) 5.1
Grouping:
- STU2
Resolution Description:

Hide

Clarify/explicitly assert that state is required in all authorization flow patterns. Sections 4.1-2, 5.1-2, 6.1-2.

Consideration of also explicitly require client validation of state.

For inclusion into STU2 ballot.

Show
Clarify/explicitly assert that state is required in all authorization flow patterns. Sections 4.1-2, 5.1-2, 6.1-2. Consideration of also explicitly require client validation of state. For inclusion into STU2 ballot.
Resolution Vote:
Joe LAmy / James Carter : 13 - 0 - 0
Change Category:
Enhancement
Change Impact:
Compatible, substantive

Description

The state parameter in the authorization request has inconsistent/missing guidance.

Generic auth code flow
- OAuth 2: SHOULD include state
- HL7 UDAP (Consumer) 4.1, (B2B) 5.1: Silent
- UDAP.org JWT-based client authentication 3.1: Silent but example shows state
Tiered OAuth: between client and data holder
- HL7 UDAP: Silent
- UDAP.org Tiered OAuth section 2: Silent, but:
  - Example shows state
  - And client SHALL verify in section 4.2
Tiered OAuth: between data holder and IdP
- HL7 UDAP: Silent but data holder SHALL verify
- UDAP.org Tiered OAuth section 3.4: SHALL

Please clarify whether it's intended to be a SHALL by any client, by only client using tiered, etc., and if not, then please make the verification conditional.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Joseph M. Lamy

Watchers:: 2 Start watching this issue

Dates

Created:: 2023-07-03 07:10

Updated:: 2024-02-05 09:08

Resolved:: 2023-11-14 07:43

Vote Date:: 2023-11-14