FHIR-42958

Add guidance for PKCE use


Details

    • Type: Change Request
    • Resolution: Persuasive
    • Priority: Medium
    • Specification: US UDAP Security (FHIR)
    • Version: 1.0.0
    • Work Group: Security
    • Section: Registration
    • Resolution Description:

      Include in STU2, as new material. Require support for the S256 hashing algorithm. Proposal is to add support for PKCE for the server (discuss client); belongs in the auth and token requests (4.1 and 4.2). Also in tiered OAuth (6.2). Add code challenge and code responses. Choice: 1) server must support it and clients should use, or 2) servers must support AND clients must use (in the token request). Group poll, preference for Option 1.

      Consider how this requirement impacts state. Intention is to align with/build upon OAuth.
    • Vote (Dave Pyke / Joe Lamy): 14 - 0 - 0
    • Change Category: Enhancement
    • Change Impact: Compatible, substantive
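    The resolution above describes the PKCE (RFC 7636) S256 exchange in the abstract: a code_challenge in the authorization request (4.1) and a code_verifier checked at the token request (4.2), with S256 mandatory and the "server MUST support / client SHOULD use" versus "client MUST use" choice. The following is an added example written for this page, not code from the UDAP IG or any UDAP implementation; the client id, redirect URI and scope are made-up values, and the in-memory AuthorizationServer is a stand-in that keeps only the state PKCE needs. Its require_pkce flag models Option 2; the default models Option 1.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Added example of the PKCE S256 exchange (RFC 7636); not the UDAP IG's own code.
# CLIENT_ID / REDIRECT_URI / scope are assumed values for illustration only.

_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1 charset and length


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random octets -> 43-character verifier (the RFC's suggested construction)."""
    return b64url_nopad(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy server; require_pkce=True is the ticket's Option 2, False is Option 1."""

    def __init__(self, require_pkce: bool = False):
        self.require_pkce = require_pkce
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge or None)

    def authorize(self, params: dict) -> str:
        """Authorization endpoint (IG 4.1): bind the challenge to the issued code."""
        challenge = params.get("code_challenge")
        if challenge is None:
            if self.require_pkce:
                raise ValueError("invalid_request: code_challenge is required")
        elif params.get("code_challenge_method") != "S256":
            # The ticket makes S256 the required method; 'plain' (RFC 7636's default
            # when the method is omitted) is refused instead of silently accepted.
            raise ValueError("invalid_request: only code_challenge_method=S256 is supported")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (params["client_id"], params["redirect_uri"], challenge)
        return code

    def token(self, params: dict) -> dict:
        """Token endpoint (IG 4.2): verify code_verifier against the stored challenge."""
        entry = self._codes.pop(params.get("code"), None)  # codes are single use
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        client_id, redirect_uri, challenge = entry
        if params.get("client_id") != client_id or params.get("redirect_uri") != redirect_uri:
            raise ValueError("invalid_grant: client_id/redirect_uri mismatch")
        if challenge is not None:
            verifier = params.get("code_verifier")
            if verifier is None or not _VERIFIER_RE.match(verifier):
                raise ValueError("invalid_grant: missing or malformed code_verifier")
            if not hmac.compare_digest(s256_challenge(verifier), challenge):
                raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


CLIENT_ID = "https://app.example.org/udap-client"  # assumed value
REDIRECT_URI = "https://app.example.org/cb"        # assumed value


def run_client_flow(server: AuthorizationServer, use_pkce: bool = True) -> dict:
    """One client performing both requests; returns the token response."""
    verifier = make_code_verifier()
    auth = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "patient/*.read", "state": secrets.token_urlsafe(16)}
    if use_pkce:
        auth["code_challenge"] = s256_challenge(verifier)
        auth["code_challenge_method"] = "S256"
    code = server.authorize(auth)
    tok = {"grant_type": "authorization_code", "code": code,
           "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    if use_pkce:
        tok["code_verifier"] = verifier
    return server.token(tok)


def stolen_code_is_rejected(server: AuthorizationServer) -> bool:
    """The incident PKCE prevents: an attacker who captured the authorization code
    (e.g. from a leaked redirect) but never saw the verifier cannot redeem it."""
    verifier = make_code_verifier()
    code = server.authorize({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                             "code_challenge": s256_challenge(verifier),
                             "code_challenge_method": "S256"})
    try:
        server.token({"grant_type": "authorization_code", "code": code,
                      "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                      "code_verifier": make_code_verifier()})  # attacker's guess
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_client_flow(AuthorizationServer()))
    print("stolen code rejected:", stolen_code_is_rejected(AuthorizationServer()))
```

    Two points the resolution's wording leaves implicit are made explicit here: under Option 1 a client that omits code_challenge still gets a code, but once a challenge has been bound to a code the server must refuse a token request that lacks a matching verifier (otherwise the downgrade is trivial), and the code_verifier comparison is done in constant time on the recomputed S256 value. The `state` parameter is carried unchanged, since PKCE binds the code to the client instance and `state` still binds the response to the client's session.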

    Description

      PKCE is essential to avoid security incidents. The IG should have guidance and requirements for its use as part of the flows.

    People

      Assignee: Unassigned
      Reporter: David Pyke
      Watchers: 2