Details
- Change Request
- Resolution: Unresolved
- Medium
- US UDAP Security (FHIR)
- current
- Security
- Consumer-Facing
- 4.2.1, 4.2.2
Description
In section 5.2.1, it's made clear that this IG uses JWT-based client auth: "Client apps following this guide will have registered to authenticate using a private key rather than a shared client_secret. Thus, the client SHALL use its private key to sign...."
But sections 4.2.1 and 4.2.2 read as if a client secret were an available option for clients using B2C flows: "If the client app has registered to authenticate using a private key rather than a shared client_secret, ..." and "For client applications authenticating with a shared secret, ...".
It doesn't appear that a client secret is an option for any flow, given that Discovery limits token_endpoint_auth_methods_supported to ["private_key_jwt"].
Please resolve.
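A token-endpoint conformance check that enforces the constraint the report cites, added here as an example and not code from the IG or this tracker: it rejects a shared client_secret when the discovery metadata only advertises private_key_jwt and validates the shape of the JWT client assertion that is required instead. The metadata, the token endpoint URL and the sample requests are constructed, and the claim rules checked (iss == sub == client_id, aud == token endpoint, unexpired exp, jti) are assumed from the JWT-bearer client-assertion profile rather than quoted from the IG; signature verification is deliberately out of scope.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
METADATA = {"token_endpoint": "https://as.example.org/token",  # constructed
            "token_endpoint_auth_methods_supported": ["private_key_jwt"]}  # as in the IG


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (the signature is NOT verified here)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_token_request(body: str, metadata: dict, now: float) -> list:
    """Return conformance problems (empty = OK) for a token request body, enforcing the
    advertised auth methods; the client-assertion claim rules are assumed (jwt-bearer)."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    methods = set(metadata.get("token_endpoint_auth_methods_supported", []))
    problems = []
    if "client_secret" in params and "client_secret_post" not in methods:
        problems.append("shared client_secret is not an advertised auth method")
    if params.get("client_assertion_type") != JWT_BEARER:
        problems.append("client_assertion_type must be the jwt-bearer URN")
    parts = params.get("client_assertion", "").split(".")
    if len(parts) != 3:
        return problems + ["client_assertion is not a three-segment JWT"]
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if header.get("alg") not in {"RS256", "ES384"}:  # rejects "none" and HMAC algs
        problems.append(f"unsupported alg {header.get('alg')!r}")
    if not claims.get("iss") or claims.get("iss") != claims.get("sub"):
        problems.append("iss and sub must both equal the client_id")
    if claims.get("aud") != metadata["token_endpoint"]:
        problems.append("aud must be the token endpoint URL")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp missing or assertion expired")
    if not claims.get("jti"):
        problems.append("jti missing (needed for replay detection)")
    return problems


def make_unsigned_assertion(claims: dict, alg: str = "RS256") -> str:
    """Constructed test-only JWT with a dummy signature segment (no real key)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg})}.{enc(claims)}.dummysig"


def sample_conforming_request(now: float) -> str:
    """Constructed token request body that should pass check_token_request()."""
    claims = {"iss": "app123", "sub": "app123", "aud": METADATA["token_endpoint"],
              "iat": now, "exp": now + 300, "jti": "nonce-1"}
    return urlencode({"grant_type": "client_credentials", "client_assertion_type":
                      JWT_BEARER, "client_assertion": make_unsigned_assertion(claims)})
```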