Stream: smart
Topic: Azure AD
Keith Boone (Aug 05 2016 at 07:01):
Anyone having any success with implementing SMART with Azure Active Directory? Any pointers or tips to share?
Brian Postlethwaite (Aug 05 2016 at 07:10):
I tried and had some issues, but haven't gone back to try again recently.
Very interested in the results here.
Brian Postlethwaite (Aug 05 2016 at 07:10):
Issue I came across was, funnily enough, CORS.
But it was a little while ago now too.
Peter Bernhardt (Aug 08 2016 at 19:15):
We're having some issues, too. One of our guys is writing up (or has already written up) an analysis of what he's seeing and he's going to post it to the SMART Google group.
Peter Bernhardt (Aug 08 2016 at 19:16):
Ironically, MS presented at Josh's SoF gathering recently. ;)
Peter Bernhardt (Aug 08 2016 at 19:18):
https://groups.google.com/forum/#!topic/smart-on-fhir/QH0w1Mo7duQ
Peter Bernhardt (Aug 08 2016 at 19:35):
Just refreshed myself on code I wrote a while ago for my SMART client, and I had to use the implicit flow for AD authorization for our server.
Grahame Grieve (Aug 08 2016 at 21:59):
Please keep us informed. I had thought that MS had resolved things.
Keith Boone (Aug 09 2016 at 11:09):
I had gone to the FHIR Round Table in part because the MS discussion specifically listed a discussion of Azure and SMART. There was barely a mention of it on the last slide, and no discussion of any of the problems. That was very disappointing. That presentation didn't live up to its billing.
Josh Mandel (Aug 09 2016 at 12:09):
Yes. MS seems to have followed up by saying they're not going to support SMART:
I don’t believe AAD will support no secret for code flow BUT, as I understand it even if they did the CORS issue would still be there
Which certainly goes against the last thing they said in our May exchange.
I hope they'll reconsider this.
Grahame Grieve (Aug 09 2016 at 12:13):
Yes, I thought we had sorted this out, and resolved the concerns that the Microsoft engineers had?
Peter Bernhardt (Aug 09 2016 at 16:55):
@Keith Boone yes, we had people from our team there, too, and they reported pretty much the same thing.
Peter Bernhardt (Aug 09 2016 at 16:57):
@Josh Mandel Several months ago I had a long Twitter chat with Vittorio Bertocci, a security expert at MS and the primary architect of their OAuth implementation. I pointed him to the SMART site and he expressed concerns about the code flow. I wonder if you have had direct communication with him.
Josh Mandel (Aug 09 2016 at 19:10):
I don't think Vittorio was on our thread, no. Would be good to engage him.
Grahame Grieve (Aug 09 2016 at 23:03):
I will ask if we can share the thread with MS about the code flow.
Josh Mandel (Aug 09 2016 at 23:09):
Thanks for chiming in here, @Grahame Grieve!
Craig McClendon (Jan 17 2022 at 17:53):
Can anybody comment on the current state of using Azure Active Directory as the Authorization Server for standalone SMART apps?
As best I can tell, it requires using a proxy service in front of Azure AD documented here and here:
https://docs.microsoft.com/en-us/azure/healthcare-apis/azure-api-for-fhir/use-smart-on-fhir-proxy
https://github.com/azure-smart-health/smart-on-fhir-aad-proxy
Is this still the case? Are there any limitations or issues to be aware of?
Happy to hear any advice, alternatives, etc., from any folks who've gone down this path or integrated with AD in other ways.
Thanks.
Gino Canessa (Jan 18 2022 at 15:34):
@Caitlin Voegele @Brendan Kowitz
Brendan Kowitz (Jan 19 2022 at 18:52):
Right now I think the FHIR Proxy has the best implementation for dealing with SMART / AAD (https://github.com/microsoft/fhir-proxy).
Two issues I'm aware of: the first is around SMART's "/" in the scopes. The second is the session-based consent model; AAD by default only requires you to consent once to an app.
Craig McClendon (Jan 19 2022 at 18:59):
@Brendan Kowitz - For clarity, the AAD FHIR Proxy works around both the issues you mention, correct? Or are there still SMART use-cases that can't be met even utilizing the proxy? Thanks!
Brendan Kowitz (Jan 20 2022 at 19:38):
Yes, the proxy wraps/unwraps the scopes to work with AAD. For consent, the proxy can initiate the consent screen on each auth request. I think it's worth exploring to see if it fits your solution.
Last updated: Apr 12 2022 at 19:14 UTC