Stream: smart
Topic: Clarification of requiring nonce in id_token if provided
David Teirney (Aug 14 2019 at 20:23):
I feel that some clarity is required regarding support for use of a nonce by a SMART on FHIR app.
We've just started testing integration with our solution being launched via SMART on FHIR. We're a confidential app that requires the identity of the user as we present content from our system and the EHR at the same time. We're using a standard OIDC Relying Party as part of our solution, which applies all security best practices - including the use of a nonce. We've had a 0 hit rate for that working so far.
One major EHR vendor has this to say. "The authorization code flow technically doesn't require it to be secure, and the SMART on FHIR specification didn't require it [use of the nonce]".
So, I'm seeking clarification here regarding whether complying with OIDC specification should be considered "par for the course" or whether the HL7 SMART on FHIR specification does need to call out some more things, like support for a nonce. And, as part of that, perhaps have examples that follow security best practices within the specification flow diagrams?
Josh Mandel (Aug 14 2019 at 20:50):
In general we try to point to OIDC rather than restating content from OIDC; we only try to specify extra details. But 1) showing best practices in examples, 2) ensuring test suites like Inferno test support, and 3) making any spot edits to content at http://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html#scopes-for-requesting-identity-data all seem worthwhile.
Josh Mandel (Aug 14 2019 at 20:51):
At the very least it'd be good to capture issues at https://github.com/hl7/smart-app-launch and/or https://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemAdd&tracker_id=677 so that when work begins for a v-next, we don't lose track.
Michele Mottini (Aug 14 2019 at 20:59):
Is support for OIDC (or at least openid profile scopes) now required? It used to be optional...
David Teirney (Aug 14 2019 at 21:24):
As a start I've created https://github.com/HL7/smart-app-launch/issues/295
David Teirney (Aug 14 2019 at 21:27):
@Michele Mottini that's a good question as well. My read of the spec wasn't that it was optional, but rather a SMART on FHIR app could optionally request the openid scope. However, Epic doesn't support OIDC...
Michele Mottini (Aug 14 2019 at 21:35):
Still optional? See http://hl7.org/fhir/smart-app-launch/conformance/index.html#smart-on-fhir-core-capabilities-and-capability-sets
Jenni Syed (Aug 14 2019 at 22:02):
I think it's also worthwhile discussing what specific threat vector this protects against/what the benefits are
Jenni Syed (Aug 14 2019 at 22:05):
OAuth 2 state param seems to play a similar part in the SMART workflow
Josh Mandel (Aug 14 2019 at 22:08):
OIDC is optional per SMART, but please note that ONC's proposed rule would adopt SMART App Launch with the OIDC feature.
David Teirney (Aug 19 2019 at 22:56):
@Josh Mandel where's the best place to see what the ONC's proposed rules are?
Josh Mandel (Aug 19 2019 at 22:58):
healthit.gov/nprm is a good place to start
Isaac Vetter (Aug 20 2019 at 03:52):
And inferno is the implementation of these rules: https://inferno.healthit.gov/inferno/
Last updated: Apr 12 2022 at 19:14 UTC