Stream: smart
Topic: Confidential apps
Jenni Syed (Jun 30 2020 at 17:58):
The SMART spec calls out both public and confidential apps, and references the general OAuth2 framework/spec where these are defined. And then, in conformance it calls out a specific capability referencing "SMART's confidential client profile (symmetric secret auth)". However, I don't see the actual profile linked or a link to an OAuth 2 profile that defines this more specifically - is there one?
Jenni Syed (Jun 30 2020 at 17:59):
We're making some assumptions about what this is... but want to make sure those are correct (and log something to update the spec to clarify). :)
Josh Mandel (Jun 30 2020 at 23:34):
It's just referring to the guidance in the SMART IG on how to manage confidential clients -- it's not referring to an external "profile".
Jenni Syed (Jun 30 2020 at 23:35):
So there's no specific spec to use to determine what the rules are around the symmetric secrets?
Josh Mandel (Jun 30 2020 at 23:47):
Rules like entropy and such? No. Just guidance about when symmetric secrets (vs no secrets) are a good fit.
Last updated: Apr 12 2022 at 19:14 UTC