FHIR Chat · Do you support PKCE in your OAuth2 server? · smart

Stream: smart

Topic: Do you support PKCE in your OAuth2 server?


Isaac Vetter (Oct 28 2020 at 18:58):

Hey Guys -- this PR suggests adding support for PKCE in SMART. Would it be reasonable to require SMART servers to support PKCE?

Michele Mottini (Oct 28 2020 at 21:31):

Our server supports PKCE, our client does not (secrets are handled server-side, never by the client app, so that seems OK)

Isaac Vetter (Oct 28 2020 at 21:50):

Thanks Michele. I was thinking of trying to tie a client requirement to its use of redirect URI protocols other than http(s), which I think is both reasonable and targeted. The big question is: should all SMART servers be required to support PKCE ...

Michele Mottini (Oct 28 2020 at 21:55):

> redirect uri protocols other than http(s),

Apps can use universal links, resulting in http(s) redirect even if they go to an app and not a server

Michele Mottini (Oct 28 2020 at 21:56):

Actually apps _have_ to use universal links because registrations with non-https redirect are rejected

Isaac Vetter (Oct 28 2020 at 21:58):

Exactly. PKCE support allows secure non-https redirect URLs, and apps that are already making use of universal/app/URI handlers don't need PKCE.

David Pyke (Oct 29 2020 at 13:12):

PKCE was designed for apps, maybe it could be SHALL for them and SHOULD for EHR?

Josh Mandel (Oct 29 2020 at 15:31):

@David Pyke An app can't use PKCE if the EHR doesn't support it. Are you saying EHRs would decide whether to support PKCE, and if a specific EHR supports it, then apps must use it?

David Pyke (Oct 29 2020 at 15:32):

Yes, sorry. I should have phrased that better.

Michele Mottini (Oct 29 2020 at 15:50):

> and if a specific EHR supports it, then apps must use it

Please no

Josh Mandel (Oct 29 2020 at 15:53):

:-) Yeah, I agree this would be problematic @Michele Mottini. (At this stage, just trying to understand people's perspectives.)

Pascal Pfiffner (Oct 29 2020 at 17:51):

Agree PKCE is not necessary if universal links are used. Should we suggest tying a SHOULD for apps that use non-https redirects, if the EHR supports it?

Josh Mandel (Dec 08 2020 at 16:40):

For tomorrow's Argonaut call @Isaac Vetter please note that I've applied a few updates to your PKCE PR at https://github.com/HL7/smart-app-launch/pull/318/commits/7302a50ced30840749cdb4d15a7ebf8c40e00b87 -- this accounts for our discussion from last time. If you have a chance to review and share any notes ahead of time, that'd be great.

Pascal Pfiffner (Dec 09 2020 at 15:58):

Looks good to me!

Isaac Vetter (Dec 09 2020 at 18:53):

<retracted>


Last updated: Apr 12 2022 at 19:14 UTC