Stream: smart
Topic: Public vs Confidential Client
Timothy Akampa (Feb 09 2021 at 20:54):
Hi all,
My team is building a SMART on FHIR web app and we're leveraging the fhir-client.js library (https://github.com/smart-on-fhir/client-js). We understand the fhir-client does not support PKCE, and therefore we cannot securely authenticate and exchange tokens as a public client. My question is: How best can we use the FHIR client library to authenticate as a confidential client? Does that mean that all OAuth calls and FHIR resource calls will be made in the backend? Is there a way to do FHIR.oauth2.authorize() from the backend and let the frontend make FHIR calls on FHIR.ready()?
Josh Mandel (Feb 09 2021 at 21:11):
We understand the fhir-client does not support PKCE, and therefore we cannot securely authenticate and exchange tokens as a public client
The current SMART specification does not require PKCE, so if you're talking to a SMARTv1 server, this statement shouldn't apply.
Josh Mandel (Feb 09 2021 at 21:12):
(We have forward looking work on a SMARTv2 spec, but it'd be a year at minimum before that makes it through the HL7 and follow-on regulatory process.)
Josh Mandel (Feb 09 2021 at 21:13):
At a higher level: If your app has a server-side component, we'd definitely recommend using that and building a confidential client. If your app doesn't have or need a server-side component, then I'd look at building a public client.
Timothy Akampa (Feb 09 2021 at 21:50):
Josh Mandel said:
At a higher level: If your app has a server-side component, we'd definitely recommend using that and building a confidential client. If your app doesn't have or need a server-side component, then I'd look at building a public client.
@Josh Mandel Thank you for your timely response. Right now the app does not have a server-side component, but talks to an OAuth authorization server that requires public clients to use PKCE. I would really appreciate it if you could share an open source reference implementation that uses the fhir-client.js library and implements a confidential client flow.
Josh Mandel (Feb 09 2021 at 21:55):
What you're describing is server behavior outside the SMART spec. So you may not find a SMART library that supports this. @Vladimir Ignatov nevertheless this would be a good feature; is there a reason you wouldn't want to include it?
Timothy Akampa (Feb 09 2021 at 23:23):
Josh Mandel said:
What you're describing is server behavior outside the SMART spec. So you may not find a SMART library that supports this. Vladimir Ignatov nevertheless this would be a good feature; is there a reason you wouldn't want to include it?
@Josh Mandel @Vladimir Ignatov We would really appreciate it if you could add PKCE support to the fhir-client.js. This will secure our apps against Authorization Code Interception Attack. In the meantime does anyone have a sample code that uses the fhir-client.js library and implements a confidential client flow?
Josh Mandel (Feb 09 2021 at 23:43):
https://github.com/t-zhao/client-js is a fork with PKCE support FWIW @Timothy Akampa
Vladimir Ignatov (Feb 10 2021 at 17:50):
Frankly, I didn't know that PKCE is coming to SMART so soon. In this case, consider it to be on my todo list.
There was this issue that I closed declining to add PKCE, but that was just temporary. The question was whether I
was going to add it soon, or whether they should use their existing fork. Since the fork exists and I know I won't be able to
dedicate enough time in the next few months, I had to let them know that they shouldn't rely on that just yet.
I just released a new version (https://github.com/smart-on-fhir/client-js/releases/tag/v2.3.11) and won't be able
to spare much time for this project for a while, but once I get back to it I plan to give PKCE a try.
Last updated: Apr 12 2022 at 19:14 UTC