Stream: smart
Topic: Should iat be required?
David Zadok (Mar 22 2022 at 19:51):
Hi All,
According to http://www.hl7.org/fhir/smart-app-launch/client-confidential-asymmetric.html#request, exp must be no more than five minutes in the future. We'd like to verify this when consuming JWTs, but given the possibility of clock skew this isn't really possible. If iat is supplied we can easily compare those two claims to ensure the JWT conforms to the rule.
Does anyone else perform this, or a similar, check server-side? How does everyone feel about requiring iat?
Josh Mandel (Mar 22 2022 at 20:10):
The expectation is that clocks should be accurate within a tolerance that is significantly better than 5 minutes. EHRs implementing this specification are already required by other ONC certification criteria to support NTP client functionality to keep times accurate; is this not the case in your deployment environment?
Josh Mandel (Mar 22 2022 at 20:12):
Looking at IAT, you would not necessarily be able to tell whether the requirements on expiration time were met. IAT only gives you an indication of what time the client thought it was when the client generated the token. You still need to assess whether the expiration time is valid with respect to your own server's understanding of the current time.
David Zadok (Mar 22 2022 at 20:15):
While we might be able to safely rely on the time on our server, exp is going to have the same "issue" of being what the client thinks five minutes in the future is. exp-iat can be used to confirm a valid five-minute window was used when the token was generated; then we can just use exp to determine the token is still valid based solely on server time.
Josh Mandel (Mar 22 2022 at 20:27):
Currently the only imperative on the server is to ensure that the expiration time on the token received is no more than 5 minutes beyond the time at which the server processes the token. The issuance time does not come into it. So knowing a client-asserted issuance time would not help you to meet this requirement.
(To be clear, I think there could be other reasons to look for issuance times, but they are beyond the current specification.)
David Zadok (Mar 22 2022 at 20:43):
Could we require iat even if the specs don't say we have to?
Josh Mandel (Mar 22 2022 at 21:02):
You as a server implementing support for the specification? No: because if you add additional requirements like this and impose them on clients, that means the clients will not be able to interoperably connect to your server without special effort. Assuming you're implementing this specification in the context of an EHR certification requirement, that is.
David Zadok (Mar 22 2022 at 21:03):
Thank you
Last updated: Apr 12 2022 at 19:14 UTC