FHIR Chat · Well known Smart-Configuration token_endpoint · smart

Stream: smart

Topic: Well known Smart-Configuration token_endpoint


Sagar Shah (Aug 16 2021 at 21:35):

We plan to use Ory Hydra OpenID Connect, which has authorize and token endpoints as per the OIDC specs. But it does not follow the SMART protocol and does not return patient context in the access token response. To handle this we have created a proxy component on top of the OpenID provider, and we publish this proxy's auth and token endpoints on the /.well-known/smart-configuration FHIR API. This solves the problem and gives the token with patient context as well in the response (as handled in the proxy).

What we recently came across is the need for the token URL to be usable for backend services as well, using JWKS client assertions. We see a challenge here: a signed assertion with the proxy's token endpoint will always be invalidated by the underlying OpenID provider, as the audience claim in the client assertion does not match the actual OAuth token endpoint. Did anyone face a similar issue before? What are the suggested ways to overcome this? Is it mandatory to provide token endpoint information on /.well-known/smart-configuration, or can it be documented as a different endpoint for the authorization flow vs the backend services flow?
Please advise.

Regards,
Sagar

Josh Mandel (Aug 16 2021 at 21:52):

Is it mandatory to provide token endpoint information on /.well-known/smart-configuration

This is mandatory, relative to the FHIR Server base URL. Keep in mind that this file doesn't necessarily need to be hosted on the same domain as your authorization server; it's relative to your FHIR server.

Sagar Shah (Aug 16 2021 at 22:02):

Thanks for clarifying it quickly!

Sagar Shah (Aug 16 2021 at 22:06):

We have hosted that on the FHIR Server itself, but the only issue we are facing here is with the proxy's token endpoint being put in that smart-configuration token endpoint instead of the actual Auth token endpoint. We went this route to support returning the patient context in the access token response. It seems we need an alternative way to keep a single token endpoint in place.


Last updated: Apr 12 2022 at 19:14 UTC