Stream: smart
Topic: What should the value of the aud param be?
Ryan Conley (Sep 14 2021 at 20:12):
From the documentation it simply says this:
URL of the EHR resource server from which the app wishes to retrieve FHIR data. This parameter prevents leaking a genuine bearer token to a counterfeit resource server. (Note: in the case of an EHR launch flow, this aud value is the same as the launch's iss value.)
Then in the example it appears that the aud param should be the url up to and including everything you would need to construct a valid query url when given a relative url. By this I mean https://fhir.server.com/R4 (use an R4 server as an example).
So my question is should the aud param url be https://fhir.server.com/R4 or https://fhir.server.com ?
Josh Mandel (Sep 14 2021 at 20:15):
The aud parameter should be a valid FHIR server base URL. In other words, calling ${aud}/metadata should return metadata for the server. FHIR imposes no rules on what a base URL needs to look like. So either of the examples you wrote could work, depending on the actual behavior. To give a specific example: http://hapi.fhir.org/baseR4 is a valid base and http://hapi.fhir.org is not, because the latter... isn't a FHIR server base URL.
Last updated: Apr 12 2022 at 19:14 UTC