Stream: smart
Topic: invalid aud value
Muhammad Asif (Jul 19 2021 at 14:51):
Hello,
I have set up the SMART Dev Sandbox (https://github.com/smart-on-fhir/smart-dev-sandbox). I'm launching our Smart app that is secured with KeyCloak. On launch I get the error bad_audience (bad audience value).
I tried setting the aud parameter value to the token endpoint of the SMART dev sandbox (i.e. http://localhost:4013/v/r3/auth/token) but the error persists.
Can someone tell me what exact value the aud parameter needs to be?
Josh Mandel (Jul 19 2021 at 15:54):
Can you say more about what the role of KeyCloak is, and what the role of the SMART Launcher is in your setup? It's not clear how you are planning/attempting to integrate these tools.
Vladimir Ignatov (Jul 19 2021 at 16:11):
The SMART Launcher is designed to give you the ability to test an "unsecured" app and see how it would behave when deployed to a secure SMART on FHIR environment. Trying to combine that with another auth layer is not necessary (nor supported). Try launching the app without KeyCloak to see if that works.
Muhammad Asif (Jul 19 2021 at 16:23):
I agree it's to test an unsecured app. Actually I am trying to use the launcher as an alternative to some EHR. Thus without going into the EHR itself we can easily demo the app and manipulate data in the FHIR server.
Muhammad Asif (Jul 19 2021 at 16:24):
Actually all the OAuth flow is done between KC and the FHIR server. We have IDPs configured in KC, and using identity federation these IDPs in KC do all the OAuth2 authentication for the smart app.
For example, in the IDP we have configured the FHIR server auth and token endpoints, and using these KC handles all the authentication. I am trying to pass aud as a query parameter in the auth endpoint URL.
Muhammad Asif (Jul 19 2021 at 16:39):
Is it possible to turn off the aud checking feature in the dev box?
Vladimir Ignatov (Jul 19 2021 at 16:55):
Is it possible to turn off the aud checking feature in the dev box?
No, unless you want to modify the code...
I'm not sure I follow. If you handle OAuth yourself (via KC), then what do you need the launcher for? Perhaps you only need a FHIR server instead?
As for the current issue, you need to pass your FHIR base URL as the aud query parameter to the authorize endpoint. However, the app being launched should do that for you, based on the iss launch parameter that it receives. Please verify that your FHIR base URL (wherever you set that in KC) is the same as the iss sent while launching the app.
Muhammad Asif (Jul 19 2021 at 17:50):
Sure, I will double-check and keep you posted.
Muhammad Asif (Jul 20 2021 at 08:38):
Yup, it gets passed when specifying the exact FHIR base URL as in iss. Thank you for your help.
There are some Epic-specific context parameters that get passed to the SOF app. Now trying for those.
Muhammad Asif (Aug 05 2021 at 06:41):
It worked once it had the correct aud value. Thank you.
Last updated: Apr 12 2022 at 19:14 UTC