Stream: smart
Topic: launch.smarthealthit.org signing algorithms
Sean McIlvenna (May 27 2020 at 20:24):
I'm trying to validate a JWT from launch.smarthealthit.org... I had logic set up to work with RS256-signed JWTs, but I see that the JWT provided by launch.smarthealthit.org has an algorithm of HS256, while the keys provided by https://launch.smarthealthit.org/keys are signed with RS256. Does anyone have any experience validating these JWTs using Java? I don't understand why the /keys are signed with RS256, while the JWT is signed with RS256, and the code I have in place that was working with generic (non-SMART-on-FHIR) OAuth2 was working fine, and is not working in this case.
Josh Mandel (May 27 2020 at 20:36):
This sounds like a bug especially since there's no shared secret in the Launcher that could be used for an HMAC -- can you share an example of a signed token for discussion here?
Josh Mandel (May 27 2020 at 20:37):
@Vladimir Ignatov FYI
Sean McIlvenna (May 27 2020 at 20:42):
I think I figured something out... it seems the access token is signed with HS256, while the id token is signed with RS256
Sean McIlvenna (May 27 2020 at 20:42):
I should probably be validating the id token, not the access token?
Sean McIlvenna (May 27 2020 at 20:42):
but, I would still think the access token should be signed with RS256
Josh Mandel (May 27 2020 at 20:42):
Correct! The format of the access token is unspecified
Sean McIlvenna (May 27 2020 at 20:43):
got it
Sean McIlvenna (May 27 2020 at 20:43):
ok
Josh Mandel (May 27 2020 at 20:43):
Apps shouldn't try to "read" it
Sean McIlvenna (May 27 2020 at 20:43):
thanks for clarifying/confirming @Josh Mandel
Josh Mandel (May 27 2020 at 20:43):
(token introspection API is the official way to interpret a token)
Last updated: Apr 12 2022 at 19:14 UTC