FHIR Chat · redirect_uri · smart

Stream: smart

Topic: redirect_uri


Heath Frankel (Sep 16 2021 at 10:54):

Is it allowable to include a parameter or fragment in the redirect_uri in the auth request and have it returned to the app at the end of the authorisation sequence?
I have tested this against the launch.smarthealthit.org server and it doesn't return a code parameter in the redirect when I include a parameter but works fine when I include a fragment.
Another Auth server just gives me an Invalid Redirect response.
Example: redirect_uri=http%3A%2F%2Flocalhost%3A%23abc

Dan Cinnamon (Sep 16 2021 at 18:37):

Hi Heath, this is what you can use the "state" parameter for. It's a value that you provide that will be returned untouched from the authz server. The main consideration though is that the state parameter is also used to help protect against various attacks on the protocol, so therefore it cannot be a guessable value. So one approach would be to encode your desired value in a signed blob like a JWT that you can use to both communicate information, but can also be validated.

Heath Frankel (Sep 17 2021 at 03:52):

Thanks Dan. I am using the SMART JS Client for the SMART Launch and the generation and management of state is buried deep inside the library. Although I could look at modifying the library, I'm reluctant to have to maintain a fork of it.

So I shouldn't use fragment in the redirect_uri for this purpose?

Michele Mottini (Sep 17 2021 at 13:51):

So I shouldn't use fragment in the redirect_uri for this purpose?

Most servers would reject that as an unregistered redirect URL, so it won't work.

Stephen MacVicar (Sep 17 2021 at 14:18):

The OAuth 2.0 Threat Model and Security Considerations explicitly states "the "redirect_uri" should be the full URI". So your ability to include a fragment is dependent upon servers disregarding this advice.

Vladimir Ignatov (Sep 17 2021 at 16:01):

I think you should read that as "full URL and not a relative one".

Josh Mandel (Sep 17 2021 at 16:15):

So I shouldn't use fragment in the redirect_uri for this purpose?

Correct; the only "variable" part of a redirect (i.e., the only part that changes across multiple launches) will be the auth-server-supplied query params (code and state), and of these, the only one you control is state. So the advice is: create a high-entropy random state value and attach any state you need to track to this value, within your client.

Josh Mandel (Sep 17 2021 at 16:15):

That prevents external parties from "tricking" your app by injecting additional parameters.


Last updated: Apr 12 2022 at 19:14 UTC