Stream: dotnet
Topic: Vonk SMART on FHIR Authentication
Sven-Eric Matthes (Dec 03 2019 at 10:46):
We are currently facing some problems with the SMART on FHIR Authentication with the Vonk FHIR Server. Our IdentityProvider does not provide an audience claim in the Access Token (and the company behind that seems unwilling to change that behaviour) and it seems like the audience check in the token validation cannot be disabled in the Vonk configuration... Is there any possibility to disable the audience check? Another thing that we can't figure out is how to configure Introspection in the Vonk configuration because introspection endpoints are usually secured... More options to configure the Authentication in detail and more information about what's going on here would be really helpful...
Christiaan Knaap (Dec 03 2019 at 16:02):
Thanks for bringing this to our attention. We'll look into it, but it may need a bit of time.
Sven-Eric Matthes (Dec 04 2019 at 13:12):
Thanks for your reply, I look forward to hearing from you again with more information or new configuration options.
Christiaan Knaap (Dec 12 2019 at 13:23):
@Sven-Eric Matthes : Update on this: you currently cannot avoid Audience validation through the settings. But we can easily adjust that to skip Audience validation if there is no Audience configured in the Vonk settings. We'll do that for the next release.
Christiaan Knaap (Dec 12 2019 at 13:47):
Configuration of token introspection is a bit more work. We'll add it to the todo list, but in the meantime you could fill in this need by creating a plugin that sits in front of the SMART-on-FHIR plugin (so the order of the plugin should be < 2000). The plugin would be structured along the lines of this gist.
Josh Mandel (Dec 12 2019 at 14:15):
Just to check: are you using your authorization server to generate tokens for any other services, or only for Vonk? Audience validation is an important step anytime tokens might be generated for more than one audience. (I've seen projects make serious security errors by trying to skip audience validation.)
Vadim Peretokin (Feb 17 2020 at 11:32):
For anyone else looking, disabling audience validation is now available in Vonk 3.2.0.
Last updated: Apr 12 2022 at 19:14 UTC