Stream: connectathon mgmt
Topic: Direct/Certificates
Julie Maas (Sep 29 2018 at 14:17):
Active discussion about the difference between regular client ID/secret and certificate-based authentication scenarios at the table now. Join us!
Julie Maas (Sep 29 2018 at 15:05):
How does client authentication work with FHIR Server and OAuth Server when using trusted certificates? Discussing at the table now. Welcome to join us.
Pascal Pfiffner (Sep 29 2018 at 16:52):
Would be highly interested in a summary of this discussion!
Josh Mandel (Sep 29 2018 at 17:00):
Ditto. Would be great to compare with the SMART backend service approach (where clients sign JWTs to obtain access tokens, but without explicit dependency on certificate infrastructure).
Julie Maas (Sep 30 2018 at 17:47):
A lot of the same steps, but with added capability of trust validation (verified network participant, certificate still valid, etc.) and certificate details validated by some trusted independent 3rd party.
Julie Maas (Sep 30 2018 at 17:52):
> Ditto. Would be great to compare with the SMART backend service approach (where clients sign JWTs to obtain access tokens, but without explicit dependency on certificate infrastructure).
@Josh Mandel A lot of the same steps, but with added capability of trust validation (verified network participant, certificate still valid, etc.) and certificate details validated by some trusted independent 3rd party.
Grahame Grieve (Oct 01 2018 at 11:17):
I don't understand why those things - which are inherent properties of certificates - are different between the 2 approaches
Josh Mandel (Oct 01 2018 at 12:13):
In one approach, clients, to register, just say "here are my public keys, available at a URL protected by TLS." In the other they say "here is a certificate, generally created by a third party, declaring that these are my keys and also declaring a bunch of other verified attributes about me."
Grahame Grieve (Oct 01 2018 at 12:31):
but the jwks can carry that additional stuff, no?
Last updated: Apr 12 2022 at 19:14 UTC