Stream: bulk data
Topic: Client requirement in bulk data authorization
Yunwei Wang (Aug 06 2021 at 19:43):
http://build.fhir.org/ig/HL7/bulk-data/authorization.html#protocol-details lists several client requirements during the authorization process:
- content-type: application/x-www-form-urlencoded
- scope: system/(:resourceType|*).(read|write|*)
- grant_type: client_credentials
- client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 states that
The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner's instructions.
So the server may accept an authorization request with an "incorrect" scope.
Should the server reject a client request with an "incorrect" content-type, grant_type, or client_assertion_type?
Josh Mandel (Aug 06 2021 at 19:59):
I'd say: servers may support additional grant types and assertion types; it's not "incorrect" necessarily -- it's outside the scope of this spec.
Yunwei Wang (Aug 06 2021 at 21:14):
If the grant_type the client sent is not 'client_credentials', for example grant_type: authorization_code, could the server just assume the client means grant_type: client_credentials?
Another example: if the client sends content_type: application/json, could the server ignore that and continue processing the request?
Josh Mandel (Aug 06 2021 at 21:44):
Grant types should never be "assumed", no.
Last updated: Apr 12 2022 at 19:14 UTC