Stream: FHIRcast
Topic: hub.secret
Josh Mandel (Jan 17 2019 at 19:55):
In the FHIRcast overview presentation I see:
Josh Mandel (Jan 17 2019 at 19:55):
But the websub spec says that the secret is to "allow signature of the content distribution" rather than the subscription request.
Josh Mandel (Jan 17 2019 at 19:56):
Importantly, the websub spec expects that the secret is set by the client and not verified or checked by the server in any way, but rather used by the server in authenticating (basically: signing) subsequent content distribution messages back to the client.
Isaac Vetter (Jan 17 2019 at 20:20):
Thanks, Josh! This is a copy-paste error in the slides. That textual description is the definition of the hub.challenge; the description of the hub.secret is:
Unique, random secret string, used to authenticate Hub to app during event notification.
This is correct in the spec (just the slides are wrong).
Last updated: Apr 12 2022 at 19:14 UTC