Stream: inferno
Topic: Public Client Standalone Launch With OpenID Connect
Jason Vogt (Jan 12 2022 at 18:44):
For the Public Client Standalone Launch With OpenID Connect test case, can support for PKCE or for client_assertion using a JWT be added to Inferno? The way the current use case sits, there are security risks outlined in RFC 6819, https://datatracker.ietf.org/doc/html/rfc6819. Section 5.2.3, https://datatracker.ietf.org/doc/html/rfc6819#section-5.2.3, lists some of the methods we can use to mitigate these risks.
5.2.3.1 - don't provide secrets to public clients. We currently follow this and don't issue secrets to these clients.
5.2.3.7 - use strong client authentication. Absent PKCE, we also allow authorization by checking for a client_assertion using a JWT.
Without these capabilities in the Inferno test tool, we will not be able to meet our security requirements and pass the test case. The security risks are far too great to let this be implemented as the test currently stands.
Thanks!
Jason Vogt (Jan 20 2022 at 04:34):
@Robert Scanlon @Yunwei Wang Do you guys have any feedback on the public client issue we are having?
Robert Scanlon (Jan 20 2022 at 15:06):
Hi @Jason Vogt, sorry for the slow response here. ONC asked us to implement this as an option and we'll have it done by the end of March. I can't say if ONC will allow this option for certification, as I don't speak for them and haven't seen any published clarification that they will allow it. The reason why I defer to them on this matter is that for certification we do not allow servers to impose extra requirements on clients as a general rule. This is a very reasonable extra requirement though (standardized, mentioned in SMART v1, encouraged as a best practice, etc).
Robert Scanlon (Jan 20 2022 at 15:11):
@Johnny Bender -- Can you say if ONC plans on putting out any clarification on this publicly in the coming weeks or months? Or has it already publicly stated that it is ok?
Robert Scanlon (Jan 20 2022 at 15:18):
@Jason Vogt -- do you have a public sandbox with this enabled that we can use as we implement this functionality? It is helpful to have some 3rd party systems to validate tests against (the more the better!)
Jason Vogt (Jan 20 2022 at 15:43):
@Robert Scanlon Yes, we do have a public endpoint set up that we have been using to test all of the scenarios from the website and not just locally. We would be able to assist with testing.
Robert Scanlon (Jan 20 2022 at 19:13):
Great, we'll reach out when we have something to start trying on external systems (within a few weeks).
Robert Scanlon (Jan 20 2022 at 19:21):
To clarify: the plan is to add PKCE support. I'm unsure about client_assertion.
Jason Vogt (Feb 04 2022 at 17:06):
@Johnny Bender Do you have any thoughts on Robert's question?
Keith Carlson (Feb 18 2022 at 16:35):
Hi all. ONC has updated the (g)(10) CCG with a clarification relevant to this discussion. The clarification is copied below and please feel free to sign up for the ONC Health IT Certification Program listserv to keep up with future updates!
Clarification to Paragraph 85 FR 170.315(g)(10)(v)(A)(1) (ONC Cures Act Final Rule):
As described in the ONC Cures Act Final Rule, we encourage implementers to adhere to industry best practices to mitigate Cross-Site Request Forgery (CSRF) and other known security threats (85 FR 25742). Proof Key for Code Exchange (PKCE) (Internet Engineering Task Force Request for Comments 7636) is an industry standard that can help mitigate CSRF and other known security threats. The ONC Health IT Certification Program will support the optional use of PKCE during authentication and authorization testing. Health IT developers that implement and require the use of PKCE should include documentation for their PKCE implementation as part of the API Documentation requirement at 45 CFR 170.315(g)(10)(viii) and API Transparency Conditions at 45 CFR 170.404(a)(2).
Chris Blair (Apr 05 2022 at 13:17):
Hello, on G10 Test 6.1.02, when I've launched the test pointed to the FHIR endpoint, the tool tries to get the authorization code from the FHIR endpoint instead of the authorize endpoint published in the smart-configuration and CapabilityStatement. Why is that?
Yunwei Wang (Apr 05 2022 at 13:38):
@Chris Blair Did you run 6.1 test only or did you run whole "ONC Certification (g)(10) Standardized API" test suite?
Chris Blair (Apr 05 2022 at 13:48):
Just 6.1
Yunwei Wang (Apr 05 2022 at 14:00):
OK. I noticed that our UI is a little bit confusing. We are still making updates there. In that popup dialog, there are three "Standalone FHIR endpoint" entries. What we really mean is: the first one is the authorization endpoint, the second one is the FHIR endpoint, and the third one is the token endpoint. [attachment: image.png]
Can you verify your input for these three endpoints?
Chris Blair (Apr 05 2022 at 14:07):
Ah yes, I had put the same FHIR endpoint into all three prompts. It's working better now. Thanks for explaining that.
Yunwei Wang (Apr 05 2022 at 14:30):
Great to know that helps. Would you mind raising an issue at https://github.com/onc-healthit/onc-certification-g10-test-kit/issues so we can track that UI issue? Thanks.
Chris Blair (Apr 05 2022 at 14:34):
It looks like it would be a duplicate of issues 49 and 58...
Yunwei Wang (Apr 05 2022 at 14:37):
thanks
Nathan Loyer (Apr 05 2022 at 18:45):
Yeah, I picked up the main branch in our deployment this week, and I can confirm that the prior PRs resolved this. So this should be all set in the next release.
Last updated: Apr 12 2022 at 19:14 UTC