Stream: inferno
Topic: aud validation
Josh Mandel (Nov 06 2020 at 21:47):
Does Inferno have a negative test to ensure that authorization fails when the required aud parameter is missing or mis-valued?
Josh Mandel (Nov 06 2020 at 21:48):
(This came up in our keycloak call -- https://docs.smarthealthit.org/authorization/best-practices/ "Access Token Phishing")
Robert Scanlon (Nov 09 2020 at 15:06):
Yes, we do specifically test for an incorrect AUD for standalone launches in the context of ONC Certification. Though I should move that to our more general set of SMART tests as well.
Josh Mandel (Nov 09 2020 at 15:08):
Okay - that'd be great since it sounds like possibly @Lee Surprenant did not hit this error when testing their keycloak server (or maybe another error masked it)
Robert Scanlon (Nov 09 2020 at 15:12):
If he only ran the non-ONC certification tests he wouldn't have come across it. Only if you are going through the whole set of ONC tests will you come across it. This one is near the end, along with a few other 'special case' tests, because it requires more work on the part of the tester. The lack of a standardized error response for this means that the tester needs to expect some kind of potentially unhelpful error message on the authorization server side, and then flip back to Inferno to acknowledge the launch didn't succeed.
Robert Scanlon (Nov 09 2020 at 15:20):
Screen-Shot-2020-11-09-at-10.18.02-AM.png
Robert Scanlon (Nov 09 2020 at 15:40):
I'll get these moved over.
Lee Surprenant (Nov 09 2020 at 16:03):
Yeah, I tend to run the community tests since the ONC ones cover a lot of stuff we don't support.
Last updated: Apr 12 2022 at 19:14 UTC