FHIR Chat · unrequested scope fails touchstone · inferno

Stream: inferno

Topic: unrequested scope fails touchstone


Lee Surprenant (Jun 24 2020 at 17:38):

I was testing smart app launch with a new identity server and I found that it is including an unrequested scope in its token response. I think this is permitted (per https://tools.ietf.org/html/rfc6749 at least), but it causes Inferno to mark the test failed:

Token response contained unrequested scopes: <bad_scope_here>

Lee Surprenant (Jun 24 2020 at 17:39):

Is Inferno being overly strict, or is this behavior actually prohibited in SMART (or somewhere else)?

Reece Adamson (Jun 24 2020 at 21:43):

@Lee Surprenant did you observe this on Inferno Program or Community and which specific test was it? Just want to make sure I'm looking at the right thing

For token refresh the scopes must be a strict subset of the scopes granted in the original launch (additional details here on this previous issue). If you're seeing this on another test then there may be a bug or some other requirement that I have forgotten, but that we should have included in the test description (and should update if we haven't).

Lee Surprenant (Jun 24 2020 at 21:50):

This was on community edition Version 2.9.0

Lee Surprenant (Jun 24 2020 at 21:50):

I will review that issue in a moment, thanks

Lee Surprenant (Jun 24 2020 at 22:10):

OK, I reviewed that issue and I think it is different.

Lee Surprenant (Jun 24 2020 at 22:10):

My issue is during the initial token request.

Lee Surprenant (Jun 24 2020 at 22:12):

SLS-08: Token exchange response body contains required information encoded in JSON

Lee Surprenant (Jun 24 2020 at 22:12):

Specifically this part:

scope must be a strict subset of the requested scopes, or empty.

Lee Surprenant (Jun 24 2020 at 22:13):

I'm not even saying it's wrong, I'm just wondering where that requirement is coming from.

Jenni Syed (Jun 25 2020 at 14:39):

That is wrong, I believe. As stated/linked, OAuth allows the server to completely override what the client asks for.

Yunwei Wang (Jun 25 2020 at 15:02):

@Lee Surprenant Yes. That is a bug in Inferno. Do you mind creating a GitHub issue? Thank you.

Lee Surprenant (Jun 25 2020 at 15:18):

Thanks Jenni and Yunwei. https://github.com/onc-healthit/inferno/issues/464
I do think it should verify that you can get some set of SMART scopes back, but I'm not sure exactly how that should work.


Last updated: Apr 12 2022 at 19:14 UTC