FHIR Chat · Revoked tokens still allows patient access in FHIR server · ibm

Stream: ibm

Topic: Revoked tokens still allows patient access in FHIR server


Sagar Sarvankar (Mar 29 2022 at 06:50):

Hello @Lee Surprenant ,

We have a situation where we issue a token from an OAuth server. Using this token, we can then access a FHIR Patient resource.
After we revoke this token on our auth server, it is expected that this token is no longer valid, since it is no longer available on the OAuth server.

Now, when we access the FHIR Patient resource with this revoked token, the IBM FHIR server responds with 200 and the requested Patient resource. It should have denied access and returned a 400, since the token used here is revoked.

This is one of the test cases that is tested by Inferno.

Please let me know your thoughts.

Thank you,
Sagar

Lee Surprenant (Mar 29 2022 at 11:15):

The access tokens should have a short lifespan, and the client will be unable to get a new one. Is it truly necessary?

Sagar Sarvankar (Mar 29 2022 at 13:40):

Thanks @Lee Surprenant for your response.

Let me see if shortening the lifespan of the token will give us the desired behavior.
Is there a way the IBM FHIR server can check whether the token is revoked or not, by using the OAuth server's introspect URL before providing access to any of its resources?

Regards,
Sagar

Lee Surprenant (Mar 29 2022 at 13:58):

We're just using OpenLiberty's support for this. Specifically they have a couple different features that are relevant:

  1. mpJwt: https://www.openliberty.io/docs/21.0.0.3/reference/config/mpJwt.html
  2. openidConnectClient: https://www.openliberty.io/docs/21.0.0.3/reference/config/openidConnectClient.html

Lee Surprenant (Mar 29 2022 at 13:59):

Originally I was working with openidConnectClient, which supports token introspection,

Lee Surprenant (Mar 29 2022 at 13:59):

but over time I moved to mpJwt (which does not).

Lee Surprenant (Mar 29 2022 at 14:01):

https://ibm.github.io/FHIR/guides/FHIRServerUsersGuide#53-openid-connect-and-oauth-20 mentions the OpenID Connect Client option; we don't have any doc for that, so you'd need to configure it yourself based on the Liberty docs.

Sagar Sarvankar (Mar 29 2022 at 15:21):

OK @Lee Surprenant, I will go through the links that you have shared here.

Thank you,
Sagar


Last updated: Apr 12 2022 at 19:14 UTC