Security for Scalable Registration, Authentication, and Authorization, published by HL7 International / Security. This guide is not an authorized publication; it is the continuous build for version 2.0.0-ballot built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/fhir-udap-security-ig/ and changes regularly. See the Directory of published versions
This section contains general guidance applicable to multiple authorization and authentication workflows.
The constraints in the following subsections apply to all workflows utilizing the authorization code flow.
A Client application SHALL include the state
parameter in its authorization request. An Authorization Server SHALL return an error code of invalid_request
as per Section 4.1.2.1 of RFC 6749 if a client application does not include a state
value in its authorization request.
Servers SHALL include the state
parameter and corresponding value provided by the client application in the authorization response as per RFC 6749. The client application SHALL NOT proceed if the state
parameter is not included in the authorization response or its value does not match the value provided by the client application in the corresponding authorization request.
Client applications and Authorization Servers SHALL utilize Proof Key for Code Exchange (PKCE) with code_challenge_method
of S256
as defined in RFC 7636. An Authorization Server SHOULD return an error as per Section 4.4.1 of RFC 7636 if a client application does not include a code_challenge
is its authorization request.
The Authorization Server SHALL return an error in response to a token request as per Section 4.6 of RFC 7636 if the client included a code_challenge
in its authorization request but did not include the correct code_verfier
value in the corresponding token request.
The following constraints have been adapted from the TEFCA Faciliated FHIR SOP. Some of the constraints in that SOP conflict with constraints found elsewhere in this IG, or relate to requirements in other IGs such as the SMART App Launch IG. This will need to be resolved prior to STU2 publication. Feedback is requested.
A wildcard scope is a scope that can be alternatively represented as a set of non-wildcard scopes. An example of a wildcard scope is the SMART App Launch v1.0.0 scope patient/Observation.*
which can expanded to the set of two non-wildcard scopes: patient/Observation.read
and patient/Observation.write
. Granting the wildcard scope to a client application is equivalent to granting the corresponding expanded set of non-wildcard scopes.
The constraints enumerated below apply for scope negotiation between client applications and servers. Unless otherwise specified, these constraints apply for both registration requests and access token requests made by client applications, and the corresponding responses returned by servers.
The scopes_supported
metadata SHALL be present in the .well-known/smartconfiguration or .well-known/udap object, as applicable, and SHALL list all scopes supported including all supported wildcard scopes.
scopes_supported
metadata list.If a client application requests a wildcard scope and the server does NOT support wildcard scopes, then the server SHOULD respond with an error of “invalid_scope”.
scopes_supported
metadata.A server SHOULD respond with “invalid_scope” only if a wildcard scope is requested and not supported, or if none of the requested scopes are supported.
A server SHOULD return “invalid_scope” only if none of the scopes requested are available and/or not part of the scopes requested during registration.
scope
parameter in a token response if the set of scopes granted by the server to the client application is not identical to the set of scopes requested by the client application, or if the client application does not include a set of requested scopes in its request.This section provides an example UDAP Certification that can be used by client applications or third parties to declare additional information about the client application at the time of registration.
A client application or third party MAY construct a certification by constructing a signed JWT as detailed in this section. The certification SHALL contain the required header elements specified in [Section 1.2.3] of this guide and the JWT claims listed in the table below. The certification SHALL be signed by the client application operator or by a third party using the signature algorithm identified in the alg
header of the certification and with the private key that corresponds to the public key listed in the client’s X.509 certificate identified in the x5c
header of the certification. Recognized Certification JWT claims and server processing rules for Certifications submitted by a client application are detailed in UDAP Certifications and Endorsements for Client Applications. A trust community MAY define additional keys to be included in the extensions
object, as demonstrated in the example below.
Example Client Application Certification JWT Claims | ||
---|---|---|
iss |
required |
Issuer of the JWT -- unique identifying URI of the signing entity. This SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the signer's certificate included in the x5c JWT header and SHALL uniquely identify a single signing entity over time.
|
sub |
required |
Subject of the JWT -- unique identifying client URI. This SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the client's certificate and SHALL uniquely identify a single client app operator and applications over time.
For a self-signed certification, this is same as iss .
|
aud |
optional | The "registration URL" of the intended Authorization server(s), i.e. the same URL to which the registration request will be posted. If absent, this certification is intended for all Authorization Servers. The value can be a single string or array of strings. |
exp |
required |
Expiration time integer for this software statement, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). The exp time SHALL be no more than 3 years after the value of the iat claim.
|
iat |
required | Issued time integer for this software statement, expressed in seconds since the "Epoch" |
jti |
required | A nonce string value that uniquely identifies this software statement. See Section 1.2.4 for additional requirements regarding reuse of values. |
certification_name |
required | string with fixed value: "Example HL7 Client App Certification" |
certification_uris |
required | array of one string with fixed value: ["URI TBD"] |
grant_types |
required |
Array of strings, each representing a requested grant type, from the following list: "authorization_code" , "refresh_token" , "client_credentials" . The array SHALL include either "authorization_code" or "client_credentials" , but not both. The value "refresh_token" SHALL NOT be present in the array unless "authorization_code" is also present.
|
response_types |
conditional |
Array of strings. If grant_types contains "authorization_code" , then this element SHALL have a fixed value of ["code"] , and SHALL be omitted otherwise
|
scope |
required |
String containing a space delimited list of scopes that may be requested by the client application for use in subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will allow the application to subsequently request. Note for client apps that also support the SMART App Launch framework: apps requesting the "client_credentials" grant type SHOULD request system scopes; apps requesting the "authorization_code" grant type SHOULD request user or patient scopes.
|
extensions |
optional | A JSON object containing one or more of the keys listed in the following section. |
Note: A certification self-signed by a client app operator can be used to declare the intended use of the application within a trust community. Certifications signed by a third party, such as the trust community administrator or an independent accreditor, can be used to assist servers in determining what a client application is authorized to do within a trust community. For example, a trust community administrator could use this certification to communicate the exchange purposes for which a particular client application operator has been approved.
This section lists two example extension keys that could be considered for inclusion in a Certification. When defining a Certification, a trust community MAY define one or more extension keys to be included in the extensions
object of the Certification JWT. The value of each extension key SHALL be a JSON value or a JSON object. For example, a Certification definition could specify a number, an array of strings, or a FHIR Questionnaire resource as the value of an extension key.
privacy_disclosures
extension key are derived from an example Certification previously published by Carequality, which can be viewed here.
Example Client Application Certification JWT Extensions Keys | ||
---|---|---|
exchange_purpose |
required | Array of strings, each containing a URI identifying an exchange purpose recognized by the trust community. |
privacy_disclosures |
optional |
A JSON object containing a set of privacy-related keys and acceptable values established by the trust community. Examples: 1. the key funding could be used to express the app's source of funding.
2. the key data_storage could be used to identify where a patient's data is stored.
3. the key data_access_notification could be used to indicate whether a user is notified when their data is accessed by someone else.
|