Security for Scalable Registration, Authentication, and Authorization, published by HL7 International / Security. This guide is not an authorized publication; it is the continuous build for version 2.0.0-ballot built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/fhir-udap-security-ig/ and changes regularly. See the Directory of published versions
This guide supports consumer-facing client applications using the authorization code grant type.
Consumer-facing client applications SHALL obtain an access token for access to FHIR resources by following the OAuth 2.0 authorization code grant flow, with the additional options and constraints discussed below.
The workflow for obtaining an authorization code is summarized in the following diagram:
Client applications SHALL request an authorization code as per Section 4.1.1 of RFC 6749, with the following additional constraints. Client applications that also support the SMART App Launch IG are NOT REQUIRED to include a launch scope or launch context requirement scope. Client applications and servers MAY optionally support UDAP Tiered OAuth for User Authentication to allow for cross-organizational or third party user authentication as described in Section 6.
Servers SHALL handle and respond to authorization code requests as per Section 4.1.2 of RFC 6749.
Client applications and Authorization Servers SHALL conform to the additional constraints for authorization code flow found in Section 7.1 of this guide.
The workflow for obtaining an access token is summarized in the following diagram:
Client applications SHALL exchange authorization codes for access tokens as per Section 4.1.3 of RFC 6749, with the following additional options and constraints.
Client applications SHALL include a code_verifier
parameter and value in the token request as per Section 4.5 of RFC 7636.
If the client app has registered to authenticate using a private key rather than a shared client_secret, then the client SHALL use its private key to sign an Authentication Token as described in this section, and include this JWT in the client_assertion
parameter of its token request as described in Section 5.1 of UDAP JWT-Based Client Authentication and detailed further in Section 4.2.2 of this guide. For clients and servers that also support the SMART App Launch IG, this overrides the requirement for the client to use HTTP Basic Authentication with a client_secret in Section 7.1.3 of the SMART App Launch IG v1.0.0.
Authentication Tokens submitted by client apps SHALL conform to the general JWT header requirements above and SHALL include the following parameters in the JWT claims defined in Section 4 of UDAP JWT-Based Client Authentication:
Authentication JWT Claims | ||
---|---|---|
iss |
required |
The application's client_id as assigned by the Authorization Server during the registration process
|
sub |
required |
The application's client_id as assigned by the Authorization Server during the registration process
|
aud |
required | The FHIR Authorization Server's token endpoint URL |
exp |
required | Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). |
iat |
required | Issued time integer for this authentication JWT, expressed in seconds since the "Epoch" |
jti |
required | A nonce string value that uniquely identifies this authentication JWT. See Section 1.2.4 for additional requirements regarding reuse of values. |
The maximum lifetime for an Authentication Token SHALL be 5 minutes, i.e. the value of exp
minus the value of iat
SHALL NOT exceed 300 seconds. The Authorization Server MAY ignore any unrecognized claims in the Authentication Token. The Authentication Token SHALL be signed and serialized using the JSON compact serialization method.
For client applications authenticating with a shared secret, the client application and server SHALL follow the token request and response protocol in Section 4.1.3 and Section 4.1.4 of RFC 6749.
Client applications authenticating with a private key and Authentication Token as per Section 4.2.1 SHALL submit a POST request to the Authorization Server’s token endpoint containing the following parameters as per Section 5.1 of UDAP JWT-Based Client Authentication. Client apps authenticating in this manner SHALL NOT include an HTTP Authorization header or client secret in its token endpoint request. The token request SHALL include the following parameters:
Token request parameters | ||
---|---|---|
grant_type |
required |
Fixed value: authorization_code
|
code |
required | The code that the app received from the Authorization Server |
redirect_uri |
conditional |
The client application's redirection URI. This parameter SHALL be present only if the redirect_uri parameter was included in the authorization request in Section 4.1, and their values SHALL be identical.
|
client_assertion_type |
required |
Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
|
client_assertion |
required | The signed Authentication Token JWT |
udap |
required |
Fixed value: 1
|
An Authorization Server receiving token requests containing Authentication Tokens as above SHALL validate and respond to the request as per Sections 6 and 7 of UDAP JWT-Based Client Authentication.
The Authorization Server SHALL return an error as per Section 4.6 of RFC 7636 if the client included a code_challenge
in its authorization request but did not include the correct code_verfier
value in the corresponding token request.
For all successful token requests, the Authorization Server SHALL issue access tokens with a lifetime no longer than 60 minutes.
This guide does not currently constrain the type or format of access tokens issued by Authorization Servers. Note that other implementation guides (e.g. SMART App Launch, IUA, etc.), when used together with this guide, may limit the allowed access token types (e.g. Bearer) and/or formats (e.g. JWT).
This guide supports the use of refresh tokens, as described in Section 1.5 of RFC 6749. Authorization Servers MAY issue refresh tokens to consumer-facing client applications as per Section 5 of RFC 6749. Client apps that have been issued refresh tokens MAY make refresh requests to the token endpoint as per Section 6 of RFC 6749. Client apps authenticate to the Authorization Server for refresh requests by constructing and including an Authentication Token in the same manner as for initial token requests.