Security for Scalable Registration, Authentication, and Authorization
1.0.1 - STU 1 Update United States of America flag

Security for Scalable Registration, Authentication, and Authorization, published by HL7 International - Security WG. This is not an authorized publication; it is the continuous build for version 1.0.1. This version is based on the current content of https://github.com/HL7/fhir-udap-security-ig/ and changes regularly. See the Directory of published versions

Registration

The requirements in this section are applicable to both consumer-facing and B2B apps and the servers that support them.

Before FHIR data requests can be made, Client application operators SHALL register each of their applications with the Authorization Servers identified by the FHIR servers with which they wish to exchange data.  Client applications SHALL use the client_id assigned by an Authorization Server in subsequent authorization and token requests to that server.

Authorization Servers SHALL support dynamic registration as specified in the UDAP Dynamic Client Registration profile with the additional options and constraints defined in this guide. Confidential clients that can secure a secret MAY use this dynamic client registration protocol as discussed further below to obtain a client_id. Other client types SHOULD follow the manual registration processes for each Authorization Server. Future versions of this guide may add support for dynamic client registration by public clients which cannot protect a private key.

The dynamic registration workflow is summarized in the following diagram:

Client AppAuthorization ServerRegistration requestRegistration response

Software Statement

To register dynamically, the client application first constructs a software statement as per section 2 of UDAP Dynamic Client Registration.

The software statement SHALL contain the required header elements specified in Section 1.2.3 of this guide and the JWT claims listed in the table below.  The software statement SHALL be signed by the client application operator using the signature algorithm identified in the alg header of the software statement and with the private key that corresponds to the public key listed in the client’s X.509 certificate identified in the x5c header of the software statement.

Software Statement JWT Claims
iss required Issuer of the JWT -- unique identifying client URI. This SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the client's certificate included in the x5c JWT header
sub required Same as iss. In typical use, the client application will not yet have a client_id from the Authorization Server
aud required The Authorization Server's "registration URL" (the same URL to which the registration request  will be posted)
exp required Expiration time integer for this software statement, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). The exp time SHALL be no more than 5 minutes after the value of the iat claim.
iat required Issued time integer for this software statement, expressed in seconds since the "Epoch"
jti required A nonce string value that uniquely identifies this software statement. This value SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the exp claim has passed
client_name required A string containing the human readable name of the client application
redirect_uris conditional An array of one or more redirection URIs used by the client application. This claim SHALL be present if grant_types includes "authorization_code" and this claim SHALL be absent otherwise. Each URI SHALL use the https scheme.
contacts required An array of URI strings indicating how the data holder can contact the app operator regarding the application. The array SHALL contain at least one valid email address using the mailto scheme, e.g.
["mailto:operations@example.com"]
logo_uri conditional A URL string referencing an image associated with the client application, i.e. a logo. If grant_types includes "authorization_code", client applications SHALL include this field, and the Authorization Server MAY display this logo to the user during the authorization process. The URL SHALL use the https scheme and reference a PNG, JPG, or GIF image file, e.g. "https://myapp.example.com/MyApp.png"
grant_types required Array of strings, each representing a requested grant type, from the following list: "authorization_code", "refresh_token", "client_credentials". The array SHALL include either "authorization_code" or "client_credentials", but not both. The value "refresh_token" SHALL NOT be present in the array unless "authorization_code" is also present.
response_types conditional Array of strings. If grant_types contains "authorization_code", then this element SHALL have a fixed value of ["code"], and SHALL be omitted otherwise
token_endpoint_auth_method required Fixed string value: "private_key_jwt"
scope required String containing a space delimited list of scopes requested by the client application for use in subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will allow the application to subsequently request. Note for client apps that also support the SMART App Launch framework: apps requesting the "client_credentials" grant type SHOULD request system scopes; apps requesting the "authorization_code" grant type SHOULD request user or patient scopes.

The unique client URI used for the iss claim SHALL match the uriName entry in the Subject Alternative Name extension of the client app operator’s X.509 certificate, and SHALL uniquely identify a single client app operator and application over time. The software statement is intended for one-time use with a single OAuth 2.0 server. As such, the aud claim SHALL list the URL of the OAuth Server’s registration endpoint, and the lifetime of the software statement (exp minus iat) SHALL be 5 minutes.

  1. This guide does not currently constrain the URI scheme used to identify clients in the iss claim of the Authentication Token. The https scheme is used to identify FHIR servers, and can generally also be used for clients. However, other URI schemes can be used by communities where client app operators are not well represented by unique URLs. Communities supporting emerging concepts such as decentralized identifiers to represent client app operators may also consider using the did scheme for issuers of UDAP assertions.

Example

Client Credentials

Example software statement, prior to Base64URL encoding and signature, for a B2B app that is requesting the use of the client credentials grant type (non-normative, the “.” between the header and claims objects is a convenience notation only):

{
  "alg": "RS256",
  "x5c": ["MIEF.....remainder omitted for brevity"]
}.{
  "iss": "http://example.com/my-b2b-app",
  "sub": "http://example.com/my-b2b-app",
  "aud": "https://oauth.example.net/register",
  "exp": 1597186041,
  "iat": 1597186341,
  "jti": "random-value-109a3bd72"
  "client_name": "Acme B2B App",
  "contacts": ["mailto:b2b-operations@example.com"],
  "grant_types": ["client_credentials"],
  "token_endpoint_auth_method": "private_key_jwt",
  "scope": "system/Patient.read system/Procedure.read"
}

Authorization Code

Example software statement, prior to Base64URL encoding and signature, for a B2B app that is requesting the use of the client credentials grant type (non-normative, the “.” between the header and claims objects is a convenience notation only):

{
  "alg": "RS256",
  "x5c": ["MIEF.....remainder omitted for brevity"]
}.{
  "iss": "http://example.com/my-user-b2b-app",
  "sub": "http://example.com/my-user-b2b-app",
  "aud": "https://oauth.example.net/register",
  "exp": 1597186054,
  "iat": 1597186354,
  "jti": "random-value-f83f37a29"
  "client_name": "Acme B2B User App",
  "redirect_uris": ["https://b2b-app.example.com/redirect"],
  "contacts": ["mailto:b2b-operations@example.com"],
  "logo_uri": "https://b2b-app.example.com/B2BApp.png",
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "token_endpoint_auth_method": "private_key_jwt",
  "scope": "user/Patient.read user/Procedure.read"
}

Request Body

The registration request for use of either grant type is submitted by the client to the Authorization Server’s registration endpoint.

POST /register HTTP/1.1
Host: oauth.example.net
Content-Type: application/json

{
   "software_statement": "...the signed software statement JWT...",
   "certifications": ["...a signed certification JWT..."]
   "udap": "1"
}

The Authorization Server SHALL validate the registration request as per Section 4 of UDAP Dynamic Client Registration. This includes validation of the JWT payload and signature, validation of the X.509 certificate chain, and validation of the requested application registration parameters. If a new registration is successful, the Authorization Server SHALL return a registration response with a 201 Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration, including the unique client_id assigned by the Authorization Server to that client app. If a new registration is not successful, e.g. it is rejected by the server for any reason, the Authorization Server SHALL return an error response as per Section 5.2 of UDAP Dynamic Client Registration.

Inclusion of Certifications and Endorsements

Authorization Servers MAY support the inclusion of certifications and endorsements by client application operators using the certifications framework outlined in UDAP Certifications and Endorsements for Client Applications. Authorization Servers SHALL ignore unsupported or unrecognized certifications.

Authorization Servers MAY require registration requests to include one or more certifications. If an Authorization Server requires the inclusion of a certain certification, then the Authorization Server SHALL communicate this by including the corresponding certification URI in the udap_certifications_required element of its UDAP metadata.

Modifying and Cancelling Registrations

The client URI in the Subject Alternative Name of an X.509 certificate uniquely identifies a single application and its operator over time. Thus, a previously registered client application MAY request a modification of its previous registration with an Authorization Server by submitting another registration request to the same Authorization Server’s registration endpoint using a certificate with a Subject Alternative Name client URI entry matching the original registration request.

If an Authorization Server receives a valid registration request with a software statement containing the same iss value as an earlier software statement but with a different set of claims or claim values, or with a different (possibly empty) set of optional certifications and endorsements, the server SHALL treat this as a request to modify the registration parameters for the client application by replacing the information from the previous registration request with the information included in the new request. For example, an Application operator could use this mechanism to update a redirection URI or to remove or update a certification. If the registration modification request is accepted, the Authorization Server SHOULD return the same client_id in the registration response as for the previous registration. If it returns a different client_id, it SHALL cancel the registration for the previous client_id.

If an Authorization Server receives a valid registration request with a software statement that contains an empty grant_types array from a previously registered application, the server SHOULD interpret this as a request to cancel the previous registration. A client application SHALL interpret a registration response that contains an empty grant_types array as a confirmation that the registration for the client_id listed in the response has been cancelled by the Authorization Server.

If the Authorization Server returns the same client_id in the registration response for a modification request, it SHOULD also return a 200 OK HTTP response code. If the Authorization Server returns a new client_id in the registration response, the client application SHALL use only the new client_id in subsequent transactions with the Authorization Server.