Review from Joris #1

Open
rolandgroen opened this issue Sep 13, 2021 · 0 comments
  • It feels like a mismatch to use SMART on FHIR for launching. TODO: section on KT2.0.
    • Access token is misleading, as applications use their own authorization and authentication. Use a NOOP token for access_token. The second option is to give an application access token. The last option is risky if sent to the browser.
    • Second issue is the authorization step, which does not add any meaning, a) as the application is authenticated by the other SMART authorization steps and b) the user is already authenticated.
    • Mode mismatch because of the first point: what does SMART HTI on FHIR add?
  • Launch is a GET request; the length of the query param is a risk (1024 chars limit).
  • Information exposure in history and referrer (OWASP) issue.
  • Launch token needs to be unique: HTI has a JTI, solved.
  • Scopes in SMART on FHIR should be ONLY "launch openid".

@rolandgroen rolandgroen self-assigned this Sep 13, 2021
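Added example, not code from the issue or from the HTI/Koppeltaal project: a receiving-side check that ties the review points together (the 1024-char GET limit, an exact "launch openid" scope, and a jti that is refused on replay). It assumes, purely to stay stdlib-only, an HS256 launch JWT signed with a shared secret and carried in a "launch" query parameter; the secret, claim values and URLs are constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions of this constructed example: the launch token is an HS256 JWT signed
# with a shared secret (substitute the real signing scheme and keys) and travels
# in the "launch" query parameter of a GET launch URL.
SECRET = b"constructed-shared-secret"
ALLOWED_SCOPE = "launch openid"   # the only scope the issue wants to allow
MAX_LAUNCH_URL_LEN = 1024         # query length limit noted in the issue

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_launch_url(base: str, claims: dict, scope: str = ALLOWED_SCOPE) -> str:
    """Launching side (constructed): build the GET launch URL carrying the token."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    token = f"{head}.{body}.{_b64url(sig)}"
    return f"{base}?{urlencode({'launch': token, 'scope': scope})}"

def validate_launch(url: str, seen_jtis: set, now=None) -> tuple:
    """Receiving side: refuse oversized URLs, unexpected scopes, bad signatures,
    expired tokens and replayed jti values. Returns (accepted, reason)."""
    if len(url) > MAX_LAUNCH_URL_LEN:
        return False, "launch URL exceeds %d chars" % MAX_LAUNCH_URL_LEN
    qs = parse_qs(urlsplit(url).query)
    if qs.get("scope") != [ALLOWED_SCOPE]:
        return False, "scope must be exactly %r" % ALLOWED_SCOPE
    try:
        head, body, sig = qs["launch"][0].split(".")
    except (KeyError, ValueError):
        return False, "missing or malformed launch token"
    # Recompute with our own algorithm; the token header's alg is never trusted.
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:
        return False, "missing or replayed jti"
    seen_jtis.add(jti)   # remember it so a second launch with the same token is refused
    return True, "ok"
```

The seen-jti set stands in for whatever shared store the receiving application uses; entries can be dropped once the matching exp has passed.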