It feels like a mismatch to use SMART on FHIR for launching: TODO: section on KT2.0

- "Access token" is misleading, as applications use their own authorization and authentication. Use a NOOP token for `access_token`. A second option is to give the application an access token. The last option is risky if it is sent to the browser.
- The second issue is the authorization step, which does not add any meaning: a) the application is already authenticated by the other SMART authorization steps, and b) the user is already authenticated.
- Mode mismatch because of the first point: what does SMART HTI on FHIR add?
- Launch is a GET request; the length of the query parameter is a risk (1024-character limit).
- Information exposure in history and referrer (OWASP issue).
- The launch token needs to be unique: HTI has a JTI, so this is solved.
- Scopes in SMART on FHIR should be ONLY "launch openid".
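The points about a unique JTI, the query-string length and the fixed "launch openid" scope can be shown in a small receiving-side check. The code below is an added example written for this issue; it is not code from the HTI project or the SMART on FHIR specification. It assumes an HS256-signed launch JWT with a constructed demo key (a real deployment would use asymmetric keys), takes the 1024-character limit from the issue text, and treats a repeated `jti` as a replayed launch (for instance one copied out of browser history or a Referer header).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Assumptions for this example: HS256 signing with a constructed key, a
# 1024-character launch URL budget (the figure quoted in the issue), and
# "launch openid" as the only acceptable scope string.
DEMO_KEY = b"constructed-demo-key-not-for-production"
MAX_LAUNCH_URL_LEN = 1024
ALLOWED_SCOPES = frozenset({"launch", "openid"})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_launch_token(claims: dict, key: bytes = DEMO_KEY, ttl: int = 300, now=None) -> str:
    """Mint a launch token; a fresh random jti is added when the caller gives none."""
    now = int(time.time()) if now is None else now
    body = dict(claims)
    body.setdefault("jti", secrets.token_urlsafe(16))
    body.setdefault("iat", now)
    body.setdefault("exp", now + ttl)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_launch_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Check signature, expiry and the presence of jti; return the claims."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the token's own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "jti" not in claims:
        raise ValueError("launch token must carry a jti")
    if claims.get("exp", 0) <= now:
        raise ValueError("launch token expired")
    return claims


class JtiReplayCache:
    """Remember consumed jti values until their token expires, so a launch URL
    replayed from history or a Referer header is rejected the second time."""

    def __init__(self):
        self._seen = {}

    def accept(self, jti: str, exp: int, now=None) -> bool:
        now = int(time.time()) if now is None else now
        # forget entries whose token could no longer pass verify_launch_token anyway
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def build_launch_url(app_launch_url: str, iss: str, launch_token: str) -> str:
    """SMART EHR-launch GET URL; refuse one that exceeds the length budget."""
    url = f"{app_launch_url}?{urlencode({'iss': iss, 'launch': launch_token})}"
    if len(url) > MAX_LAUNCH_URL_LEN:
        raise ValueError(f"launch URL is {len(url)} chars, limit {MAX_LAUNCH_URL_LEN}")
    return url


def scope_is_launch_only(scope: str) -> bool:
    """True only when the requested scope is exactly 'launch openid' (any order)."""
    return sorted(scope.split()) == sorted(ALLOWED_SCOPES)


if __name__ == "__main__":
    token = make_launch_token({"sub": "patient-1", "aud": "https://app.example/launch"})
    claims = verify_launch_token(token)
    cache = JtiReplayCache()
    print("first use accepted:", cache.accept(claims["jti"], claims["exp"]))
    print("replay accepted:   ", cache.accept(claims["jti"], claims["exp"]))
    print(build_launch_url("https://app.example/launch", "https://ehr.example/fhir", token))
```

The replay cache only needs to hold a `jti` for as long as the token's `exp` allows, which is why short lifetimes matter as much as uniqueness: the longer a launch token stays valid, the longer a copy leaked through history or a referrer remains usable.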