[Openid-specs-heart] Fwd: SMART on FHIR security concerns.

Adrian Gropper agropper at healthurl.com
Mon Nov 6 20:59:55 UTC 2017


For our first agenda item today, an example of conversation around FHIR.
See Cerner response below.

Adrian

Forwarded conversation
Subject: SMART on FHIR security concerns.
------------------------

From: Asad Fareed <m.asad.fareed at gmail.com>
Date: Mon, Nov 6, 2017 at 5:29 AM
To: Cerner FHIR Developers <cerner-fhir-developers at googlegroups.com>


Hello team,

Currently I am implementing a SMART on FHIR application by following this
tutorial http://engineering.cerner.com/smart-on-fhir-tutorial.

We have some security concerns regarding the flow. In the tutorial while
registering the app two client URIs are given that are /cerner/launch.html
and /cerner/index.html, launch.html contains the client id.

1- What if another person gets access to the client ID?

2- By fetching data from client app any one can see the fetched data, to
resolve this in the redirect URI I passed my server url instead of
/index.html and try to launch the app but I am getting "The requested
redirect URI does not match the one registered for".

3- Can we pass server urls while registering the app in the launch URI and
redirect URI?

Thanks,
Muhammad Asad.

-- 
You received this message because you are subscribed to the Google Groups
"Cerner FHIR Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to cerner-fhir-developers+unsubscribe at googlegroups.com.
To post to this group, send email to cerner-fhir-developers at googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/cerner-fhir-developers/85ee2050-8728-48d7-89ef-6fe2e4a3cd80%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

----------
From: Kol Kheang (Cerner) <kol.kheang at gmail.com>
Date: Mon, Nov 6, 2017 at 12:47 PM
To: Cerner FHIR Developers <cerner-fhir-developers at googlegroups.com>


Hi Muhammad,

> Currently I am implementing a SMART on FHIR application by following this
> tutorial http://engineering.cerner.com/smart-on-fhir-tutorial.
>
> We have some security concerns regarding the flow. In the tutorial while
> registering the app two client URIs are given that are /cerner/launch.html
> and /cerner/index.html, launch.html contains the client id.
>
> 1- What if another person gets access to the client ID?

SMART on FHIR offers "public" and "confidential" app profile
<http://docs.smarthealthit.org/authorization/> types.  This tutorial app is
a client-side HTML and JavaScript application.  It's using the public app
profile because it cannot keep the secret.  If someone knows the client id
of your application, there is no harm to your application because you've
already registered the "redirect_uri" for this client id. The redirect_uri
is checked by the authorization server and must match exactly for a
successful launch.



> 2- By fetching data from client app any one can see the fetched data, to
> resolve this in the redirect URI I passed my server url instead of
> /index.html and try to launch the app but I am getting "The requested
> redirect URI does not match the one registered for".

In order to see the FHIR data, the app must have been launched
successfully.  This means that the user must have signed in successfully.
Due to the fact that this tutorial app is a client side app, yes, anyone
that is logged in can see the FHIR data.
The error that you've got is due to a mismatch in redirect_uri that I
mentioned above.  The application cannot pass a different redirect_uri than
the one that was registered for the client id for security reasons.

What you're looking for is the confidential client profile.  See this
section on our Authorization doc
<http://fhir.cerner.com/authorization/#registration> to learn more. Note
that confidential client is NOT supported by Cerner's implementation of
SMART on FHIR in production yet.



> 3- Can we pass server urls while registering the app in the launch URI and
> redirect URI?

You can register your launch and redirect URIs for your application.  I
don't understand what you want to do here when you say "pass server urls
while registering".  Can you elaborate on this?


Regardless of which method you choose, both methods use OAuth2 for
authorization, OpenID Connect for authentication and are considered secure.





-- 

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: https://patientprivacyrights.org/donate-3/
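
The exact redirect_uri check described in the Cerner reply above, as an added example that is not part of the original thread and is not Cerner's code. The client id, host names, error codes and function names are constructed for illustration; the prefix rule is included only to show what exact matching rules out.

```javascript
// Added example. Client id, hosts and error codes are constructed placeholders.
const REGISTERED_CLIENTS = new Map([
  ["example-client-id", {
    profile: "public", // browser app: holds no client secret
    redirectUris: ["https://app.example.org/cerner/index.html"],
  }],
]);

// Authorization-server side: accept only a character-for-character match
// with a URI registered for this client id.
function validateAuthorizeRequest({ client_id, redirect_uri }) {
  const client = REGISTERED_CLIENTS.get(client_id);
  if (!client) return { ok: false, error: "unknown_client" };
  if (typeof redirect_uri !== "string" || !client.redirectUris.includes(redirect_uri)) {
    // Do not redirect to an unverified URI; report the error on the server's own page.
    return { ok: false, error: "redirect_uri_mismatch" };
  }
  return { ok: true, sendCodeTo: redirect_uri };
}

// Looser rule shown for contrast only: treats the registered URI as a prefix.
function prefixRuleAccepts({ client_id, redirect_uri }) {
  const client = REGISTERED_CLIENTS.get(client_id);
  return Boolean(client) && typeof redirect_uri === "string" &&
    client.redirectUris.some((u) => redirect_uri.startsWith(u));
}

// Constructed authorization requests.
const SAMPLE_REQUESTS = [
  { label: "registered URI", client_id: "example-client-id",
    redirect_uri: "https://app.example.org/cerner/index.html" },
  { label: "known client id, different server URL", client_id: "example-client-id",
    redirect_uri: "https://server.example.net/callback" },
  { label: "registered URI with extra suffix", client_id: "example-client-id",
    redirect_uri: "https://app.example.org/cerner/index.html?next=elsewhere" },
  { label: "unregistered client id", client_id: "someone-else",
    redirect_uri: "https://app.example.org/cerner/index.html" },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((req) => ({
    label: req.label,
    exact: validateAuthorizeRequest(req),
    prefixRule: prefixRuleAccepts(req),
  }));
}

for (const r of runSamples()) {
  console.log(`${r.label}: exact=${r.exact.ok ? "accepted" : r.exact.error}, prefix rule=${r.prefixRule}`);
}
```

Knowing the client id alone gets a request no further than the second sample: the authorization code is only ever sent to the registered URI.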