<div dir="ltr">For our first, agenda item today, an example of conversation around FHIR. See Cerner response below.<div><br></div><div>Adrian<br><div><br><div class="gmail_quote"><span style="font-size:large;font-weight:bold">Forwarded conversation</span><br>Subject: <b class="gmail_sendername">SMART on FHIR security concerns.</b><br>------------------------<br><br><span class="gmail_quote"><font color="#888">From: <b class="gmail_sendername">Asad Fareed</b> <span dir="ltr"><<a href="mailto:m.asad.fareed@gmail.com">m.asad.fareed@gmail.com</a>></span><br>Date: Mon, Nov 6, 2017 at 5:29 AM<br>To: Cerner FHIR Developers <<a href="mailto:cerner-fhir-developers@googlegroups.com">cerner-fhir-developers@googlegroups.com</a>><br></font><br></span><br><div dir="ltr">Hello team,<div><br></div><div>Currently I am implementing smart on fhir application by following this tutorial <a href="http://engineering.cerner.com/smart-on-fhir-tutorial" target="_blank">http://engineering.<wbr>cerner.com/smart-on-fhir-<wbr>tutorial</a>.</div><div><br></div><div>We have some security concerns regarding the flow. In the tutorial while registering the app two client URI are given that are /cerner/launch.html and /cerner/index.html, launch.html contains the client id.</div><div><br></div><div>1- What if other person gets access to the client ID.</div><div><br></div><div>2- By fetching data from client app any one can see the fetched data, to resolve this in the redirect URI I passed my server url instead of /index,html and try to launch the app but I am getting "The requested redirect URI does not match the one registered for".</div><div><br></div><div>3- can we pass server urls while registering the app in the launch URI and redirect URI.</div><div><br></div><div>Thanks,</div><div>Muhammad Asad.</div></div><span class="HOEnZb"><font color="#888888">
<p></p>
-- <br>
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:cerner-fhir-developers+unsubscribe@googlegroups.com" target="_blank">cerner-fhir-developers+<wbr>unsubscribe@googlegroups.com</a>.<br>
To post to this group, send email to <a href="mailto:cerner-fhir-developers@googlegroups.com" target="_blank">cerner-fhir-developers@<wbr>googlegroups.com</a>.<br>
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/cerner-fhir-developers/85ee2050-8728-48d7-89ef-6fe2e4a3cd80%40googlegroups.com?utm_medium=email&utm_source=footer" target="_blank">https://groups.google.com/d/<wbr>msgid/cerner-fhir-developers/<wbr>85ee2050-8728-48d7-89ef-<wbr>6fe2e4a3cd80%40googlegroups.<wbr>com</a>.<br>
For more options, visit <a href="https://groups.google.com/d/optout" target="_blank">https://groups.google.com/d/<wbr>optout</a>.<br>
</font></span><br>----------<br><span class="gmail_quote"><font color="#888">From: <b class="gmail_sendername">Kol Kheang (Cerner)</b> <span dir="ltr"><<a href="mailto:kol.kheang@gmail.com">kol.kheang@gmail.com</a>></span><br>Date: Mon, Nov 6, 2017 at 12:47 PM<br>To: Cerner FHIR Developers <<a href="mailto:cerner-fhir-developers@googlegroups.com">cerner-fhir-developers@googlegroups.com</a>><br></font><br></span><br><div>Hi Muhammad,</div><span class=""><div><br></div><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Currently I am implementing smart on fhir application by following this tutorial <a href="http://engineering.cerner.com/smart-on-fhir-tutorial" rel="nofollow" target="_blank">http://engineering.ce<wbr>rner.com/smart-on-fhir-tutoria<wbr>l</a>.</div><div><br></div><div>We have some security concerns regarding the flow. In the tutorial while registering the app two client URI are given that are /cerner/launch.html and /cerner/index.html, launch.html contains the client id.</div><div><br></div><div>1- What if other person gets access to the client ID.</div><div><br></div></div></blockquote></span><div>SMART on FHIR offers "public" and "confidential" <a href="http://docs.smarthealthit.org/authorization/" target="_blank">app profile</a> types. This tutorial app is a client-side HTML and JavaScript application. It's using the public app profile because it cannot keep the secret. If someone knows the client id of your application, there is no harm to your application because you've already registered the "redirect_uri" for this client id. The redirect_uri is checked by the authorization server and must match exactly for a successful launch.</div><span class=""><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div></div><div>2- By fetching data from client app any one can see the fetched data, to resolve this in the redirect URI I passed my server url instead of /index,html and try to launch the app but I am getting "The requested redirect URI does not match the one registered for".</div><div><br></div></div></blockquote></span><div>In order to see the FHIR data, the app must have been launched successfully. This means that the user must have signed in successfully. Due to the fact that this tutorial app is a client side app, yes, anyone that is logged in can see the FHIR data.</div><div>The error that you've got is due to a mismatched in redirect_uri that I mentioned above. The application cannot pass a different redirect_uri than the one that was registered for the client id for security reasons. </div><div><br></div><div>What you're looking for is the confidential client profile. See this section on our <a href="http://fhir.cerner.com/authorization/#registration" target="_blank">Authorization doc</a> to learn more. Note that confidential client is NOT supported by Cerner's implementation of SMART on FHIR in production yet.</div><span class=""><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div></div><div>3- can we pass server urls while registering the app in the launch URI and redirect URI.</div><div><br></div></div></blockquote></span><div>You can register your launch and redirect URIs for your application. I don't understand what you want to do here when you say "pass server urls while registering". Can you elaborate on this? </div><div><br></div><div><br></div><div>Regardless of which method you choose, both methods use OAuth2 for authorization, OpenID Connect for authentication and are considered secure.</div><span class="">
<p></p>
-- <br>
You received this message because you are subscribed to the Google Groups "Cerner FHIR Developers" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:cerner-fhir-developers+unsubscribe@googlegroups.com" target="_blank">cerner-fhir-developers+<wbr>unsubscribe@googlegroups.com</a>.<br>
To post to this group, send email to <a href="mailto:cerner-fhir-developers@googlegroups.com" target="_blank">cerner-fhir-developers@<wbr>googlegroups.com</a>.<br></span>
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/cerner-fhir-developers/104bb99d-0e50-47a5-82cf-eac2693c96a4%40googlegroups.com?utm_medium=email&utm_source=footer" target="_blank">https://groups.google.com/d/<wbr>msgid/cerner-fhir-developers/<wbr>104bb99d-0e50-47a5-82cf-<wbr>eac2693c96a4%40googlegroups.<wbr>com</a>.<div class="HOEnZb"></div><br></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br><div dir="ltr">Adrian Gropper MD<span style="font-size:11pt"></span><br><br><span style="font-family:"Arial",sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>HELP us fight for the right to control personal health data.</span></div><div dir="ltr"><span style="color:rgb(31,73,125);font-family:Arial,sans-serif;font-size:10pt">DONATE: </span><span style="font-family:Arial,sans-serif;font-size:10pt;color:blue"><a href="https://patientprivacyrights.org/donate-3/" style="color:rgb(17,85,204)" target="_blank">https://patientprivacyrights.org/donate-3/</a></span></div></div></div></div></div></div></div></div></div>
</div></div></div>