
FI-3161: ID Token #24

Merged: 5 commits merged into main from fi-3161-id-token, Nov 5, 2024

Conversation

@tstrass (Contributor) commented Oct 23, 2024

Summary

  • Add support for openid and fhirUser scopes.
  • Return an ID Token in addition to access token. I followed this spec.
    • I chose to always return the ID token, regardless of whether the SUT requested the openid and fhirUser scopes. This is because it would add complexity to check which scopes they requested, and I didn't see any harm in always returning an ID Token.

      Update: I added consideration of OpenID scopes to avoid potentially misleading the tester: 221eaf1

    • This just hard codes in the Practitioner from the DTR bundle on the reference server

    • This doesn't mock any kind of identity provider

  • Expose a new JWKS endpoint, in case the client needs to verify the ID token signature to function.

Testing Guidance

  • Exercise the SMART App suite's authorization steps, including fetching the smart configuration, fetching the JWKS, making an authorize request, and making a token request
  • Run against the SMART App Launch test kit
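The flow this PR describes, as an added worked example (not code from this PR or from the reference server): the server side mints an RS256 ID token only when the granted scope string contains openid and adds the fhirUser claim only when fhirUser was granted, the public key is exposed in JWK form as a JWKS endpoint would serve it, and the client side verifies the token against that JWKS before trusting the claims. Everything here is Go standard library. The issuer URL, client id, kid and Practitioner reference are constructed placeholders, and aud is assumed to be a single string (OIDC also allows an array, which this example does not handle).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWS and JWK both use base64url without padding.
var b64 = base64.RawURLEncoding

// JWKFor is what the JWKS endpoint serves: the public half only, tagged with the kid the token header carries.
func JWKFor(pub *rsa.PublicKey, kid string) map[string]string {
	return map[string]string{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// MintIDToken (server side) returns "" unless the granted scope string contains openid, and adds
// the fhirUser claim (absolute FHIR URL of the user's resource) only when fhirUser was also granted.
func MintIDToken(priv *rsa.PrivateKey, kid, issuer, clientID, sub, fhirUser, scope string,
	now time.Time) (string, error) {
	granted := " " + strings.Join(strings.Fields(scope), " ") + " "
	if !strings.Contains(granted, " openid ") {
		return "", nil
	}
	claims := map[string]any{"iss": issuer, "aud": clientID, "sub": sub,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix()}
	if strings.Contains(granted, " fhirUser ") {
		claims["fhirUser"] = fhirUser
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// IDClaims: JSON matching is case-insensitive, so FhirUser binds "fhirUser". aud is assumed
// to be a single string (OIDC also allows an array, which this example does not handle).
type IDClaims struct {
	Iss, Aud, Sub, FhirUser string
	Exp                     int64
}

// VerifyIDToken (client side): pin alg, select the key by kid from the JWKS, verify, then check iss/aud/exp.
func VerifyIDToken(token string, jwks []map[string]string, issuer, clientID string,
	now time.Time) (*IDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS")
	}
	var hdr struct{ Alg, Kid string }
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejecting header alg %q: only RS256 accepted", hdr.Alg) // blocks alg=none and HS256 key confusion
	}
	var pub *rsa.PublicKey // the key comes only from the JWKS, never from a jwk/x5c header inside the token
	for _, k := range jwks {
		nb, errN := b64.DecodeString(k["n"])
		eb, errE := b64.DecodeString(k["e"])
		if k["kty"] == "RSA" && k["kid"] == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify under the JWKS key")
	}
	var c IDClaims
	pb, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil || c.Iss != issuer || c.Aud != clientID || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := "https://ehr.example/fhir" // constructed placeholder issuer, not a real server
	tok, _ := MintIDToken(priv, "k1", iss, "dtr-app", "practitioner-1", iss+"/Practitioner/1", "openid fhirUser launch/patient", time.Now())
	claims, err := VerifyIDToken(tok, []map[string]string{JWKFor(&priv.PublicKey, "k1")}, iss, "dtr-app", time.Now())
	fmt.Println(claims, err)
}
```

In the real flow the client would obtain the JWKS document by fetching the jwks_uri advertised in the server's smart configuration; here it is passed in directly. The three things worth checking on the verifying side are the ones a test kit is likely to probe: the algorithm is pinned to what the JWKS advertises rather than read from the token, the key is chosen by kid from the JWKS and never from the token itself, and iss, aud and exp are checked after the signature, so a valid token for another client or a stale token is still rejected.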

@tstrass tstrass requested a review from karlnaden October 23, 2024 22:33
@tstrass tstrass self-assigned this Oct 23, 2024
@tstrass (Contributor, Author) commented Oct 30, 2024

Pushed two commits to fix and improve various things with OpenID and verified with the SMART Launch test kit.

Ready for review again @karlnaden

@karlnaden (Contributor) commented:

I need better instructions for how to run this using the postman collection. Specifically, the authorize and token requests I wasn't able to get to work.

@karlnaden left a review comment:

see comments

@tstrass (Contributor, Author) commented Nov 4, 2024

> I need better instructions for how to run this using the postman collection. Specifically, the authorize and token requests I wasn't able to get to work.

@karlnaden In what way were they not working? You should only need to set the base_url variable and then send the requests when the suite is in a wait. If you saw a 404 on the Authorize request(s), that's just because the response to Authorize is a redirect, and Postman attempts to follow the redirect. You can see the 302 if you look in the console.

@tstrass tstrass requested a review from karlnaden November 4, 2024 14:27
@tstrass tstrass merged commit 95f3574 into main Nov 5, 2024
3 checks passed
@tstrass tstrass deleted the fi-3161-id-token branch November 5, 2024 21:35
@rpassas rpassas mentioned this pull request Nov 7, 2024