IHE / ITI.IUA

ITI Domain - Internet User Authorization (IUA) profile
Creative Commons Attribution 4.0 International

3.72.5.1 Security Audit Considerations - aud #81

Open JohnMoehrke opened 2 years ago

JohnMoehrke commented 2 years ago

In section 3.72.5.1 Security Audit Considerations

the following is stated

alias""user"@"issuer""

where:

- alias shall match the JWT token's "aud" parameter
- user shall match the JWT token's "sub" parameter
- issuer shall match the JWT token's "iss" parameter

I am unclear why the "aud" parameter is included. And what would happen if the aud is multiple servers?

Note that for SAML the "alias" was the property from the SAML assertion that contained the human readable name of the user. That is nothing like the OAuth "aud" parameter.

Recommend that for similar "alias" in IUA OAuth, the ihe_iua:subject_name be used as the alias.

Further note that the method of making a string is not as useful when using FHIR AuditEvent.
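The following is an added example, not code from the issue or from the IUA profile, to make the two points above concrete: it builds the audit user identifier from JWT claims once with "aud" as the alias and once with the IUA subject name, and shows what happens when "aud" is multi-valued. Assumptions: the identifier is rendered as `alias<user@issuer>` (the exact delimiters in the quoted spec text are not legible here); the subject name lives at `extensions.ihe_iua.subject_name` in the claims; the JWT is decoded without signature verification because a real audit recorder would only see tokens that the resource server has already validated; the sample token is constructed, and the FHIR AuditEvent.agent layout at the end is a sketch of a structured alternative, not BALP's normative mapping.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Assumption: the token was already signature-checked by the resource server;
    this helper deliberately does no verification and must not be the only gate.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test fixture only: an alg=none token with an empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def alias_from_aud(claims: dict):
    """The rule as quoted: alias = 'aud'. Returns None when 'aud' is multi-valued,
    because the quoted text gives no way to pick one audience for the alias."""
    aud = claims.get("aud")
    if isinstance(aud, list):
        return aud[0] if len(aud) == 1 else None
    return aud


def alias_from_subject_name(claims: dict):
    """The recommended rule: alias = ihe_iua subject_name (assumed claim path)."""
    return claims.get("extensions", {}).get("ihe_iua", {}).get("subject_name")


def audit_user_id(claims: dict, alias_picker=alias_from_subject_name) -> str:
    """Render the audit user identifier as alias<user@issuer> (assumed delimiters)."""
    alias = alias_picker(claims)
    if alias is None:
        raise ValueError("no single alias available from the token: %r" % claims.get("aud"))
    return f"{alias}<{claims['sub']}@{claims['iss']}>"


def audit_agent(claims: dict) -> dict:
    """Structured alternative for a FHIR AuditEvent.agent (sketch, not BALP's mapping):
    sub and iss stay separate fields instead of being concatenated into one string."""
    return {
        "who": {
            "identifier": {"system": claims["iss"], "value": claims["sub"]},
            "display": alias_from_subject_name(claims),
        },
        "requestor": True,
    }


# Constructed sample: a token scoped to two resource servers at once.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.org",
    "sub": "u123",
    "aud": ["https://rs1.example.org", "https://rs2.example.org"],
    "extensions": {"ihe_iua": {"subject_name": "Dr. Jane Doe"}},
}

if __name__ == "__main__":
    claims = jwt_claims(make_unsigned_jwt(SAMPLE_CLAIMS))
    print("subject_name rule:", audit_user_id(claims))
    try:
        print("aud rule:", audit_user_id(claims, alias_from_aud))
    except ValueError as exc:
        print("aud rule fails:", exc)
    print("AuditEvent.agent:", json.dumps(audit_agent(claims)))
```

With the multi-audience sample, the subject_name rule yields a stable identifier while the aud rule has no single value to use, which is the ambiguity the question above points at.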

JohnMoehrke commented 11 months ago

If we revise IUA, we should evaluate if IUA should simply refer to BALP profiling of AuditEvent for OAuth.