onc-healthit / onc-certification-g10-test-kit

ONC Certification (g)(10) Standardized API Tests
Apache License 2.0

9.4 Invalid AUD Test #438

Closed garyisaac closed 1 year ago

garyisaac commented 1 year ago

The Invalid AUD Test states that there is no expectation that the authorization service redirects the user back to Inferno with an error message (pasted below). We are trying to understand the implementation workflow for compliance verification, since SMART on FHIR does not have this use case.

The implementation we are looking at does the following:

> The Invalid AUD Sequence verifies that a SMART Launch Sequence, specifically the Standalone Launch Sequence, does not work in the case where the client sends an invalid FHIR server as the aud parameter during launch. This must fail to ensure that a genuine bearer token is not leaked to a counterfeit resource server.
>
> This test is not included as part of a regular SMART Launch Sequence because it requires the browser of the user to be redirected to the authorization service, and there is no expectation that the authorization service redirects the user back to Inferno with an error message. The only requirement is that Inferno is not granted a code to exchange for a valid access token. Since this is a special case, it is tested independently in a separate sequence.
>
> Note that this test will launch a new browser window. The user is required to 'Attest' in the Inferno user interface after the launch does not succeed, if the server does not return an error code.

Thank you! Gary

Jammjammjamm commented 1 year ago

This does seem like an issue, and we will investigate.

arscan commented 1 year ago

While the spec might be vague on this point, the expectation is that the authorization server knows what resource servers it can provide authorization services for, as described by Josh here: https://groups.google.com/g/smart-on-fhir/c/752doUYQcTc/m/sj1Rw907AAAJ

I'll close this based on that google groups response -- if others have a problem with this expectation it is probably best addressed explicitly in the spec.
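The expectation arscan describes is that the authorization server keeps its own list of the FHIR resource servers it issues tokens for and refuses to hand out an authorization code when the `aud` a client sends during a standalone launch does not match one of them. The following Ruby sketch is an added illustration of that server-side check; it is not code from this thread, from the Inferno test kit, or from any particular EHR. The `KNOWN_FHIR_SERVERS` list, the `normalize_fhir_base`, `aud_allowed?` and `authorize` helpers, and the example URLs are all constructed for the example.

```ruby
require 'uri'
require 'securerandom'

# Constructed example: the FHIR base URLs this authorization server is
# willing to issue tokens for. A real server would load these from its
# configuration rather than hard-code them.
KNOWN_FHIR_SERVERS = [
  'https://ehr.example.org/fhir',
  'https://ehr.example.org/fhir/r4/'
].freeze

# Canonicalize a candidate aud value so it can be compared exactly against
# the registered base URLs: lowercase scheme and host, drop a default port
# and any trailing slashes. Returns nil when the value is not an absolute
# http(s) URL or carries a query string or fragment, since a FHIR base URL
# never has either.
def normalize_fhir_base(value)
  uri = URI.parse(value.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  return nil if uri.query || uri.fragment

  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  path = uri.path.sub(%r{/+\z}, '')
  "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{path}"
rescue URI::InvalidURIError
  nil
end

# True only when the aud, after canonicalization, is exactly one of the
# resource servers this authorization server fronts. Prefix or substring
# matches are deliberately not accepted.
def aud_allowed?(aud, known = KNOWN_FHIR_SERVERS)
  normalized = normalize_fhir_base(aud)
  return false if normalized.nil?

  known.map { |u| normalize_fhir_base(u) }.include?(normalized)
end

# Simulated /authorize decision for a standalone launch request. The result
# carries either an authorization code or an OAuth error, never both, which
# is the behaviour the Invalid AUD test checks for: no code for a bad aud.
def authorize(params, known = KNOWN_FHIR_SERVERS)
  unless aud_allowed?(params['aud'], known)
    return {
      error: 'invalid_request',
      error_description: 'aud does not name a resource server this authorization server serves'
    }
  end

  { code: SecureRandom.hex(16) }
end

if __FILE__ == $PROGRAM_NAME
  p authorize('aud' => 'https://ehr.example.org/fhir')
  p authorize('aud' => 'https://counterfeit.example.net/fhir')
end
```

Whether the server then redirects back with `error=invalid_request` or simply stops at its own error page is the part the test leaves open; the check above is what has to hold either way.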