smart-on-fhir / client-js

JavaScript client for FHIR

Required parameter to token request is missing code_verifier parameter using version 2.5.3 #189

Open datasmithtechgrp opened 4 weeks ago

datasmithtechgrp commented 4 weeks ago

Describe the bug

According to https://build.fhir.org/ig/HL7/smart-app-launch/app-launch.html#obtain-access-token, the following parameter is required:

code_verifier (required): This parameter is used to verify against the code_challenge parameter previously provided in the authorize request.

It was not present in the token request, and the request was rejected as Bad Request.

To Reproduce

Followed standard FHIR authorization workflow to connect to our deployed FHIR server.

Steps to reproduce the behavior (note: the server is closed).

FHIR:oauth2 key: Jw*** common.js:113
FHIR:oauth2 Removed code parameter from the url. +2s common.js:113
FHIR:oauth2 Removed state parameter from the url. +0ms common.js:113
FHIR:oauth2 Preparing to exchange the code for access token... +0ms common.js:113
FHIR:oauth2 Public client detected; adding state.clientId to the POST body +1ms common.js:113
FHIR:oauth2 Token request options:

body : "code=b7d**&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fredirect&client_id=patient-summary-ap

Expected behavior

As per the specification, the code_verifier parameter should have been present in the request.

Screenshots

[Three screenshots attached: 2024-08-15 at 12:40:04, 09:04:27 and 09:03:12]

datasmithtechgrp commented 4 weeks ago

Mac OS on the client, using Chrome. The FHIR server is Smile CDR deployed on AWS.

vlad-ignatov commented 2 weeks ago

Unfortunately the IG only describes the latest and greatest version that implementers should aim at. In this case we cannot "require" the use of PKCE-related parameters before we know that we are dealing with a server that supports PKCE. In fact, we want the client to explicitly declare that it wants to use it. That said, what you can try is:

  1. Add pkceMode: "required" to your authorize call
  2. Make sure your server declares S256 in its code_challenge_methods_supported (https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html)
  3. Then, if your server supports PKCE, you should receive a code_verifier after a successful authorize and it should be re-sent in the token request

Let me know if that helps.