
Required parameter to token request is missing code_verifier parameter using version 2.5.3

Open datasmithtechgrp opened this issue 1 year ago • 3 comments

Describe the bug

According to https://build.fhir.org/ig/HL7/smart-app-launch/app-launch.html#obtain-access-token, the following parameter is required:

code_verifier (required): This parameter is used to verify against the code_challenge parameter previously provided in the authorize request.

It was not present in the token request, and the request was rejected as Bad Request.

To Reproduce

Followed standard FHIR authorization workflow to connect to our deployed FHIR server (server is closed).

Debug log from the client:

FHIR:oauth2 key: Jw***
common.js:113 FHIR:oauth2 Removed code parameter from the url. +2s
common.js:113 FHIR:oauth2 Removed state parameter from the url. +0ms
common.js:113 FHIR:oauth2 Preparing to exchange the code for access token... +0ms
common.js:113 FHIR:oauth2 Public client detected; adding state.clientId to the POST body +1ms
common.js:113 FHIR:oauth2 Token request options:

body : "code=b7d**&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fredirect&client_id=patient-summary-ap

Expected behavior: as per the specification, the code_verifier parameter should have been present in the request.

Screenshots: three screenshots dated 2024-08-15 were attached.


datasmithtechgrp, Aug 15 '24 17:08

Mac OS on client using Chrome. FHIR server is Smile CDR deployed on AWS.

datasmithtechgrp, Aug 15 '24 17:08

Unfortunately the IG only describes the latest and greatest version that implementers should aim at. In this case we cannot "require" the use of PKCE-related parameters before we know that we are dealing with a server that supports PKCE. In fact, we want the client to explicitly declare that it wants to use it. That said, what you can try is:

  1. Add pkceMode: "required" to your authorize call
  2. Make sure your server declares S256 in its code_challenge_methods_supported (https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html)
  3. Then, if your server supports PKCE you should receive a code_verifier after successful authorize and it should be re-sent in the token request

Let me know if that helps.

vlad-ignatov, Aug 26 '24 19:08

@vlad-ignatov - a third-party developer we (Oracle) work with may have encountered this same issue.

@datasmithtechgrp - can you confirm that your issue was as follows?

  • fhir-client sends code_challenge in authorization request
  • fhir-client doesn't send code verifier in token request

whitehatguy, Apr 24 '25 21:04