3.72.5.1 Security Audit Considerations - aud #81

Open
JohnMoehrke opened this issue Nov 24, 2021 · 1 comment
Labels: enhancement (New feature or request), low priority

Comments

@JohnMoehrke

In section 3.72.5.1 Security Audit Considerations

the following is stated

alias"<"user"@"issuer">"

where:

alias shall match the JWT token's "aud" parameter
user shall match the JWT token's "sub" parameter
issuer shall match the JWT token's "iss" parameter

I am unclear why the "aud" parameter is included. And what would happen if the aud is multiple servers?

Note that for SAML the "alias" was the property from the SAML assertion that contained the human readable name of the user. That is nothing like the OAuth "aud" parameter.

Recommend that for similar "alias" in IUA OAuth, the ihe_iua:subject_name be used as the alias.

Further note that the method of making a string is not as useful when using FHIR AuditEvent.
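An added example, not part of the issue or of the IUA text, comparing the two alias choices discussed above when building the `alias<user@issuer>` string from already-validated JWT claims. The function names, the sample claims and the `extensions` / `ihe_iua` / `subject_name` claim layout are assumptions of this example.

```python
# Added example (not from the issue or the IUA text): audit user id
# "alias<user@issuer>" built from already-validated JWT claims.

def aud_values(claims):
    """RFC 7519: "aud" is either one string or an array of strings."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)

def subject_name(claims):
    # Assumption: the claim sits at extensions -> ihe_iua -> subject_name.
    return claims.get("extensions", {}).get("ihe_iua", {}).get("subject_name", "")

def user_id_with_aud_alias(claims):
    """alias = "aud", as section 3.72.5.1 is quoted in the issue."""
    auds = aud_values(claims)
    if len(auds) != 1:
        # With several audiences there is no single value to use as alias.
        raise ValueError(f'"aud" carries {len(auds)} values, alias is ambiguous')
    return f'{auds[0]}<{claims["sub"]}@{claims["iss"]}>'

def user_id_with_name_alias(claims):
    """alias = ihe_iua:subject_name, as the issue recommends."""
    # Assumption: an absent subject_name yields an empty alias.
    return f'{subject_name(claims)}<{claims["sub"]}@{claims["iss"]}>'

# Constructed sample claims (not real tokens or endpoints).
SINGLE_AUD = {
    "iss": "https://as.example.org",
    "sub": "u1234",
    "aud": "https://fhir.example.org",
    "extensions": {"ihe_iua": {"subject_name": "Dr. Jane Doe"}},
}
MULTI_AUD = {**SINGLE_AUD,
             "aud": ["https://fhir.example.org", "https://xds.example.org"]}

if __name__ == "__main__":
    for claims in (SINGLE_AUD, MULTI_AUD):
        print(user_id_with_name_alias(claims))
        try:
            print(user_id_with_aud_alias(claims))
        except ValueError as exc:
            print("rejected:", exc)
```

With a single audience the "aud" alias names the resource server rather than the user; with two audiences it cannot be formed at all, while the subject_name alias is unaffected.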

@JohnMoehrke

If we revise IUA, we should evaluate if IUA should simply refer to BALP profiling of AuditEvent for OAuth.

JohnMoehrke added the enhancement and low priority labels on Oct 25, 2023