You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 23, 2024. It is now read-only.
I just realized this is a behavior the S4S Test Suite never checked for -- but it's important for API providers to get right to prevent certain attacks (i.e., a malicious server whose /metadata claims association with a legitimate authorization server).
The text was updated successfully, but these errors were encountered:
Is the behavior of the authorization server well-specified in standards in this error case? By my reading of the Error Response portion of OAuth 2.0 spec, it seems that a compliant behavior would be to redirect the client browser to the redirect URI (since it isn't an issue with the redirect URI or client id), with an error param that matches one of the legal values, and a state param.
Since the aud param was added by the SMART App Launch Framework spec from what I can tell (not seeing it in OAuth 2.0 spec), it isn't clear what that error code must be though. Looks like the SMART App Launcher passes error=bad_audience&error_description=Bad%20audience%20value, though that error value isn't technically valid according to the OAuth 2.0 spec. It is also missing the state parameter, which is problematic for Inferno as a client because that is how we reattach users to a running test session.
I think your assessment is correct and that the SMART launcher needs some work to ensure that it is compliant (and as far as the launcher goes, there are some intentionally strange behaviors, like we don't validate client secrets for example).
The key issue is to make sure that a server does not issue a token if a correct aud wasn't supplied.
I just realized this is a behavior the S4S Test Suite never checked for -- but it's important for API providers to get right to prevent certain attacks (i.e., a malicious server whose
/metadata
claims association with a legitimate authorization server).The text was updated successfully, but these errors were encountered: