PKCE support for public SMART client authorization code flow #467
Comments
|
I think this is worth adding. We'd have to think a little bit about how it aligns with the SMART Spec from a conformance perspective though. I'm pretty sure that an authorization server that only supports the PKCE method for public clients is not conformant to the |
|
Thanks @arscan for the reply, this is a good question, I feel like PKCE is a blur area for |
|
Found this thread a year and a half later, looks to me like PKCE is now required. Is there any chance support for PKCE has been added already or that this enhancement request will get some more attention? "All SMART apps SHALL support Proof Key for Code Exchange (PKCE). PKCE is a standardized, cross-platform technique for clients to mitigate the threat of authorization code interception or injection. PKCE is described in IETF RFC 7636. SMART servers SHALL support the S256 code_challenge_method and SHALL NOT support the plain method." http://www.hl7.org/fhir/smart-app-launch/app-launch.html#considerations-for-pkce-support |
Is your feature request related to a problem? Please describe it.
Our OAuth2 Vender only supports public application Authorization Code flow with PKCE support, which could help mitigate the threat of having the authorization code intercepted.
So in order for us to test SMART on FHIR EHR Launch with Public Client, would love to have PKCE option from inferno
Describe the solution you'd like to see implemented
We created a similar issue for the smart-on-fhir/client-js. Which included a forked version of the client-js that we currently use internally.
The implementation of the PKCE flow is standard based on the spec
Describe alternatives you've considered
We currently can only test EHR Launch using a Confidential Client
The text was updated successfully, but these errors were encountered: