
Required parameter to token request is missing code_verifier parameter using version 2.5.3 #189

Open
datasmithtechgrp opened this issue Aug 15, 2024 · 2 comments

Comments

@datasmithtechgrp

Describe the bug
According to https://build.fhir.org/ig/HL7/smart-app-launch/app-launch.html#obtain-access-token, the following parameter is required:

code_verifier required This parameter is used to verify against the code_challenge parameter previously provided in the authorize request.

It was not present in the token request, and the request was rejected as Bad Request.

To Reproduce

Followed standard FHIR authorization workflow to connect to our deployed FHIR server.

server is closed

FHIR:oauth2 key: Jw***
common.js:113 FHIR:oauth2 Removed code parameter from the url. +2s
common.js:113 FHIR:oauth2 Removed state parameter from the url. +0ms
common.js:113 FHIR:oauth2 Preparing to exchange the code for access token... +0ms
common.js:113 FHIR:oauth2 Public client detected; adding state.clientId to the POST body +1ms
common.js:113 FHIR:oauth2 Token request options:

body: "code=b7d**&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fredirect&client_id=patient-summary-ap

Expected behavior
As per the specification, the code_verifier parameter should have been present in the request.

Screenshots
Screenshot 2024-08-15 at 12 40 04
Screenshot 2024-08-15 at 09 04 27
Screenshot 2024-08-15 at 09 03 12


@datasmithtechgrp
Author

Mac OS on client using Chrome
FHIR server is Smile CDR deployed on AWS

@vlad-ignatov
Collaborator

Unfortunately the IG only describes the latest and greatest version that implementers should aim at.
In this case we cannot "require" the use of PKCE-related parameters before we know that we are dealing with a server that supports PKCE. In fact, we want the client to explicitly declare that it wants to use it. That said, what you can try is:

  1. Add pkceMode: "required" to your authorize call
  2. Make sure your server declares S256 in its code_challenge_methods_supported (https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html)
  3. Then, if your server supports PKCE you should receive a code_verifier after successful authorize and it should be re-sent in the token request

Let me know if that helps.
