This page is part of the Security for Scalable Registration, Authentication, and Authorization (v1.0.0: STU 1) based on FHIR R4. This is the current published version in its permanent home (it will always be available at this URL). For a full list of available versions, see the Directory of published versions
The requirements in this section are applicable to both consumer-facing and B2B apps and the servers that support them.
Before FHIR data requests can be made, Client application operators SHALL register each of their applications with the Authorization Servers identified by the FHIR servers with which they wish to exchange data. Client applications SHALL use the client_id assigned by an Authorization Server in subsequent authorization and token requests to that server.
Authorization Servers SHALL support dynamic registration as specified in the UDAP Dynamic Client Registration profile with the additional options and constraints defined in this guide. Confidential clients that can secure a secret MAY use this dynamic client registration protocol as discussed further below to obtain a client_id
. Other client types SHOULD follow the manual registration processes for each Authorization Server. Future versions of this guide may add support for dynamic client registration by public clients which cannot protect a private key.
The dynamic registration workflow is summarized in the following diagram:
To register dynamically, the client application first constructs a software statement as per section 2 of UDAP Dynamic Client Registration.
The software statement SHALL contain the required header elements specified in Section 1.2.3 of this guide and the JWT claims listed in the table below. The software statement SHALL be signed by the client application operator using the signature algorithm identified in the alg
header of the software statement and with the private key that corresponds to the public key listed in the client’s X.509 certificate identified in the x5c
header of the software statement.
Software Statement JWT Claims | ||
---|---|---|
iss |
required |
Issuer of the JWT -- unique identifying client URI. This SHALL match the value of a uniformResourceIdentifier entry in the Subject Alternative Name extension of the client's certificate included in the x5c JWT header
|
sub |
required |
Same as iss . In typical use, the client application will not yet have a client_id from the Authorization Server
|
aud |
required | The Authorization Server's "registration URL" (the same URL to which the registration request will be posted) |
exp |
required |
Expiration time integer for this software statement, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC). The exp time SHALL be no more than 5 minutes after the value of the iat claim.
|
iat |
required | Issued time integer for this software statement, expressed in seconds since the "Epoch" |
jti |
required |
A nonce string value that uniquely identifies this software statement. This value SHALL NOT be reused by the client app in another software statement or authentication JWT before the time specified in the exp claim has passed
|
client_name |
required | A string containing the human readable name of the client application |
redirect_uris |
conditional |
An array of one or more redirection URIs used by the client application. This claim SHALL be present if grant_types includes "authorization_code" and this claim SHALL be absent otherwise. Each URI SHALL use the https scheme.
|
contacts |
required |
An array of URI strings indicating how the data holder can contact the app operator regarding the application. The array SHALL contain at least one valid email address using the mailto scheme, e.g.["mailto:operations@example.com"]
|
logo_uri |
conditional |
A URL string referencing an image associated with the client application, i.e. a logo. If grant_types includes "authorization_code" , client applications SHALL include this field, and the Authorization Server MAY display this logo to the user during the authorization process. The URL SHALL use the https scheme and reference a PNG, JPG, or GIF image file, e.g. "https://myapp.example.com/MyApp.png"
|
grant_types |
required |
Array of strings, each representing a requested grant type, from the following list: "authorization_code" , "refresh_token" , "client_credentials" . The array SHALL include either "authorization_code" or "client_credentials" , but not both. The value "refresh_token" SHALL NOT be present in the array unless "authorization_code" is also present.
|
response_types |
conditional |
Array of strings. If grant_types contains "authorization_code" , then this element SHALL have a fixed value of ["code"] , and SHALL be omitted otherwise
|
token_endpoint_auth_method |
required |
Fixed string value: "private_key_jwt"
|
scope |
required |
String containing a space delimited list of scopes requested by the client application for use in subsequent requests. The Authorization Server MAY consider this list when deciding the scopes that it will allow the application to subsequently request. Note for client apps that also support the SMART App Launch framework: apps requesting the "client_credentials" grant type SHOULD request system scopes; apps requesting the "authorization_code" grant type SHOULD request user or patient scopes.
|
The unique client URI used for the iss
claim SHALL match the uriName entry in the Subject Alternative Name extension of the client app operator’s X.509 certificate, and SHALL uniquely identify a single client app operator and application over time. The software statement is intended for one-time use with a single OAuth 2.0 server. As such, the aud
claim SHALL list the URL of the OAuth Server’s registration endpoint, and the lifetime of the software statement (exp
minus iat
) SHALL be 5 minutes.
iss
claim of the Authentication Token. The https
scheme is used to identify FHIR servers, and can generally also be used for clients. However, other URI schemes can be used by communities where client app operators are not well represented by unique URLs. Communities supporting emerging concepts such as decentralized identifiers to represent client app operators may also consider using the did
scheme for issuers of UDAP assertions.Example software statement, prior to Base64URL encoding and signature, for a B2B app that is requesting the use of the client credentials grant type (non-normative, the “.” between the header and claims objects is a convenience notation only):
{
"alg": "RS256",
"x5c": ["MIEF.....remainder omitted for brevity"]
}.{
"iss": "http://example.com/my-b2b-app",
"sub": "http://example.com/my-b2b-app",
"aud": "https://oauth.example.net/register",
"exp": 1597186041,
"iat": 1597186341,
"jti": "random-value-109a3bd72"
"client_name": "Acme B2B App",
"contacts": ["mailto:b2b-operations@example.com"],
"grant_types": ["client_credentials"],
"token_endpoint_auth_method": "private_key_jwt",
"scope": "system/Patient.read system/Procedure.read"
}
Example software statement, prior to Base64URL encoding and signature, for a B2B app that is requesting the use of the client credentials grant type (non-normative, the “.” between the header and claims objects is a convenience notation only):
{
"alg": "RS256",
"x5c": ["MIEF.....remainder omitted for brevity"]
}.{
"iss": "http://example.com/my-user-b2b-app",
"sub": "http://example.com/my-user-b2b-app",
"aud": "https://oauth.example.net/register",
"exp": 1597186054,
"iat": 1597186354,
"jti": "random-value-f83f37a29"
"client_name": "Acme B2B User App",
"redirect_uris": ["https://b2b-app.example.com/redirect"],
"contacts": ["mailto:b2b-operations@example.com"],
"logo_uri": "https://b2b-app.example.com/B2BApp.png",
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"],
"token_endpoint_auth_method": "private_key_jwt",
"scope": "user/Patient.read user/Procedure.read"
}
The registration request for use of either grant type is submitted by the client to the Authorization Server’s registration endpoint.
POST /register HTTP/1.1
Host: oauth.example.net
Content-Type: application/json
{
"software_statement": "...the signed software statement JWT...",
"certifications": ["...a signed certification JWT..."]
"udap": "1"
}
The Authorization Server SHALL validate the registration request as per Section 4 of UDAP Dynamic Client Registration. This includes validation of the JWT payload and signature, validation of the X.509 certificate chain, and validation of the requested application registration parameters. If a new registration is successful, the Authorization Server SHALL return a registration response with a 201 Created
HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration, including the unique client_id
assigned by the Authorization Server to that client app. If a new registration is not successful, e.g. it is rejected by the server for any reason, the Authorization Server SHALL return an error response as per Section 5.2 of UDAP Dynamic Client Registration.
Authorization Servers MAY support the inclusion of certifications and endorsements by client application operators using the certifications framework outlined in UDAP Certifications and Endorsements for Client Applications. Authorization Servers SHALL ignore unsupported or unrecognized certifications.
Authorization Servers MAY require registration requests to include one or more certifications. If an Authorization Server requires the inclusion of a certain certification, then the Authorization Server SHALL communicate this by including the corresponding certification URI in the udap_certifications_required
element of its UDAP metadata.
The client URI in the Subject Alternative Name of an X.509 certificate uniquely identifies a single application and its operator over time. Thus, a previously registered client application MAY request a modification of its previous registration with an Authorization Server by submitting another registration request to the same Authorization Server’s registration endpoint using a certificate with a Subject Alternative Name client URI entry matching the original registration request.
If an Authorization Server receives a valid registration request with a software statement containing the same iss
value as an earlier software statement but with a different set of claims or claim values, or with a different (possibly empty) set of optional certifications and endorsements, the server SHALL treat this as a request to modify the registration parameters for the client application by replacing the information from the previous registration request with the information included in the new request. For example, an Application operator could use this mechanism to update a redirection URI or to remove or update a certification. If the registration modification request is accepted, the Authorization Server SHOULD return the same client_id
in the registration response as for the previous registration. If it returns a different client_id
, it SHALL cancel the registration for the previous client_id
.
If an Authorization Server receives a valid registration request with a software statement that contains an empty grant_types
array from a previously registered application, the server SHOULD interpret this as a request to cancel the previous registration. A client application SHALL interpret a registration response that contains an empty grant_types
array as a confirmation that the registration for the client_id
listed in the response has been cancelled by the Authorization Server.
If the Authorization Server returns the same client_id
in the registration response for a modification request, it SHOULD also return a 200 OK
HTTP response code. If the Authorization Server returns a new client_id
in the registration response, the client application SHALL use only the new client_id
in subsequent transactions with the Authorization Server.