Ballot Weight
NEG
Where
:: http://www.hl7.org/fhir/smart-app-launch/
What
Joshua Mandel, Boston Children's Hospital
@smart-on-fhir/smart-on-fhir.github.io#146
From: client-side apps (for example, HTML5/JS browser-based apps, iOS mobile apps, or Windows desktop apps) can provide adequate security - but they can't "keep a secret" in the OAuth2 sense. That is to say, any "secret" key, code, or string that's embedded in the app can potentially be extracted by an end-user or attacker. So security for these apps can't depend on secrets embedded at install-time.
Josh's Triage Notes
Theme: "Where confidential apps can run"
Disposition
Accept changes proposed in https://github.com/HL7/smart-app-launch/pull/1/files?short_path=d680e8a#diff-d680e8a854a7cbad6d490c445cba2eba .
This provides references to Public vs Confidential client definitions in the OAuth 2.0 spec and clarifies that our assessment is advice ("should") rather than a strict requirement ("shall").
Vote Details
Pro-Con-Abstain: 10-0-1
Date: 2017-09-14