If the OpenID Connect protocol is legitimately being used for authentication, the steps currently listed for validating an ID token should instead refer individuals to section 3.1.3.7 of the OpenID specification for validation steps. There are certain key elements, such as validating the audience that are necessary.
In addition, step 6 of section 3.1.3.7 states:
"If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature."
Should we make this explicit in this profile to reduce the overhead of having to support the .well_known endpoint along with hosting signature keys? There's little additional security afforded here, unless consumers want to somehow utilize such id_tokens within their own internal security implementation.
Finally, the use of OpenID Connect seems to transitively place requirements on the authorization server to support the following parameters in the authentication request. This should likely be explicitly stated in the documentation:
- nonce
- prompt (minimally, support for prompt=none and response error codes indicating if the user was not previously authenticated.)
- max-age
Other optional functionality would also need to be indicated that it is not supported per the OpenID Connect Discovery specification. An example is "Passing a Request Object by Value" as described by section 6.1 in the Connect Core spec.
Is the intent here to have EMRs act as full-blown authentication servers (and/or as proxies to the authentication system that they use internally)? It would seem that passing the FHIR endpoint for the user could be easily achieved as an additional claim. I haven't seen any Argonaut use case that calls out utilizing the authorization server solely as an authentication system.