Commit 7678ea7

Add optional tenant JWT payload field (fixes #205) (#420)
Additionally, the example JWT has been improved to include the public and private keys used to both sign and verify the signature.
1 parent 43a6dda commit 7678ea7

1 file changed

+37
-4
lines changed

docs/specification/1.0.md

Lines changed: 37 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -502,6 +502,7 @@ aud | REQUIRED | *string* or *array of string* | The CDS Service endpoint that i
502502
exp | REQUIRED | *number* | Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC).
503503
iat | REQUIRED | *number* | The time at which this JWT was issued, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC).
504504
jti | REQUIRED | *string* | A nonce string value that uniquely identifies this authentication JWT (used to protect against replay attacks).
505+
tenant | OPTIONAL | *string* | An opaque string identifying the healthcare organization that is invoking the CDS Hooks request.
505506

506507
CDS Services SHOULD whitelist the `iss`, `jku` and `sub` fields to only the EHRs they trust.
507508

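Review bot: the trust statement that immediately follows this addition ("CDS Services SHOULD whitelist the `iss`, `jku` and `sub` fields", line 507) is not updated for the new `tenant` field, so the hunk leaves unspecified whether a CDS Service should validate the tenant against the organizations it expects from a given `iss` or may only use it for routing and logging. Because `tenant` sits inside the signed payload it is exactly as trustworthy as the EHR identified by `iss`, and an EHR that serves many organizations can assert any tenant value, so the CDS Service's allow-listing of `iss` is what actually bounds it. Suggest extending line 507 with something like: "When `tenant` is present, CDS Services SHOULD also verify that it is a tenant they expect from the EHR identified by `iss`."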
@@ -511,30 +512,62 @@ The EHR MUST make its public key, expressed as a JSON Web Key (JWK) in a JWK Set
511512

512513
The EHR MAY make its JWK Set available via a URL identified by the `jku` header field, as defined by [rfc7515 4.1.2](https://tools.ietf.org/html/rfc7515#section-4.1.2). If the `jku` header field is ommitted, the EHR and CDS Service SHALL communicate the JWK Set out-of-band.
513514

514-
An example JSON web token header and payload:
515+
An example JSON web token header, payload, and JWK set:
515516

516517
```json
518+
// JSON Web Token Header
517519
{
518520
"alg": "ES384",
519521
"typ": "JWT",
520522
"kid": "example-kid",
521523
"jku": "https://fhir-ehr.example.com/jwk_uri"
522524
}
523525

526+
// JSON Web Token Payload
524527
{
525528
"iss": "https://fhir-ehr.example.com/",
526529
"sub": "client_id",
527530
"aud": "https://cds.example.org/cds-services/some-service",
528531
"exp": 1422568860,
529532
"iat": 1311280970,
530-
"jti": "ee22b021-e1b7-4611-ba5b-8eec6a33ac1e"
533+
"jti": "ee22b021-e1b7-4611-ba5b-8eec6a33ac1e",
534+
"tenant": "2ddd6c3a-8e9a-44c6-a305-52111ad302a2"
535+
}
536+
537+
// JSON Web Key Set (public key)
538+
// This public key is used by the CDS Service to verify the signature of the JWT
539+
{
540+
"keys":[
541+
{
542+
"kty": "EC",
543+
"use": "sig",
544+
"crv": "P-384",
545+
"kid": "example-kid",
546+
"x": "46SDH7Znh821wblCBglA61sNE9ZrHYKKt3qRtRTmSXyOI_FIGBLWrWa0GPUkDCEk",
547+
"y": "XMcRuuoGW7CXjQdy-F5i3FeBE0x9hPLdeFdSoDd3ELmx404tLX0VRRcqzAsPhXcI",
548+
"alg": "ES384"
549+
}
550+
]
551+
}
552+
553+
// JSON Web Key (private key)
554+
// This private is used by the EHR to sign the JWT
555+
{
556+
"kty": "EC",
557+
"d": "SeFXUXda8UomZ8GFUl7HH_Oi15rIbfMcsWj9ecIsDR8kLbqsEz2CGNgwy_IcILxy",
558+
"use": "sig",
559+
"crv": "P-384",
560+
"kid": "example-kid",
561+
"x": "46SDH7Znh821wblCBglA61sNE9ZrHYKKt3qRtRTmSXyOI_FIGBLWrWa0GPUkDCEk",
562+
"y": "XMcRuuoGW7CXjQdy-F5i3FeBE0x9hPLdeFdSoDd3ELmx404tLX0VRRcqzAsPhXcI",
563+
"alg": "ES384"
531564
}
532565
```
533566

534-
Using the above JWT payload, the complete JWT as passed in the Authorization HTTP header would be:
567+
Using the above JWT values and JWKs, the complete JWT as passed in the Authorization HTTP header would be:
535568

536569
```
537-
Authorization: Bearer eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6ImV4YW1wbGUta2lkIiwiamt1IjoiaHR0cHM6Ly9maGlyLWVoci5leGFtcGxlLmNvbS9qd2tfdXJpIn0.eyJpc3MiOiJodHRwczovL2ZoaXItZWhyLmV4YW1wbGUuY29tLyIsInN1YiI6ImNsaWVudF9pZCIsImF1ZCI6Imh0dHBzOi8vY2RzLmV4YW1wbGUub3JnL2Nkcy1zZXJ2aWNlcy9zb21lLXNlcnZpY2UiLCJleHAiOjE0MjI1Njg4NjAsImlhdCI6MTMxMTI4MDk3MCwianRpIjoiZWUyMmIwMjEtZTFiNy00NjExLWJhNWItOGVlYzZhMzNhYzFlIn0.230VxOubItskK-HCzdfjR5Y76nEydquQoqK-JDHbl8y8wzo-7HJetYpY1R4rytp_yJJCc8DULX9G5llPKx6opQ
570+
Authorization: Bearer eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6ImV4YW1wbGUta2lkIiwiamt1IjoiaHR0cHM6Ly9maGlyLWVoci5leGFtcGxlLmNvbS9qd2tfdXJpIn0.eyJpc3MiOiJodHRwczovL2ZoaXItZWhyLmV4YW1wbGUuY29tLyIsInN1YiI6ImNsaWVudF9pZCIsImF1ZCI6Imh0dHBzOi8vY2RzLmV4YW1wbGUub3JnL2Nkcy1zZXJ2aWNlcy9zb21lLXNlcnZpY2UiLCJleHAiOjE0MjI1Njg4NjAsImlhdCI6MTMxMTI4MDk3MCwianRpIjoiZWUyMmIwMjEtZTFiNy00NjExLWJhNWItOGVlYzZhMzNhYzFlIiwidGVuYW50IjoiMmRkZDZjM2EtOGU5YS00NGM2LWEzMDUtNTIxMTFhZDMwMmEyIn0.CUFPkplnWd6YGIvzoHolWCQBDsCL8QtTWKGg_QFpS169WrqDGzktRi-_we6-6rVzbjerU27ZKww_SW0-b9RTz-dPJNcqsueMio8r6EqXUXhbLm_ch3XFSbDlGHDl_tqo
538571
```
539572

540573
### Cross-Origin Resource Sharing
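Review bot: the private JWK at lines 553-564 carries no caveat, and now that its `d` value is published in the specification anyone can mint JWTs that verify against the example JWK Set at lines 538-551; add a sentence beside it such as "This key pair is for illustration only and MUST NOT be used in any deployment", and consider stating that a published JWK Set MUST NOT contain the `d` member. Smaller points in the same hunk: the comment at line 554 reads "This private is used by the EHR" and should be "This private key is used by the EHR"; the `//` labels make the block invalid JSON despite the `json` fence tag, so either drop the tag or move the labels into prose; and the example keeps `iat` 1311280970 with `exp` 1422568860 (lines 531-532), a lifetime of more than three years, which undercuts the replay protection the `jti` row describes, so regenerating the example is a good opportunity to set `iat` and `exp` a few minutes apart. The unchanged context at line 513 also has "ommitted" for "omitted".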
