Custom fields in response in additional OAuth 2 access token, refresh token and id token

sagarshah1983 · September 17, 2020, 9:13pm

Is there an option to add custom fields in the response generating access token from Hydra in addition to OAuth 2/Open ID Connect tokens?
I am referring to this need for SMART App on FHIR healthcare app, which is a specification on top of OAuth 2.0 + Open ID Connect.

https://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html#launch-context-arrives-with-your-access_token
This requires some additional fields to be returned by Authorization server based on some additional inputs (launch parameter)

Please advise, if there’s any such support/plugin/extension available or can be developed?
Appreciate!

hackerman · September 18, 2020, 10:12am

No, that is not possible. Also, it was partially already answered in one of your threads: Userinfo endpoint

sagarshah1983 · September 18, 2020, 9:21pm

Thanks for replying. Is there any support for plugins/extensions that we could write for custom scenarios that enable us to intercept certain request parameters on the OAuth server requests (and add additional fields to the token endpoint response)?

For info: SMART App on FHIR is the conformance on top of OAuth 2.0 and Open ID Connect, but there are not many open source providers available for this solutions, so we are trying to evaluate if we can build it with Hydra.

hackerman · September 19, 2020, 1:02pm

It is not possible to write extensions or plugins for ORY Hydra. I do not know the SMART or FHIR standards so I don’t really know what’s needed and what isn’t which means I can’t really answer your question regarding this

sagarshah1983 · September 19, 2020, 1:26pm

Thank you for responding. I know its not defined anywhere in OAuth 2 or OpenID Connect and has come up as a standard for health care applications.

(Just for info in nutshell about) SMART on FHIR capabilities: It requires oauth server to accept an additional “launch” parameter in addition to all supported for authorization code and return the response with certain additional fields, depending on the value of launch parameter passed to it earlier when requesting authorization code.
We could build something in here provided there’s a way in hydra to support some interceptors/plugins/extensions

hackerman · September 20, 2020, 6:42am

Could you point me to the relevant specification and specific section where this is explained? Thank you!

sagarshah1983 · September 20, 2020, 12:54pm

Sure!

This page lists the auth flow at high level for both scenarios EHR launch and standalone launch of a healthcare 3rd party app, which is part of SMART app launch criteria
https://hl7.org/fhir/smart-app-launch/index.html

This page defined the scopes that client should have. Most of them are standard except “launch”, “launch/*” related, which seems to add a different behavior on auth server - https://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html (Section 3 defines how the context data is shared from EHR application to 3rd party App using launch parameter and then passed on to OAuth server, which then returns the context information back to 3rd party app/client.

This page is listing the conformance page criteria with link to above other pages - https://hl7.org/fhir/smart-app-launch/conformance/index.html

Thank you for showing an interest.
Hope this helps.