
I am trying to define the following custom scopes in AWS Cognito (launch, aud, offline_access, online_access, fhirUser). These scopes are for SMART on FHIR.

However, I am only able to define custom scopes of the form <resourceServerIdentifier>/<scopeName> by defining resource servers.

I want to define "bare" scopes that either include the resourceIdentifier by itself or scopeName by itself.

Indeed the AWS Cognito docs do specify that in requesting a scope a client must include the full identifier for the scope.

"Bare" scopes are such a common use in OAuth that I believe there should be a workaround to support it. Has anyone been able to resolve this?

rmharrison
Elijah
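As an added illustration of the constraint described in the question (not code from the question or from AWS), the following models the `<resourceServerIdentifier>/<scopeName>` format Cognito enforces, checks a SMART on FHIR scope request against it, and shows the prefix/strip mapping an intermediary would need if it chose to park bare scopes under a resource server. The resource server identifier `smart` is a hypothetical value I chose; the bare scope names come from the question.

```python
"""Added example: classify SMART on FHIR scopes against Cognito's scope format.

Assumption (mine, not from the question): "smart" is a placeholder resource
server identifier; the bare SMART scope names are the ones listed in the question.
"""
import re

# Cognito custom scopes must take the form <resourceServerIdentifier>/<scopeName>.
COGNITO_SCOPE_RE = re.compile(r"^(?P<rs>[^/\s]+)/(?P<name>[^/\s]+)$")

# Bare SMART on FHIR scopes named in the question; Cognito cannot define these as-is.
BARE_SMART_SCOPES = {"launch", "aud", "offline_access", "online_access", "fhirUser"}

# Standard OIDC scopes Cognito serves without a resource server.
COGNITO_BUILTIN_SCOPES = {"openid", "email", "phone", "profile"}


def classify(scope_string):
    """Split a space-delimited scope request into what Cognito can issue and what is bare."""
    ok, bare = [], []
    for s in scope_string.split():
        if s in COGNITO_BUILTIN_SCOPES or COGNITO_SCOPE_RE.match(s):
            ok.append(s)  # e.g. launch/patient already has identifier and scopeName
        else:
            bare.append(s)  # e.g. launch, offline_access: no slash, so not definable
    return ok, bare


def to_cognito(scope_string, resource_server="smart"):
    """Prefix bare scopes with a hypothetical resource server so Cognito could issue them."""
    out = []
    for s in scope_string.split():
        if s in COGNITO_BUILTIN_SCOPES or COGNITO_SCOPE_RE.match(s):
            out.append(s)
        else:
            out.append(f"{resource_server}/{s}")
    return " ".join(out)


def from_cognito(scope_string, resource_server="smart"):
    """Strip only the agreed prefix so the FHIR server sees bare SMART scope names again.

    Other resource-server scopes (launch/patient, patient/*.read) pass through untouched,
    so a client cannot turn an unrelated scope into a bare one by naming it cleverly.
    """
    prefix = resource_server + "/"
    return " ".join(s[len(prefix):] if s.startswith(prefix) else s for s in scope_string.split())
```

`classify` is the check to run on an incoming SMART authorization request: anything it returns as bare is a scope Cognito will reject unless it is mapped under a resource server first.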
  • What is not very clear to me is whether you want the resource server anyway or whether you are using it because you are trying a workaround for setting up custom scopes. If you don't want to use a resource server, I think that you need to use a combination of scopes from (openid fhirUser (or openid profile)); there is a suggested project in the AWS documentation, maybe you have found this already [https://github.com/awslabs/fhir-works-on-aws-deployment] – stamstam Sep 01 '20 at 12:47
  • @stamstam I wanted to create scopes for `launch`, `offline_access` and `online_access`. These are "bare" because there is no separate identifier and scopeName (like `launch/patient`). Thanks for flagging the AWS labs project. Unfortunately, it doesn't broach the SMART on FHIR launch sequences that use `scope: launch`, thereby side-stepping the issue of "bare" scopes, and some other Cognito limitations. – rmharrison Nov 11 '20 at 02:50
  • Hi @rmharrison, did you ever get anywhere with bare scopes? – Michael J Lawley Sep 14 '21 at 04:21

0 Answers