FHIR Chat · User Session Token ExpirationTime · implementers

Stream: implementers

Topic: User Session Token ExpirationTime


Joel Hansen (Aetna) (Jun 05 2020 at 15:15):

Hi all,

Aetna is working on the Authentication and Consent piece of the Patient Access API. We are wondering what others are using as expiry times for their user tokens, i.e. the token granted at the time of authentication, before we force the user to re-authenticate. I did a few searches on Zulip and couldn't find a consensus. I think it is up to the implementers to decide, but wanted to see what others are doing.

Thanks in advance
Joel

Michele Mottini (Jun 05 2020 at 17:12):

CMS uses 10 hours (on the long side), Anthem uses 30 minutes (maybe too short); anything between those two should be good. Longer ones are a little bit riskier security-wise, obviously.
(You support refresh tokens, I assume?)

Cooper Thompson (Jun 08 2020 at 13:53):

We use 60 minutes.

Josh Mandel (Jun 08 2020 at 16:26):

I'd avoid providing IG-specific advice on this point. Would refer to the SMART authz guide (which today says "Access tokens SHOULD have a valid lifetime no greater than one hour.").

Josh Mandel (Jun 08 2020 at 16:28):

And indeed the strong preference is to support refresh tokens, to keep the access tokens short-lived without interrupting the user to re-authenticate.

Joel Hansen (Aetna) (Jun 10 2020 at 13:17):

@Michele Mottini, @Cooper Thompson, @Josh Mandel Thanks so much for the replies. We had proposed 24 hours, but that sounds like it's waaay too long of a time. Will probably look at the 60 minute time.

Joel

Josh Mandel (Jun 10 2020 at 13:42):

Sure thing. And yeah, I would definitely recommend steering clear of specifying anything that you don't need to in a particular guide. Or if you want to say something, keep it at the level of advice and not requirements.

Suma Addagadde (Jun 28 2020 at 23:54):

Our company has decided to implement a validity period of 3 months for the refresh token (long lived) before the user is asked to authorize again. The 3rd party apps would use this refresh token to request new access tokens (short lived) when one expires.


Last updated: Apr 12 2022 at 19:14 UTC