FHIR Chat · Issuing a new refresh token from an old refresh token · smart

Stream: smart

Topic: Issuing a new refresh token from an old refresh token


Cooper Thompson (Mar 12 2019 at 13:22):

In the ONC NPRM, this process is described for using a refresh token to get a new refresh token:

Further, we propose that once a valid refresh token has been used to get a new access token that the FHIR server
must demonstrate that it can issue a new refresh token to the app, which must be for a new period no shorter
than three months. For example, if an application were issued a refresh token that was good for three months
upon its first-ever connection and then subsequently connected to the FHIR server one month later, the FHIR
server would need to enable that connection to occur without re-authentication and re-authorization, and it
would need to issue a new refresh token for a new three-month period from that access date.

Is this actually allowed by either SMART or OAuth 2.0? I can't find any reference in either the SMART guide or the OAuth 2.0 RFC about arbitrarily extending access by re-issuing new refresh tokens. This approach effectively makes refresh token expiration irrelevant, I'm assuming it isn't intended by SMART/OAuth 2.0, but since it isn't explicitly disallowed, I was hoping to get confirmation.

Drew Torres (Mar 12 2019 at 13:26):

I believe it is an OAuth 2.0 concept.

Drew Torres (Mar 12 2019 at 13:28):

https://tools.ietf.org/html/rfc6749#section-1.5

Drew Torres (Mar 12 2019 at 13:30):

The question of refresh token expiration is valid. How often do you want the user to enter in credentials for an application that has the ability to impersonate you? Every 3 months, yearly, or indefinitely?

John Moehrke (Mar 12 2019 at 13:30):

The expiration in the token is the expiration for that token. You refresh to see if you have continual authorization. In this way the user can revoke background access, and it will be effective upon the next refresh. The size of this token expiration is a balance between user experience and noise.

Cooper Thompson (Mar 12 2019 at 13:57):

@Andrew Torres I must have missed paragraph H when I looked at the RFC. Thanks for the reference.


Last updated: Apr 12 2022 at 19:14 UTC