FHIR Chat · MSAL Hides Refresh Tokens · smart

Stream: smart

Topic: MSAL Hides Refresh Tokens


Torin Shepard (Feb 04 2021 at 21:34):

Need help using MSAL, which does not issue refresh tokens.

SMART App Launch Framework documentation describes explicit use of refresh tokens.

SMART retrieval and refresh sequence
https://www.hl7.org/fhir/smart-app-launch/#smart-retrieval-and-refresh-sequence

App uses a refresh token to obtain a new access token
https://www.hl7.org/fhir/smart-app-launch/#step-5-later-app-uses-a-refresh-token-to-obtain-a-new-access-token

Client apps request refresh token via offline_access scope. EHR FHIR Server supplies refresh_token in response back to the client. Client uses refresh token to request new access tokens when the old access tokens expire.

FHIR Servers that use Azure Active Directory (AAD) authentication through the Microsoft Authentication Library (MSAL) cannot follow this flow because MSAL does not return refresh tokens anymore. Although the Azure Active Directory Library (ADAL) returned refresh tokens, MSAL does not.

Stack Overflow posting - Get refresh token with MSAL
https://stackoverflow.com/questions/48952087/get-refresh-token-with-azure-ad-v2-0-msal-and-asp-net-core-2-0/58482043#58482043

MSAL does not expose the refresh token, but rather keeps it internal and handles all token refresh and caching logic on the app's behalf.

With reference to the OAuth2 protocol, MSAL completes steps related to refresh tokens on your behalf. It goes to the /token endpoint with an authorization code (after the end user signs in), and is issued an Access and Refresh token. The Access Token is valid for 1 hour, and when it's expired, MSAL AcquireTokenSilent will automatically use the refresh token against the /token endpoint to get a new access token.

Although ADAL returned refresh tokens, the MSAL library does not. Although a FHIR Server gets access tokens from MSAL, it cannot get refresh tokens from MSAL. Can the SMART on FHIR protocol specification be interpreted or implemented differently from the information last published in November 2018?

SoF IG version published 2018-Nov-13 based on FHIR version 3.0.1 does not give any consideration to the possibility that EHR Authz will use an authentication provider that does not expose refresh tokens.

"7.1.6 Step 5: (Later…) App uses a refresh token to obtain a new access token" assumes all EHRs will be capable of supplying a refresh_token in the token response. Any EHR Authz server that uses MSAL cannot issue refresh tokens from Microsoft because MSAL no longer gives them. This means it will not be possible to follow 7.1.4 SMART retrieval and refresh sequence https://www.hl7.org/fhir/smart-app-launch/#smart-retrieval-and-refresh-sequence because the refresh tokens are handled completely internally to MSAL used by the EHR Authz Server.

Can anyone give opinions/guidance on whether silent, implicit handling of refresh tokens is still compliant with SMART on FHIR? Will SOF documentation ever be updated to describe authorization flows where refresh token lifecycle is handled by only the FHIR server but not the client?

Would the following alternative flow be acceptable when client will have only access tokens but will never have refresh tokens?

  • Only the FHIR server will have refresh tokens.
  • When an access token expires, FHIR server will return not authorized response to the client app.
  • How can/should client request a new access token when client will never have a refresh token?
  • Can client POST to FHIR server token endpoint with grant_type=refresh_token&refresh_token={expired access token} ?
  • FHIR server can validate the expired access token, confirm the internal refresh token life cycle time has not expired, use MSAL to get new access token, and return this new access token back to the client.

Torin Shepard (Feb 09 2021 at 18:35):

https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/228
This posting suggests Microsoft made an intentional design decision to hide refresh tokens even though this decision contradicts the SoF protocol.

Josh Mandel (Feb 09 2021 at 18:43):

I think this library wants to handle refresh tokens internally, rather than exposing them to the caller. That's not actually a SMART on FHIR protocol issue, so much as a library-internal design decision. But this library may not be a good choice for your needs.

Torin Shepard (Feb 22 2021 at 23:08):

Thank you Josh! After more investigation, we learned "ADAL to MSAL migration" at https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java explains MSAL for Java has an API that allows migrating refresh tokens acquired with ADAL4J. We also learned more about MSAL token cache and how it stores refresh tokens.


Last updated: Apr 12 2022 at 19:14 UTC