Stream: smart
Topic: Several tokens per app
Mikael Rinnetmäki (Jun 10 2020 at 21:15):
In my patient-facing app, I’d like to preserve one token for the patient, for full access. Then I’d like to have another access token, with read-only rights with limited scope, for a use case where the user wants to share a view of the app with peer support / caregiver (or another party who is not a user of the EHR). Is there a way for me to ask for another token, so that the previously retrieved one stays valid too?
Isaac Vetter (Jun 10 2020 at 21:19):
with a second client id, yes.
Jenni Syed (Jun 10 2020 at 21:25):
Technically, per the general OAuth spec, one of the main reasons scopes are both sent and can be returned to the app is so that scope "downgrades" can happen.
Jenni Syed (Jun 10 2020 at 21:27):
So you could have 2 refresh tokens technically for the same application. In one when you kick off auth, you would request the full set. In another you could request a reduced set. Questions arise on how useful that is if they're stored in the same place and around the user possibly getting prompted twice to approve access.
Jenni Syed (Jun 10 2020 at 21:27):
Some systems could put specific limits on "sessions" for an app as well, but that's not covered in the spec
Jenni Syed (Jun 10 2020 at 21:28):
If they're used from a separate app/workflow, it may be useful to have separate client ids.
Mikael Rinnetmäki (Jun 11 2020 at 06:15):
Thanks both, makes sense.
Last updated: Apr 12 2022 at 19:14 UTC