FHIR Chat · New refresh token · inferno

Stream: inferno

Topic: New refresh token


Jenni Syed (Aug 06 2020 at 19:58):

There's a test in inferno that fails if a new refresh token isn't supplied on token refresh... I assume that should be looking for a new access token... not a new refresh token? OAuth 2 states a server can create a new refresh token, but doesn't have to

Jenni Syed (Aug 06 2020 at 19:59):

cc @Josh Mandel to make sure I didn't miss something in SMART

Jenni Syed (Aug 06 2020 at 19:59):

Test in question: "SPD-TR-06: Server supplies new refresh token as required by ONC certification criteria"

Jenni Syed (Aug 06 2020 at 20:03):

I thought the only requirement from ONC was how long the refresh token was good for after refresh

Josh Mandel (Aug 06 2020 at 20:03):

Agreed @Jenni Syed -- this is a decision servers make. SMART says:

The refresh token issued by the authorization server. If present, the app should discard any previosu (sic!) refresh_token associated with this launch, replacing it with this new value.

Robert Scanlon (Aug 06 2020 at 20:57):

This is very specifically an ONC requirement, not an OAuth or SMART requirement. We isolated it into its own test to separate it from SMART & OAuth reqs.

Robert Scanlon (Aug 06 2020 at 20:59):

Paragraph (10)(v)(A)(2)

For subsequent connections, access must be granted to patient data in accordance with the implementation specification adopted in § 170.215(a)(3) without requiring re-authorization and re-authentication when a valid refresh token is supplied by the application. Additionally, an application capable of storing a client secret must be issued a new refresh token valid for a new period of no less than three months.

Robert Scanlon (Aug 06 2020 at 21:02):

And in the test procedure:

The health IT developer demonstrates the ability of the Health IT Module to issue a new refresh token valid for a period of no shorter than three months without requiring re-authentication and re-authorization when a valid refresh token is supplied by the application according to the implementation specification adopted in § 170.215(a)(3).

Jenni Syed (Aug 06 2020 at 21:03):

Ok, we'll log something for clarification with ONC. I assume the important part of that was how long the refresh token is good for. The spec doesn't require a new token get issued, and ours are already good for more than the required time.

Josh Mandel (Aug 06 2020 at 21:13):

That sounds right Jenni! I think the important functional requirement is: after a refresh, the app now has a refresh token with a life of at least 3 months. Whether it's the same or different from the previous refresh token should be an implementation detail.

Robert Scanlon (Aug 06 2020 at 21:24):

Thanks Jenni -- providing feedback to ONC is the way to go so they can provide guidance if they think it's necessary. The inferno team did very intentionally write this test based on the language in the rule, knowing it is not an OAuth requirement.


Last updated: Apr 12 2022 at 19:14 UTC