Hi Jenni,
Thanks for the link ( and the common issues), really useful.
I see your points about why I shouldn't really use System Access. My new plan is to allow the user to EHR launch, then send the refresh_token to our app via QR code. My intention is to allow the user to 'pair' their new app with their EHR launched app and grab the relevant person data using a valid access_token. As long as the app is open, they'll be able to access resources like on a browser / PC, refreshing the access_token, etc. The EHR app would also still be logged in.
One thing that doesn't seem so clear, please: the difference between online_access and offline_access revocation. What determines when the online_access session has expired with the stateless token? Ideally I wouldn't use offline_access as it allows indefinite access. I want the user to be able to reopen the app, use a simple PIN to allow access to their saved session data (stored on the device), and exchange the stored refresh_token on the device for a new access_token.
If the user closes the EHR launched page, would this revoke the online_access refresh_token? Is there an actual life limit to the token?
How does one manually revoke the refresh_token? My plan is that from the app, the user can logout and forget the current tokens either manually or from failed PIN entries. But from their EHR launched browser they should be able to revoke all keys.
In the docs I saw it says that we have to 'revoke the original' issuance of the offline_access refresh_token. How does one do that, please, out of interest?
Many thanks,
Tobin
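The questions above (when an online_access refresh token stops working versus an offline_access one, and how a refresh_token is revoked) can be made concrete with a small in-memory model. This is an added example, not code from this thread or from any EHR vendor's authorization server: it assumes a placeholder token endpoint, a 300-second access token lifetime and OAuth-style error strings, and it models online_access refresh tokens as bound to the EHR session that issued them while offline_access tokens live until an RFC 7009-style revocation request. The request bodies are built the way a public SMART client would post them (application/x-www-form-urlencoded).

```python
# Added example: toy in-memory model of online_access vs offline_access refresh
# tokens. Not any vendor's implementation; endpoint URL, TTL and error strings
# are assumptions. Token values are generated, not taken from a real EHR.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://ehr.example/oauth2/token"  # placeholder, assumed


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class RefreshToken:
    value: str
    scope: str                  # "online_access" or "offline_access"
    session_id: Optional[str]   # EHR session binding (online_access only)
    revoked: bool = False


class ToyAuthServer:
    def __init__(self, clock: FakeClock, access_ttl: int = 300) -> None:
        self.clock, self.access_ttl = clock, access_ttl
        self.refresh: Dict[str, RefreshToken] = {}
        self.access: Dict[str, float] = {}   # access token -> expiry time
        self.sessions: Set[str] = set()      # live EHR (browser) sessions

    def _issue(self, rt: RefreshToken) -> dict:
        at = secrets.token_urlsafe(16)
        self.access[at] = self.clock.now() + self.access_ttl
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": rt.value,
                "scope": rt.scope}

    def ehr_launch(self, scope: str) -> Tuple[dict, str]:
        """Simulate an EHR-launch authorization completing with the given scope."""
        session_id = secrets.token_urlsafe(8)
        self.sessions.add(session_id)
        bound = session_id if scope == "online_access" else None
        rt = RefreshToken(secrets.token_urlsafe(16), scope, bound)
        self.refresh[rt.value] = rt
        return self._issue(rt), session_id

    def refresh_grant(self, body: str) -> dict:
        """Handle a form-encoded refresh_token grant posted to the token endpoint."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rt = self.refresh.get(form.get("refresh_token", ""))
        if rt is None or rt.revoked:
            return {"error": "invalid_grant"}
        # online_access: only usable while the issuing EHR session is still alive
        if rt.session_id is not None and rt.session_id not in self.sessions:
            return {"error": "invalid_grant"}
        return self._issue(rt)

    def end_ehr_session(self, session_id: str) -> None:
        """The user closes or logs out of the EHR-launched browser session."""
        self.sessions.discard(session_id)

    def revoke(self, body: str) -> int:
        """RFC 7009-style revocation: fields 'token' and 'token_type_hint'."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        rt = self.refresh.get(form.get("token", ""))
        if rt is not None:
            rt.revoked = True
        return 200   # RFC 7009 returns 200 even for unknown tokens

    def access_token_valid(self, at: str) -> bool:
        return self.access.get(at, 0.0) > self.clock.now()


def build_refresh_body(refresh_token: str, client_id: str) -> str:
    """Body a public client posts to TOKEN_ENDPOINT to get a fresh access_token."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token, "client_id": client_id})


def build_revoke_body(refresh_token: str, client_id: str) -> str:
    return urlencode({"token": refresh_token,
                      "token_type_hint": "refresh_token", "client_id": client_id})


def walkthrough() -> dict:
    """Exercise expiry, EHR logout and explicit revocation; returns observations."""
    clock, out = FakeClock(), {}
    srv = ToyAuthServer(clock, access_ttl=300)
    online, sess = srv.ehr_launch("online_access")
    offline, _ = srv.ehr_launch("offline_access")
    # 1. access tokens are short-lived whichever refresh scope was granted
    out["access_ok_at_issue"] = srv.access_token_valid(online["access_token"])
    clock.advance(301)
    out["access_ok_after_ttl"] = srv.access_token_valid(online["access_token"])
    # 2. while the EHR session is open the online_access refresh token works
    r = srv.refresh_grant(build_refresh_body(online["refresh_token"], "my-app"))
    out["online_refresh_while_open"] = "access_token" in r
    # 3. EHR session ends: online_access refresh fails, offline_access survives
    srv.end_ehr_session(sess)
    r = srv.refresh_grant(build_refresh_body(online["refresh_token"], "my-app"))
    out["online_refresh_after_logout"] = r.get("error")
    r = srv.refresh_grant(build_refresh_body(offline["refresh_token"], "my-app"))
    out["offline_refresh_after_logout"] = "access_token" in r
    # 4. explicit revocation is what ends offline_access
    srv.revoke(build_revoke_body(offline["refresh_token"], "my-app"))
    r = srv.refresh_grant(build_refresh_body(offline["refresh_token"], "my-app"))
    out["offline_refresh_after_revoke"] = r.get("error")
    return out
```

Running `walkthrough()` shows the two lifetimes side by side: the online_access refresh token returns `invalid_grant` as soon as the EHR session that issued it ends, while the offline_access token keeps minting access tokens until a revocation request names it. In this model the refresh token alone is enough to obtain new access tokens, which is the property that makes its storage and transport (the device store and the pairing step above) the part to design carefully.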