Refresh token


Federico Nieto

Aug 30, 2018, 3:49:46 PM
to Cerner FHIR Developers
Hi,

I'm having an issue with the auth token not refreshing. As I log in as a practitioner, I can obtain information for several patients but after some minutes, the requests start returning authentication errors. I'm using swift-SMART SDK for iOS. Should I take a look at the implementation? Is there a scope I need to include in order to make it work? 

Thanks in advance, 
Fede.

Kol Kheang (Cerner)

Aug 30, 2018, 4:02:23 PM
to Cerner FHIR Developers
Hi Fede,

Can you post your question here: https://groups.google.com/forum/#!forum/smart-on-fhir? Cerner does not own the swift-SMART SDK for iOS.

Regards,
Kol

Federico Nieto

Aug 30, 2018, 4:08:55 PM
to Cerner FHIR Developers
Oh thanks, 

I thought maybe it could be related to a sandbox configuration.

Thanks.

Federico Nieto

Sep 4, 2018, 1:11:56 PM
to Cerner FHIR Developers
Hi again, I could not figure out what the problem can be. Below is an example of the response headers I'm getting after ten minutes of using the app.

Content-Type: text/html
Status: 401 Unauthorized
Content-Length: 0
Www-Authenticate: Bearer realm="fhir-ehr.sandboxcerner.com", error="invalid_token", error_description="Signature has expired"
Server-Response-Time: 14.193773
X-Request-Id: f1fb4c3b515eab4fe4615150266a46ce
Vary: Origin,User-Agent,Accept-Encoding
Date: Tue, 04 Sep 2018 17:05:13 GMT
Cache-Control: no-cache


The error seems to be related to the following:
Bearer realm="fhir-ehr.sandboxcerner.com", error="invalid_token", error_description="Signature has expired"

Any hints?

Thanks in advance,
Fede.

Jenni Syed (Cerner)

Sep 4, 2018, 1:20:53 PM
to Cerner FHIR Developers
Fede,

Were you able to confirm that the library is attempting to auto-refresh the token? Or are you writing code to refresh the token before each call to the FHIR server? If so, and it received an error during the refresh, can you provide the correlation id from that error response?

The response above is attempting to use a non-refreshed token to call the FHIR server, hence the expiry error.

Regards,
Jenni

Federico Nieto

Sep 5, 2018, 10:16:46 AM
to Cerner FHIR Developers
Hi Jenni,

Thanks for your response. The library does not auto-refresh the token. From swift-SMART on GitHub, they told me to call smart.authorize, which should refresh the token if one is present. I've written code to refresh the token every five minutes (basically, once the user is logged in I call smart.authorize every five minutes). I've tested it on the SMART Health IT sandbox and it's apparently working. But in Cerner, I think that the token is not getting refreshed.

Any hints?
Thanks!
Fede.

Jenni Syed (Cerner)

Sep 5, 2018, 11:03:27 AM
to Cerner FHIR Developers
Fede,

Did the app request online_access or offline_access scopes when the app authorized? Did that scope get returned from the initial token request along with the refresh token? Is there an error returned from the token refresh? 

~ Jenni

Federico Nieto

Sep 5, 2018, 11:33:20 AM
to Cerner FHIR Developers
Jenni,

Thanks for your answer. I was not passing the online_access scope. Now it seems to be working; however, I'd like to know which is the best approach:

- Refresh the token every four minutes.
- Every time the user makes a request, check the authorization and then make the request.

Thanks!
Fede.

Jenni Syed (Cerner)

Sep 7, 2018, 8:47:15 AM
to Cerner FHIR Developers
Hi Fede,

Here's the recommendation on utilizing refresh tokens: https://fhir.cerner.com/authorization/#utilizing-refresh-tokens

It's similar to option 2 below, but it does this out of band rather than holding up an active request, and would likely account for a small amount of padding, e.g. a minute before it expires. The expiry is returned with the bearer token and should be tracked by the application rather than hard-coding any specific expiry (this expiry can vary by implementation, and can change in the future).

Regards,
Jenni
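The approach in the reply above (track the expiry returned with the bearer token, refresh out of band with a minute of padding, and only expect a refresh token when online_access or offline_access was granted), written out as an added Python example that is not code from swift-SMART, Cerner, or anyone in this thread. The function names, the `SAMPLE_RESPONSE` token response and `fake_refresh` are constructed stand-ins; a real client would replace `fake_refresh` with the POST to the token endpoint.

```python
from dataclasses import dataclass
from typing import Callable, Optional

REFRESH_PADDING_SECONDS = 60  # refresh about a minute before expiry, never after


@dataclass
class TokenState:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float        # absolute epoch seconds, derived from expires_in
    scopes: frozenset


def parse_token_response(resp: dict, now: float) -> TokenState:
    """Track expiry from the expires_in the server returned; never hard-code a lifetime."""
    if "access_token" not in resp or "expires_in" not in resp:
        raise ValueError("token response missing access_token/expires_in")
    return TokenState(access_token=resp["access_token"],
                      refresh_token=resp.get("refresh_token"),
                      expires_at=now + float(resp["expires_in"]),
                      scopes=frozenset(resp.get("scope", "").split()))


def refresh_possible(state: TokenState) -> bool:
    # A refresh token is only issued when online_access or offline_access was granted.
    return state.refresh_token is not None and bool(
        state.scopes & {"online_access", "offline_access"})


def needs_refresh(state: TokenState, now: float) -> bool:
    return now >= state.expires_at - REFRESH_PADDING_SECONDS


def bearer_for_request(state: TokenState, now: float,
                       refresh_fn: Callable[[str], dict]) -> tuple:
    """Return (possibly refreshed state, Authorization header value)."""
    if needs_refresh(state, now):
        if not refresh_possible(state):
            raise PermissionError("token expiring and no refresh token granted; re-authorize")
        state = parse_token_response(refresh_fn(state.refresh_token), now)
    return state, f"Bearer {state.access_token}"


def is_expired_token_response(status: int, www_authenticate: str) -> bool:
    # The 401 shown earlier in the thread carries error="invalid_token": refresh once and retry.
    return status == 401 and 'error="invalid_token"' in www_authenticate


# Constructed sample token response (not a real Cerner response).
SAMPLE_RESPONSE = {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 570,
                   "scope": "patient/Patient.read online_access"}


def fake_refresh(refresh_token: str) -> dict:
    """Constructed stand-in for the token-endpoint POST; rotates the access token."""
    return {"access_token": "at-2", "refresh_token": refresh_token, "expires_in": 570,
            "scope": "patient/Patient.read online_access"}
```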
