...

  1. User logs in and gets back an AT and an RT

  2. The application detects that the AT is expired or that a different AT is required

  3. The application uses the RT to obtain a new AT and a new RT that replaces the old RT

  4. Repeat 2 and 3 until the RT or the session expires

  5. After the RT or the session expires, the user must authenticate again

Example:

== LOGIN ==

POST /auth/realms/ehealth/protocol/openid-connect/token HTTP/1.1

grant_type=password&
username=cgi_clinical_b&
password=Test1234&
client_id=oio_mock

HTTP/1.1 200 OK

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO...",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgO...",
    "token_type": "bearer",
    "not-before-policy": 1587013531,
    "session_state": "c9b7eeb5-4d59-4016-9626-1e3587bfff35",
    "scope": "profile oio_custom email"
}

== RT0 ==
{
    "jti": "c7c9fd0e-6145-48a1-b7da-a37888c81bbd",
    "exp": 1587015346,
    "nbf": 0,
    "iat": 1587013546,
    "iss": "https://saml.fut.trifork.com/auth/realms/ehealth",
    "aud": "https://saml.fut.trifork.com/auth/realms/ehealth",
    "sub": "7aee9a6c-906c-4dd1-ab9b-3d5ceaeac38e",
    "typ": "Refresh",
    "azp": "oio_mock",
    "auth_time": 0,
    "session_state": "c9b7eeb5-4d59-4016-9626-1e3587bfff35",
    "realm_access": {
        "roles": [
            "Organization.read",
            "Task.search",
            ...
        ]
    },
    "resource_access": {
        "account": {
            "roles": [
                "manage-account",
                "manage-account-links",
                "view-profile"
            ]
        }
    },
    "scope": "profile oio_custom email"
}


== Refresh with RT0 ==

POST /auth/realms/ehealth/protocol/openid-connect/token HTTP/1.1

grant_type=refresh_token&
client_id=oio_mock&
refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgO...

HTTP/1.1 200 OK

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO...",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgO...",
    "token_type": "bearer",
    "not-before-policy": 1587013531,
    "session_state": "c9b7eeb5-4d59-4016-9626-1e3587bfff35",
    "scope": "profile oio_custom email"
}

== RT1 ==

{
  "jti": "779263ee-cfe3-4b59-b456-4553dadfb82b",
  "exp": 1587015623,
  "nbf": 0,
  "iat": 1587013823,
  "iss": "https://saml.fut.trifork.com/auth/realms/ehealth",
  "aud": "https://saml.fut.trifork.com/auth/realms/ehealth",
  "sub": "7aee9a6c-906c-4dd1-ab9b-3d5ceaeac38e",
  "typ": "Refresh",
  "azp": "oio_mock",
  "auth_time": 0,
  "session_state": "c9b7eeb5-4d59-4016-9626-1e3587bfff35",
  "realm_access": {
    "roles": [
      "Organization.read",
      "Task.search",
      ...
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile oio_custom email"
}

== expired session with RT1 ==

POST /auth/realms/ehealth/protocol/openid-connect/token HTTP/1.1

grant_type=refresh_token&
client_id=oio_mock&
refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgO...

HTTP/1.1 400 Bad Request

{
    "error": "invalid_grant",
    "error_description": "Session not active"
}

By default, RTs expire after 30 minutes of inactivity (the refresh_expires_in of 1800 seconds in the responses above), while the session can be kept alive for 10 hours by exchanging tokens at least every 30 minutes.
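The five steps above, and the refresh-failure case at the end of the example, as a client-side loop. This is an added example, not code from the page or from the project it describes; the token endpoint path and client_id are taken from the page, while TokenManager, fake_keycloak and the canned responses it replays are constructed for this illustration.

```python
import time
TOKEN_PATH = "/auth/realms/ehealth/protocol/openid-connect/token"  # endpoint used on the page

class ReauthRequired(Exception):
    pass  # step 5: the RT or the session has expired and the user must authenticate again

class TokenManager:
    """Holds one AT/RT pair. `post(path, form)` is an injected transport returning (status, json)."""
    def __init__(self, post, client_id, now=time.time, skew=30):
        self.post, self.client_id, self.now, self.skew = post, client_id, now, skew
        self.access_token, self.refresh_token, self.at_expires = None, None, 0.0
    def _grant(self, **form):
        status, body = self.post(TOKEN_PATH, dict(client_id=self.client_id, **form))
        if status != 200:  # Keycloak answers 400 invalid_grant, e.g. "Session not active"
            self.access_token = self.refresh_token = None
            raise ReauthRequired(body.get("error_description", body.get("error")))
        # Step 3: the RT returned with the new AT replaces the old RT; the old one is not kept.
        self.access_token, self.refresh_token = body["access_token"], body["refresh_token"]
        self.at_expires = self.now() + body["expires_in"]
        return self.access_token
    def login(self, username, password):  # step 1: password grant yields an AT and an RT
        return self._grant(grant_type="password", username=username, password=password)
    def get_access_token(self):  # steps 2-4: reuse the AT while valid, otherwise refresh
        if self.access_token and self.now() + self.skew < self.at_expires:
            return self.access_token  # still valid (with a clock-skew margin): no round trip
        return self._grant(grant_type="refresh_token", refresh_token=self.refresh_token)

def fake_keycloak(calls):
    """Constructed transport replaying the page's three exchanges; not a real server."""
    script = iter([(200, {"access_token": "AT0", "expires_in": 300, "refresh_token": "RT0"}),
                   (200, {"access_token": "AT1", "expires_in": 300, "refresh_token": "RT1"}),
                   (400, {"error": "invalid_grant", "error_description": "Session not active"})])
    return lambda path, form: (calls.append(form), next(script))[1]

def run_scenario():
    calls, clock = [], [1587013546.0]  # RT0's iat on the page serves as t0 of the fake clock
    tm = TokenManager(fake_keycloak(calls), "oio_mock", now=lambda: clock[0])
    tm.login("cgi_clinical_b", "<password>")  # placeholder, not a real credential
    first = tm.get_access_token()  # fresh AT, served from memory without a request
    clock[0] += 280                # inside the skew window -> refresh with RT0
    second = tm.get_access_token()
    clock[0] += 36000              # far past the session lifetime -> server rejects RT1
    reauth = False
    try:
        tm.get_access_token()
    except ReauthRequired:
        reauth = True
    rts_sent = [f["refresh_token"] for f in calls if f["grant_type"] == "refresh_token"]
    return first, second, reauth, rts_sent
```

run_scenario() returns ("AT0", "AT1", True, ["RT0", "RT1"]): one refresh with RT0, then the rotated RT1 is rejected with "Session not active" and the client falls back to a fresh login.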

...