...
1. The user logs in and gets back an AT and an RT.
2. The application detects that the AT is expired or that a different AT is required.
3. The application uses the RT to obtain a new AT and a new RT that replaces the old RT.
4. Repeat 2 and 3 until the RT or the session expires.
5. After the RT or the session expires, the user must authenticate again.
By default RTs expire after 30 minutes of inactivity, while the session can be kept alive for 10 hours by exchanging tokens at least every 30 minutes.
It is highly recommended that the application always uses the RT from the latest exchange, as this will be valid the longest. The validity of old RTs cannot be guaranteed, as the AS may at some point in the future be configured to revoke RTs after a certain number of uses.
Example:
Login request (direct grant):
== LOGIN ==
POST /auth/realms/ehealth/protocol/openid-connect/token HTTP/1.1
grant_type=password&
username=cgi_clinical_b&
password=Test1234&
client_id=oio_mock
Response with AT1 and RT1:
HTTP/1.1 200 OK
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO...",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgO...",
"token_type": "bearer",
"not-before-policy": 1587013531,
"session_state": "c9b7eeb5-4d59-4016-9626-1e3587bfff35",
"scope": "profile oio_custom email"
}
== RT1 (decoded) ==
{
"jti": "c7c9fd0e-6145-48a1-b7da-a37888c81bbd",
"exp": 1587015346,
"nbf": 0,
"iat": 1587013546,
"iss": "https://saml.fut.trifork.com/auth/realms/ehealth",
"aud": "https://saml.fut.trifork.com/auth/realms/ehealth",
"sub": "7aee9a6c-906c-4dd1-ab9b-3d5ceaeac38e",
"typ": "Refresh",
"azp": "oio_mock",
"auth_time": 0,
"session_state": "c9b7eeb5-4d59-4016-9626-1e3587bfff35",
"realm_access": {
"roles": [
"Organization.read",
"Task.search",
...
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "profile oio_custom email"
}
== Refresh with RT1 ==
Requesting new AT using RT1:
POST /auth/realms/ehealth/protocol/openid-connect/token HTTP/1.1
grant_type=refresh_token&
client_id=oio_mock&
refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgO...
Response with AT2 and RT2:
HTTP/1.1 200 OK
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO...",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgO...",
"token_type": "bearer",
"not-before-policy": 1587013531,
"session_state": "c9b7eeb5-4d59-4016-9626-1e3587bfff35",
"scope": "profile oio_custom email"
}
== RT2 (decoded) ==
{
"jti": "779263ee-cfe3-4b59-b456-4553dadfb82b",
"exp": 1587015623,
"nbf": 0,
"iat": 1587013823,
"iss": "https://saml.fut.trifork.com/auth/realms/ehealth",
"aud": "https://saml.fut.trifork.com/auth/realms/ehealth",
"sub": "7aee9a6c-906c-4dd1-ab9b-3d5ceaeac38e",
"typ": "Refresh",
"azp": "oio_mock",
"auth_time": 0,
"session_state": "c9b7eeb5-4d59-4016-9626-1e3587bfff35",
"realm_access": {
"roles": [
"Organization.read",
"Task.search",
...
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "profile oio_custom email"
}
== expired session with RT2 ==
Attempt to request a new AT using RT2 after the session has expired:
POST /auth/realms/ehealth/protocol/openid-connect/token HTTP/1.1
grant_type=refresh_token&
client_id=oio_mock&
refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgO...
Error response:
HTTP/1.1 400 Bad Request
{
"error": "invalid_grant",
"error_description": "Session not active"
}
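The refresh loop from the steps at the top of this page, replayed over the trace above, as an added example that is not part of the original page, of Keycloak, or of the project's own code: a small Python client that keeps only the RT from the latest exchange, refreshes when the AT is about to expire, and falls back to re-authentication when the AS answers invalid_grant. The token endpoint, clock and credentials are constructed stand-ins (FakeAuthServer, FakeClock, run_scenario, the example-user credentials and the "Refresh token superseded" message are assumptions made for this example); the lifetimes are the page's defaults. Against a real AS, token_endpoint would be an HTTP POST to the /protocol/openid-connect/token URL shown above.

```python
import uuid
from typing import Callable, Dict, Tuple

ACCESS_LIFETIME = 300        # "expires_in" in the responses above
REFRESH_LIFETIME = 1800      # "refresh_expires_in": 30 min of inactivity
SESSION_MAX = 10 * 3600      # the session can be kept alive for at most 10 h

class FakeClock:             # constructed: lets the example jump hours ahead offline
    def __init__(self, start: float): self.now = float(start)
    def __call__(self) -> float: return self.now

class FakeAuthServer:
    """Constructed stand-in for the token endpoint (not Keycloak code): opaque tokens."""
    def __init__(self, clock: Callable[[], float], revoke_on_reuse: bool = False):
        self.clock, self.revoke_on_reuse = clock, revoke_on_reuse
        self.sessions: Dict[str, dict] = {}       # session_state -> started / last / rt

    def _issue(self, state: str) -> dict:
        rt = f"{state}.{uuid.uuid4()}"            # RT carries its session_state
        self.sessions[state]["rt"] = rt           # the newest RT supersedes older ones
        return {"access_token": str(uuid.uuid4()), "expires_in": ACCESS_LIFETIME, "token_type": "bearer",
                "refresh_expires_in": REFRESH_LIFETIME, "refresh_token": rt, "session_state": state}

    def token(self, form: dict) -> Tuple[int, dict]:
        """Mimics POST .../protocol/openid-connect/token -> (status, JSON body)."""
        now = self.clock()
        if form.get("grant_type") == "password":  # direct grant, as in the trace
            state = str(uuid.uuid4())
            self.sessions[state] = {"started": now, "last": now}
            return 200, self._issue(state)
        state = form.get("refresh_token", "").split(".")[0]
        s = self.sessions.get(state)
        if s is None or now - s["started"] > SESSION_MAX or now - s["last"] > REFRESH_LIFETIME:
            return 400, {"error": "invalid_grant", "error_description": "Session not active"}
        if self.revoke_on_reuse and form["refresh_token"] != s["rt"]:  # stand-in's own wording
            return 400, {"error": "invalid_grant", "error_description": "Refresh token superseded"}
        s["last"] = now
        return 200, self._issue(state)

class ReauthenticationRequired(Exception):
    """Step 5: the RT or the session has expired and the user must log in again."""

class TokenSession:
    """Client side of steps 2-4: keep only the latest RT, refresh when the AT is (nearly) expired."""
    def __init__(self, token_endpoint, clock: Callable[[], float], client_id: str = "oio_mock"):
        self.token_endpoint, self.clock, self.client_id = token_endpoint, clock, client_id
        self.access_token = self.refresh_token = None
        self.at_expires_at, self.exchanges = 0.0, 0

    def exchange(self, form: dict) -> None:
        """One round trip to the token endpoint; on failure the held tokens are dropped."""
        status, body = self.token_endpoint({"client_id": self.client_id, **form})
        if status != 200:
            self.access_token = self.refresh_token = None
            raise ReauthenticationRequired(body.get("error_description", body["error"]))
        self.access_token = body["access_token"]
        self.at_expires_at = self.clock() + body["expires_in"]
        self.refresh_token = body["refresh_token"]  # step 3: the old RT is discarded
        self.exchanges += 1

    def get_access_token(self, skew: int = 10) -> str:
        if self.access_token and self.clock() < self.at_expires_at - skew:
            return self.access_token                # step 2: still valid, no exchange
        if self.refresh_token is None:
            raise ReauthenticationRequired("not logged in")
        self.exchange({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        return self.access_token

def run_scenario() -> dict:
    """Replays the timeline of the trace above against the stand-in."""
    start = 1587013546                              # constructed: the iat of RT1 above
    clock, out = FakeClock(start), {}
    server = FakeAuthServer(clock, revoke_on_reuse=True)
    session = TokenSession(server.token, clock)

    def after(seconds: float) -> str:              # advance, then AT or the re-login reason
        clock.now += seconds
        try:
            return session.get_access_token()
        except ReauthenticationRequired as e:
            return f"reauth: {e}"

    login = {"grant_type": "password", "username": "example-user", "password": "example-password"}
    session.exchange(login)                         # step 1 (constructed credentials)
    first_rt = session.refresh_token
    after(100)
    out["exchanges_while_at_valid"] = session.exchanges   # 1: AT reused, no refresh
    after(300)
    out["exchanges_after_at_expiry"] = session.exchanges  # 2: refreshed with RT1
    out["rt_rotated"] = session.refresh_token != first_rt  # RT2 replaced RT1
    stale = {"grant_type": "refresh_token", "client_id": "oio_mock", "refresh_token": first_rt}
    out["stale_rt_status"] = server.token(stale)[0]        # 400: RT1 is no longer the latest
    while clock() - start + 25 * 60 < SESSION_MAX:         # keep the session alive
        after(25 * 60)
    out["kept_alive_hours"] = round((clock() - start) / 3600, 2)
    out["after_session_max"] = after(25 * 60)              # now past the 10 h maximum
    session.exchange(login)                                # log in again, then go idle
    out["after_inactivity"] = after(31 * 60)               # longer than the RT lifetime
    return out
```

Calling run_scenario() shows one exchange while the AT is still valid, a second once it has expired, a 400 when the superseded RT1 is presented to a stand-in configured to refuse reused RTs, the session surviving just under 10 hours of 25-minute exchanges, and "Session not active" both past the 10-hour maximum and after 31 idle minutes. The client judges AT expiry from expires_in and its own clock (with a small skew margin) rather than by decoding the token, and treats any non-200 answer from the token endpoint as the end of the session.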
...
Offline Tokens
Offline access is a feature described in the OpenID Connect specification. The idea is that during login, your client application requests an Offline token instead of a classic Refresh token. The application can save this offline token in a database or on disk.
...