Feat: Configure refresh token expiry #4525
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
3 Ignored Deployments
|
|
@thejwuscript is attempting to deploy a commit to the Medplum Team on Vercel. A member of the Team first needs to authorize it. |
| "min" : 0, | ||
| "max" : "1", | ||
| "type" : [{ | ||
| "code" : "date" |
There was a problem hiding this comment.
for our use case we'd like to specify a value here which is relative to the current time, not a fixed date parameter.
the expiration value is passed to the jose npm package, which treats number and Date values as the fixed expiration time in the claim (reference here), however string values are converted to a time span relative to the current time (reference here) - which matches the existing behaviour with the 2w default.
i think ideally this property would be a string which could either support the full range of jose formats, or perhaps a subset of this (to allow for easier validation in the medplum middleware)
There was a problem hiding this comment.
Yes I think if we can change the name of this field to refreshTokenLifetime and make it an expiry duration as a string (eg. '2w', '1h', etc.) that maps to jose formats as @josh- pointed out, that would be ideal 👍
There was a problem hiding this comment.
@thejwuscript - just wanted to make sure you saw the above comment from @ThatOneBro . This is our main feedback on the PR
There was a problem hiding this comment.
Yes, thanks very much for the feedback. I'll be making the changes.
Related to issue #4409
This PR allows project admins to optionally configure the expiry of a refresh token for a
ClientApplication.A
refreshTokenExpiryfield is added to theClientApplicationresource. The field is optional to allow backward compatibility. The value is used to generate theexpclaim on a refresh token.UI changes to the Medplum App is not addressed in this PR; it can be included here if necessary, or be made on a separate PR.