Purpose
This WS (web service) renews an access token using a refresh token. The access token can be renewed as many times as needed during the lifetime of the refresh token.
Key points
Refresh token must be valid and not revoked
User must be active and not black-listed
For a confidant person, the relationship must be validated on each refresh
Specification
Validations
Authorization
Verify the validity of the refresh token
in case of error - return 401 (“Invalid access token”)
Verify that token is not expired
in case of error - return 401 (“Token expired.”)
Validate client
Check client_id is submitted
in case of error - return 422 ('can't be blank')
Check client_id exists in the mithril database
in case of error - return 401 ('Invalid client id.')
Check client_secret is submitted
in case of error - return 422 ('can't be blank')
Check client_secret is valid in accordance with client_id
in case of error - return 401 ('Invalid client id or secret.')
Validate refresh token
Check refresh_token is associated with the requested client_id
in case of error - return 401 ('Token not found or expired.')
Validate existing approval
Check that approval exists and is valid for this user and requested client
in case of error - return 401 ('Resource owner revoked access for the client.')
Check relationship between patient and confidant person (optional)
This validation must be done only when user_id and applicant_user_id differ, as that means the request is part of the confidant person process. In that case we must ensure that the relationship between these two persons is still valid.
Get person_id from user_id and applicant_person_id from applicant_user_id
Check the relationship using /wiki/spaces/PCAB/pages/17415995422 with person_id and applicant_person_id
If the scope list in the existing approval contains only scopes from env PIS_NOT_VERIFIED_RELATIONSHIP_SCOPES_ALLOWED, check that the relationship status equals {:ok, {:approved, "Relationship is approved"}} or {:ok, {:not_approved, "Relationship is not approved yet"}}
If the scope list in the existing approval contains scopes beyond those in env PIS_NOT_VERIFIED_RELATIONSHIP_SCOPES_ALLOWED, check that the relationship status equals {:ok, {:approved, "Relationship is approved"}}
If the relationship status is not confirmed - return 401 ('Can’t confirm relationship')
Service logic
Generate a new access_token according to the logic described here: /wiki/spaces/PCAB/pages/17452269702
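The validation chain above, as an added illustrative example in Python (mithril itself is Elixir; this is not the project's code): the checks run in the order the spec lists them, and the scope-dependent relationship rule from the confidant-person section is applied to the approval's scopes. All client, token and approval data, the env allow-list value and the relationship status passed in are constructed fixtures; a real service would read these from the database and call the relationship WS.

```python
import hmac

PIS_NOT_VERIFIED_RELATIONSHIP_SCOPES_ALLOWED = {"relationship:read"}  # constructed env value
CLIENTS = {"client-1": "s3cret"}                                # constructed: client_id -> client_secret
APPROVALS = {("u-patient", "client-1"): {"relationship:read"}}  # constructed: (user_id, client_id) -> scopes
REFRESH_TOKENS = {                                              # constructed refresh-token records
    "rt-self": dict(client_id="client-1", user_id="u-patient", applicant_user_id="u-patient",
                    expires_at=4_102_444_800, revoked=False),
    "rt-conf": dict(client_id="client-1", user_id="u-patient", applicant_user_id="u-confidant",
                    expires_at=4_102_444_800, revoked=False),
}
APPROVED = ("ok", ("approved", "Relationship is approved"))            # {:ok, {:approved, ...}}
NOT_APPROVED = ("ok", ("not_approved", "Relationship is not approved yet"))

class AuthError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def relationship_allowed(scopes, status):
    """A pending relationship passes only if every approved scope is on the env allow-list."""
    if status == APPROVED:
        return True
    return set(scopes) <= PIS_NOT_VERIFIED_RELATIONSHIP_SCOPES_ALLOWED and status == NOT_APPROVED

def refresh(params, now, relationship_status=None):
    """Run the spec's validations in order; return the new access token on success."""
    token = REFRESH_TOKENS.get(params.get("refresh_token"))
    if token is None or token["revoked"]:
        raise AuthError(401, "Invalid access token")
    if token["expires_at"] <= now:
        raise AuthError(401, "Token expired.")
    if not params.get("client_id"):
        raise AuthError(422, "client_id can't be blank")
    if params["client_id"] not in CLIENTS:
        raise AuthError(401, "Invalid client id.")
    if not params.get("client_secret"):
        raise AuthError(422, "client_secret can't be blank")
    if not hmac.compare_digest(CLIENTS[params["client_id"]].encode(), params["client_secret"].encode()):
        raise AuthError(401, "Invalid client id or secret.")
    if token["client_id"] != params["client_id"]:
        raise AuthError(401, "Token not found or expired.")
    scopes = APPROVALS.get((token["user_id"], params["client_id"]))
    if scopes is None:
        raise AuthError(401, "Resource owner revoked access for the client.")
    # Confidant-person flow: user and applicant differ, so the relationship is re-checked on every refresh.
    if token["user_id"] != token["applicant_user_id"] and not relationship_allowed(scopes, relationship_status):
        raise AuthError(401, "Can't confirm relationship")
    return {"access_token": f"at-{token['user_id']}-{int(now)}", "scope": " ".join(sorted(scopes))}
```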