ЕСОЗ - публічна документація
RC_Renew access token using refresh token (CSI-2660)
- Maxim Martynenko (SoE eHealth)
Purpose
This WS is designed to renew access token using refresh token. It is available to renew access token as many time as needed during the lifetime of refresh token
Key points
Refresh token must be valid and not revoked
User must be active and not black-listed
For confidant person it is needed to validate relationship on each refresh
Specification
Validations
Authorization
Verify the validity of the refresh token
in case of error - return 401 (“Invalid access token”)
Verify that token is not expired
in case of error - return 401 (“Token expired.”)
Validate client
Check
client_idis submittedin case of error - return 422 ('can't be blank')
Check
client_idexists in mithril databasein case of error - return 401 ('Invalid client id.')
Check
client_secretis submittedin case of error - return 422 ('can't be blank')
Check
client_secretis valid in accordance toclient_idin case of error - return 401 ('Invalid client id or secret.')
Validate refresh token
Check
refresh_tokenis associated with requestedclient_idin case of error - return 401 ('Token not found or expired.')
Validate existing approval
Check that approval exists and is valid for this user, applicant user and requested client by app_id in refresh token details
in case of error - return 401 ('Resource owner revoked access for the client.')
Validate requested scopes
If refresh token details contain
scope_requestfield that is not empty or null - check that scopes in field are present in existing approval for this user, applicant user and clientin case of error - return 401 ('Resource owner revoked access for the client.')
Check patient legal capacity or relationship between patient and confidant person (optional)
This additional validations must be done only for patients token - if person_id exists in token details and is not empty.
Get applicant_person_id from token details, compare it to person_id from token:
if equal - check whether person corresponds to following rules:
persons age < no_self_registration_age global parameter;
persons age between no_self_registration_age and person_full_legal_capacity_age global parameters and person does not have document with type from PIS_PERSON_LEGAL_CAPACITY_DOCUMENT_TYPES config parameter;
persons age > person_full_legal_capacity_age global parameter and exists at least one active and approved confidant person relationship for person (using following process Check confidant person relationship with person_id =
person_idfrom token details - expected:ok, :approvedresponse)if person does not correspond to rules - skip validation
if person corresponds to rules - check that requested scopes (from
scope_requestor existing approval) exist in PIS_READ_ONLY_SCOPES_ALLOWED config parameterin case of error - return 422 ('Requested scopes do not match with allowed scopes for the user.')
if not equal - get confidant person relationship status using following process Check confidant person relationship with person_id =
person_idand confidant_person_id =applicant_person_idfrom token details:if process returns
:error, :not_found- return 401 ('Can’t confirm relationship')if process returns
:ok, :approved- skip validationif process returns
:ok, :not_approved- check that requested scopes (fromscope_requestor existing approval) exist in PIS_NOT_VERIFIED_RELATIONSHIP_SCOPES_ALLOWED config parameterin case of error - return 422 ('Requested scopes do not match with allowed scopes for the user.')
Service logic
Generate new
access_tokenaccording to the logic, described here Exchange oAuth Code Grant to Access Token | Logicif refresh token details contain
scope_requestfield that is not empty or null - use its scopes for new access token.if refresh token details does not contain
scope_requestfield or contains but field is empty or null - use scopes from existing approval for this user, applicant user and client for new access token.
ЕСОЗ - публічна документація