
Issue tracker for Aidbox FHIR backend by Health Samurai

[BUG] Access token does not expire #480

Closed pavlushkin closed 2 years ago

pavlushkin commented 2 years ago

Describe the bug
According to HIPAA rules, we are going to implement automatic logout for the SPA. We tried to configure the client, but it looks like it does not work.

Severity: Major

Steps to reproduce the behavior:

  1. Create a Client:
     id: SPA
     resourceType: Client
     secret: '123456'
     grant_types:
       - password
     auth:
       password:
         access_token_expiration: 100
  2. Do a request using these params:
     {
         url: '/auth/token',
         method: 'POST',
         data: {
             username: data.email,
             password: data.password,
             client_id: 'SPA',
             client_secret: '123456',
             grant_type: 'password',
         },
     }
  3. Wait 10 minutes and try to access data using the token.

Expected behavior
Access token becomes invalid after the provided expiration time.

Versions:

KGOH commented 2 years ago

@pavlushkin hello, we don't currently support token expiration for non-jwt tokens. Could you please try to reproduce your issue with such Client resource:

id: SPA
resourceType: Client
grant_types:
  - password
secret: '123456'
auth:
  password:
    access_token_expiration: 100
    token_format: jwt

Here's a notebook with the steps we did: https://aidbox.app/ExportedNotebook/fbb964aa-22f1-4bd2-ae03-77e522a582d7. Expiration works as expected.
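The reproduction steps above boil down to "wait longer than access_token_expiration and see whether the token is still accepted", and the fix is that the expiry only applies once token_format is jwt. The following Python is an added example, not code from the Aidbox project or from this thread: it builds a constructed HS256 JWT with iat/exp claims standing in for what a jwt-format token would carry, and shows the two checks a practitioner would run on a real token from /auth/token: does it carry an exp claim at all (a non-jwt opaque token will not), and is exp minus iat equal to the configured 100 seconds. The secret, claims and timestamps are constructed for the example; the verification helper is a client-side sanity check, and the server still has to enforce exp on every request.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; the secret and lifetime mirror the
# Client resource in the thread, everything else is made up.
CLIENT_SECRET = b"123456"
ACCESS_TOKEN_EXPIRATION = 100  # seconds


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(issued_at: int, secret: bytes = CLIENT_SECRET,
               lifetime: int = ACCESS_TOKEN_EXPIRATION) -> str:
    """Build a minimal HS256 JWT with iat/exp claims. This is a constructed
    stand-in for a token issued with token_format: jwt, not Aidbox's own format."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "user@example.com", "client_id": "SPA",
               "iat": issued_at, "exp": issued_at + lifetime}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def token_lifetime(token: str) -> int:
    """exp - iat, read without verifying the signature. Use this on a token
    from /auth/token to confirm access_token_expiration was applied."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if "exp" not in claims or "iat" not in claims:
        raise ValueError("token has no exp/iat claims (opaque non-jwt token?)")
    return claims["exp"] - claims["iat"]


def verify_token(token: str, secret: bytes = CLIENT_SECRET, now=None) -> dict:
    """Check structure, signature and expiry. Returns the claims on success
    and raises ValueError otherwise, so callers cannot ignore a bad token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Never accept whatever alg the token names; pin the expected one.
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims:
        raise ValueError("token carries no exp claim")
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    issued = int(time.time())
    tok = make_token(issued)
    print("lifetime:", token_lifetime(tok))                 # 100
    print("valid now:", verify_token(tok)["client_id"])     # SPA
    try:
        verify_token(tok, now=issued + 600)                 # "wait 10 minutes"
    except ValueError as exc:
        print("after 10 minutes:", exc)                     # token expired
```

Running it with a token obtained via the password grant instead of make_token: paste the access_token into token_lifetime and expect 100; if it raises because there is no exp claim, the Client is still issuing the opaque format and the token_format: jwt setting from the reply above has not taken effect.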

Nesmeshnoy commented 2 years ago

@pavlushkin does it work for you?

pavlushkin commented 2 years ago

@Nesmeshnoy, it works perfectly, thank you!