Accessing APIs with Client Credentials Grant and extend the token expiry time

pritish_jain · January 13, 2025, 5:08pm

I have been following this document to get client credentials grant for accessing the APIs. openemr/API_README.md at master · openemr/openemr · GitHub

It is understood that token provided using this grant is short lived (1 minute as stated) and refresh token is not issues. But If I were to use it in a closed environment what would be the option to extend the expiry time and if there are not expiry time is there any way to add refresh token to the response?

stephenwaite · January 13, 2025, 5:51pm

Hi @pritish_jain, it’s still possible to obtain the refresh token with that grant type even though not recommended.

adunsulag · January 13, 2025, 10:07pm

@stephenwaite have you seen this working with offline_access on client credentials grant? Pretty sure this gets tested as an inferno test case and should be rejected.

As for modifying the time, use at your own risk but the code option is here:

github.com

openemr/openemr/blob/1bf6c7dcb4ed66a0632dcfc8d8412903a1054ef8/src/Common/Auth/OpenIDConnect/Grant/CustomClientCredentialsGrant.php#L329


      
          $token = null;
          try {
              // http client required for fetching jwks from the jwks uri and makes unit testing easier
              $jsonWebKeySet = new JsonWebKeySet($this->getHttpClient(), $client->getJwksUri(), $client->getJwks());
          
          
              $configuration = Configuration::forUnsecuredSigner();
              $configuration->setValidationConstraints(
                  // we only allow 1 minute drift (note the 'T' specifier here, super important as we want to do time
                  // we had a bug here where P1M was a 1 month drift which is BAD.
                  new ValidAt(new SystemClock(new \DateTimeZone(\date_default_timezone_get())), new \DateInterval('PT1M')),
                  new SignedWith(new RsaSha384Signer(), $jsonWebKeySet),
                  new IssuedBy($client->getIdentifier()),
                  new PermittedFor($this->authTokenUrl), // allowed audience
                  new UniqueID($jwtRepository)
              );
          
              // Attempt to parse and validate the JWT
              $jwt = $this->getJWTFromRequest($request);
              // issuer = issue URI of sender application so redirectUri
              // subject claim

Edited Had wrong link.

stephenwaite · January 14, 2025, 5:07pm

hi @adunsulag , thanks for pointing that out. Sorry about that @pritish_jain.