I'm trying to implement refresh tokens in our app and I see that I need to switch my scope request from "online_access" to "offline_access" in order to satisfy my requirement. Is there anything I need to do to get my application approved for the "offline_access" scope?
Steps:
- I'm supplying the “offline_access” scope as a part of the corresponding query parameter in my request to trigger the authorization flow:
https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/patient/authorize?client_id=<CLIENT_ID>&response_type=code&redirect_uri=&scope=openid%20fhirUser%20profile%20offline_access&launch=&aud=https%3A%2F%2Ffhir-ehr.cerner.com%2Fr4%2Fec2458f2-1e24-41c8-b71b-0e701af7583d%2F&state=1d8b1965-4fd6-41c8-92ed-783190125e60
- Using the code received as a result of the first leg of the process, I am making a second call to retrieve the token(s):
curl --location 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic <Base64(CLIENT_ID:CLIENT_SECRET)>' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=<CODE>' \
--data-urlencode 'client_id=<CLIENT_ID>'
In the response received as a result of step 2, the refresh token is missing. Further, the requested scope “offline_access” has vanished from the list of scopes (all other requested scopes are present). Neither of these two things happens when the scope “online_access” is used instead.
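As an added example (not from the original post or from Cerner's documentation), a small Python helper that builds the step-2 token request from the post and audits the token response for the two symptoms described: the silently dropped "offline_access" scope and the absent refresh_token. The token URL and requested scopes are taken from the post; the response JSON below is constructed to mirror what the post describes, not a real server reply.

```python
import base64
from urllib.parse import urlencode

# Token endpoint and scopes exactly as they appear in the post.
TOKEN_URL = ("https://authorization.cerner.com/tenants/"
             "ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token")
REQUESTED_SCOPES = "openid fhirUser profile offline_access"


def build_token_request(code, client_id, client_secret):
    """Return (headers, body) for the authorization_code exchange in step 2.

    Mirrors the post's curl call: Basic auth with client_id:client_secret and a
    form-encoded body carrying grant_type, code and client_id.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {creds}",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
    })
    return headers, body


def audit_token_response(response_json, requested_scopes=REQUESTED_SCOPES):
    """Compare granted scopes against the requested ones and check for a refresh token.

    OAuth servers may grant fewer scopes than requested, so a client must read the
    'scope' field of the response rather than assume the request was honoured.
    """
    granted = set(response_json.get("scope", "").split())
    requested = set(requested_scopes.split())
    return {
        "dropped_scopes": sorted(requested - granted),
        "offline_access_granted": "offline_access" in granted,
        "refresh_token_present": bool(response_json.get("refresh_token")),
    }


# Constructed sample response reproducing the post's observation: offline_access
# is missing from the granted scopes and no refresh_token is returned.
SAMPLE_RESPONSE = {
    "access_token": "<ACCESS_TOKEN>",
    "token_type": "Bearer",
    "expires_in": 570,
    "scope": "openid fhirUser profile",
}

if __name__ == "__main__":
    print(audit_token_response(SAMPLE_RESPONSE))
```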