Access Token expiration question #11

Open
cooperthompson opened this issue Jan 17, 2024 · 4 comments

@cooperthompson

When an EHR provides an access token as part of the manifest for HRSA to use to download files from the submitter, I don't see any language around how to handle expiration of that access token.

Access tokens should be short-lived (usually 60 minutes or less). We expect some health systems will have >4 million resources to submit. Assuming ~1000 resources per file, that would be 400 files of 1000 resources per file. If the HRSA infrastructure is doing validation on each resource, I could see the download process taking longer than an hour, in which case the access token would expire before all files get downloaded.

The specifics of file downloading are an internal HRSA implementation detail, but with the current spec, there is an implicit requirement that the HRSA download job completes before the access token expires. Given that there isn't guidance on how long the tokens last (some vendors might only issue 5 minute access tokens), it seems like either:

  1. The HRSA file download process will have to be super fast.
  2. Large submissions from health centers will always fail. And we probably won't run into that with small scale testing.

I'm not sure what the answer is, but some options could be:

  1. Having HRSA register a confidential client with each health center, and do a SMART backend flow to get tokens for use as part of the file download.
  2. Use a non-OA2 token based protocol for securing the file download (like client certificates or something)
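Added illustration (not part of the original issue or the project's spec): a small simulation of the failure mode described in this comment, next to the first option it raises. The 60-minute token and 400 files come from the comment; `FakeSubmitter`, `download_job`, `resubmit`, the `renew` callback, the 12-second per-file cost and the example URL are constructed assumptions.

```python
# Constructed simulation; all names and timings here are illustrative assumptions.
class FakeSubmitter:
    """Stand-in for the health center's token issuer and file endpoint."""
    def __init__(self, token_lifetime_s):
        self.now = 0                      # simulated clock, in seconds
        self.lifetime = token_lifetime_s
        self.expiry = {}                  # token -> expiry time

    def issue_token(self):
        token = f"tok-{len(self.expiry) + 1}"
        self.expiry[token] = self.now + self.lifetime
        return token

    def get_file(self, url, token):
        # The token is opaque to the downloader: expiry only shows up as a 401.
        return 200 if self.now < self.expiry.get(token, -1) else 401


def download_job(submitter, n_files, per_file_s, token, renew=None):
    """Download n_files sequentially; return (files_completed, outcome).

    renew is a hypothetical callback modelling a downloader that can obtain
    its own tokens (for example as a registered backend client) instead of
    depending on the single token carried in the manifest.
    """
    for i in range(n_files):
        url = f"https://submitter.example/files/{i}.ndjson"  # placeholder URL
        status = submitter.get_file(url, token)
        if status == 401 and renew is not None:
            token = renew()               # get a fresh token, retry this file once
            status = submitter.get_file(url, token)
        if status != 200:
            return i, "failed: 401 token expired"
        submitter.now += per_file_s       # transfer plus per-resource validation
    return n_files, "complete"


def resubmit(submitter, attempts, n_files, per_file_s):
    """Each resubmission carries a fresh manifest token but restarts the job."""
    return [download_job(submitter, n_files, per_file_s, submitter.issue_token())
            for _ in range(attempts)]


if __name__ == "__main__":
    s = FakeSubmitter(token_lifetime_s=3600)
    print(resubmit(s, 3, n_files=400, per_file_s=12))   # stalls at file 300 every time
    s = FakeSubmitter(token_lifetime_s=3600)
    print(download_job(s, 400, 12, s.issue_token(), renew=s.issue_token))
```

With these numbers every resubmission stops at the same file, while the renewing downloader finishes with two tokens issued.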

@cooperthompson
Author

Also, if the HRSA file download process fails or times out for some reason, is the health center expected to just resubmit after a certain amount of time? If the download process will always fail because it isn't fast enough to get the data before token expiration, it seems like that would lead to an infinite loop of health center resubmission and HRSA job failure.

@cooperthompson
Author

Note that the resourceUrlExpirationTime in the manifest is the expiration of the URL, not for the access token. I don't think HRSA has any way to discover the expiration time of an access token presented in the manifest.

@nbashyam
Contributor

Thanks Cooper, we are discussing these concerns and will get back to you.

@cooperthompson
Author

Would it make sense to have a collaborative discussion on a call focused on spec iteration, like we do for many other FHIR specs?
