Update: Date changed to Thursday, Nov 12th.
On Nov 12th we will be updating the keys used to create HealthVault credential tokens (which enable the “Keep me signed-in” feature). Depending on the configuration of your application ID, and whether or not your application appropriately handles HealthVault Error Code 7 (translated by the .NET SDK to HealthServiceCredentialTokenExpiredException), your users may need to take action.
Your users may be impacted if your application relies on persistent user tokens – i.e. you have configured the “Automatic user sign-in duration” field in the Application Configuration Center (sample screenshot in Fig 1.). If your application leverages the HealthVault .NET SDK, the SDK will automatically store a persistent cookie on the user’s machine with the expiry set to the number of seconds that you have configured. If your application is not leveraging the .NET SDK, you have determined how you want to persist the token and are managing its expiry.
Fig 1. Application Configuration for “Keep me signed-in” feature.
Once our keys have been updated on Nov 11th, these user tokens will no longer be valid. When users who have previously checked the “Keep me signed in” box (sample screenshot below, Fig 2.) interact with a feature in your application that requires them to be signed into HealthVault, their token will not be accepted by the HealthVault platform, and your application will receive an error from HealthVault.
Fig 2. HealthVault Sign-In process showing “Keep me signed-in” feature.
The impacted workflow is as follows:
1. A user who has previously checked the “Keep me signed in” box interacts with your application and initiates an action that requires them to be signed in to HealthVault.
2. Since a persistent token exists for the user, they will not be redirected to HealthVault to log in. Whether your application uses the .NET SDK or not, the token will be presumed to be valid if it is not yet expired.
3. Your application will then attempt to use that token to make a request to HealthVault.
The result will be an error back from HealthVault – Error Code 7, or HealthServiceCredentialTokenExpiredException (.NET SDK). Your application should be handling this situation by removing the cookie/deleting the token, and redirecting the user to HealthVault to sign in (sample for .NET). If your application is not appropriately handling this error, your users may receive an error from your application. If your application is leveraging the .NET SDK, your guidance to them should be to delete their browser cookies, and we would recommend adding this to your Help files.
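For applications that do not use the .NET SDK and persist the token themselves, the handling described above can look like the following. This is an added example, not HealthVault or SDK code. `TokenStore`, `request_with_persisted_token`, `rotated_platform`, the `send` transport, the sign-in URL and the use of status code 0 for success are assumptions made for illustration.

```python
import time

CREDENTIAL_TOKEN_EXPIRED = 7  # HealthVault Error Code 7, as named on this page
STATUS_OK = 0                 # assumed success code for this sketch
SIGN_IN_URL = "https://healthvault.example/sign-in"  # placeholder, not a real endpoint


class TokenStore:
    """Hypothetical persistent token store (stands in for a cookie or DB row)."""

    def __init__(self):
        self._tokens = {}

    def save(self, user_id, token, expires_at):
        self._tokens[user_id] = (token, expires_at)

    def load(self, user_id, now):
        # Only the locally tracked expiry is checked here, as in step 2 above.
        token, expires_at = self._tokens.get(user_id, (None, 0))
        return token if token and expires_at > now else None

    def delete(self, user_id):
        self._tokens.pop(user_id, None)


def request_with_persisted_token(user_id, store, send, now=None):
    """Make one request for a "Keep me signed in" user.

    `send(token)` is a hypothetical transport returning (status_code, body).
    Returns ("ok", body) or ("redirect", SIGN_IN_URL).
    """
    now = time.time() if now is None else now
    token = store.load(user_id, now)
    if token is None:
        store.delete(user_id)
        return ("redirect", SIGN_IN_URL)
    code, body = send(token)
    if code == CREDENTIAL_TOKEN_EXPIRED:
        # The local expiry said "valid" but the platform rejected the token
        # (for example after the keys are updated). Delete it so it is never
        # replayed, then send the user back through sign-in.
        store.delete(user_id)
        return ("redirect", SIGN_IN_URL)
    if code != STATUS_OK:
        raise RuntimeError(f"HealthVault request failed with code {code}")
    return ("ok", body)


def rotated_platform(valid_tokens):
    """Constructed stand-in for the platform after the keys are updated."""
    return lambda token: ((STATUS_OK, "<data/>") if token in valid_tokens
                          else (CREDENTIAL_TOKEN_EXPIRED, ""))
```

Deleting the stored token before redirecting is what keeps the user from hitting the same error on every later request.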
As an aside, if your users are using HealthVault Connection Center to upload data from a device, they will need to either sign out and sign back in, exit and restart the application, or restart their computer. They will receive an upload error until they do so.
UPDATE: Added link to sample showing how to Handle HealthServiceCredentialTokenExpiredException.