Data Sharing Framework is Missing Session Timeout for OIDC Sessions
OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.
Advisories for Maven/Dev.dsf/Dsf-Bpe-Server package
2026
Data Sharing Framework is Missing Session Timeout for OIDC Sessions
OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.
Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache
The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming …