Details
Type: Task
Status: Closed
Priority: P3
Resolution: Done
Sprint: CP: sprint 86, CP: sprint 87, CP: sprint 126, CP: sprint 127, CP: sprint 128
Story Points: 3
Development Team: Core: Platform
Description
Relates to FOLIO-1233 – this ticket needs to be updated with an implementation plan.
See https://wiki.folio.org/display/DD/Refresh+Tokens
See https://docs.google.com/document/d/1K_QdgnOo2wOSfY-rQ8phOD6nCO_3jvdAnEG0BEqtnjU/edit# "FOLIO Authentication Token Architecture Improvements"
Much of the outstanding work is fairly straightforward. However, in reading through the comments in FOLIO-1233, and based on conversations I've had with frontend developers, it seems the two biggest unknowns are:
- How do we handle access token expiration in the context of module-to-module communication
  - Always check token expiry during authorization
  - Tokens w/o a valid expiration will be rejected
  - Tokens generated for module-to-module purposes have a new expiration - this should be long enough that request timeouts will likely happen before tokens expire, but will mitigate the impact of a sniffed/stolen token.
- How do we incorporate refresh tokens into the UI.
  - Discussed with zburke - Will create a story (Spike) against stripes-connect and elicit feedback from the stripes community
Issue Links
blocks
- FOLIO-2524 Security Audit raised issues (Open)
- MODAT-64 Enforce access token expiration (Closed)
- STCON-101 SPIKE: use and rotate refresh tokens (Closed)
relates to
- EDGCOMMON-22 Implement Silent Refresh (Draft)
- FOLIO-1233 Implement refresh tokens (Closed)
- MODAT-64 Enforce access token expiration (Closed)
- MODAT-66 Gracefully handle access token expiration in module-to-module communication (Open)
- MODAT-67 One-time use refresh tokens (Closed)
- MODAT-68 Use JWT for refresh tokens (Closed)
- MODAT-69 Refactor/combine /token and /refreshtoken endpoints (Closed)
- MODLOGSAML-57 Furnish a refresh token upon login (Open)
- SIP2-71 Spike: Determine and implement strategy for handling X-Okapi-Token expiration/invalidation (Open)
- STCON-101 SPIKE: use and rotate refresh tokens (Closed)
- FOLIO-2523 SPIKE: improve design of authn/z (Blocked)
- MODAT-60 Token invalid across cluster (Closed)
- MODAT-65 Configurable access/refresh token expiration (Closed)
- MODLOGIN-119 change login API to return tokens in the body and not in private headers (Closed)
- STCOR-484 implement client-side handling of refresh tokens (In progress)