  1. FOLIO
  2. FOLIO-2556

SPIKE: investigate refresh tokens support in FOLIO


Details

    • CP: sprint 86, CP: sprint 87, CP: sprint 126, CP: sprint 127, CP: sprint 128
    • 3
    • Core: Platform

    Description

      Relates to FOLIO-1233 – this ticket needs to be updated with an implementation plan.

      See https://wiki.folio.org/display/DD/Refresh+Tokens

      See https://docs.google.com/document/d/1K_QdgnOo2wOSfY-rQ8phOD6nCO_3jvdAnEG0BEqtnjU/edit# "FOLIO Authentication Token Architecture Improvements"

      Much of the outstanding work is fairly straightforward. However, in reading through the comments in FOLIO-1233, and based on conversations I've had with frontend developers, it seems the two biggest unknowns are:

      • How do we handle access token expiration in the context of module-to-module communication?
        • Always check token expiry during authorization
        • Tokens w/o a valid expiration will be rejected
        • Tokens generated for module-to-module purposes have a new expiration - this should be long enough that request timeouts will likely happen before tokens expire, but will mitigate the impact of a sniffed/stolen token.
      • How do we incorporate refresh tokens into the UI?
        • Discussed with zburke - Will create a story (Spike) against stripes-connect and elicit feedback from the stripes community
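
The three module-to-module rules above, sketched as an added example (not FOLIO code): expiry is checked on every authorization, a token without a valid `exp` is rejected, and a derived module-to-module token gets its own new expiration. The HS256 token format, the demo key, the `calling_module` claim and the 600-second TTL are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; a real signing key comes from configuration
MODULE_TOKEN_TTL = 600  # assumed, in seconds; the ticket only asks that it outlast request timeouts

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(head, body):
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims):
    """Serialize claims as a compact HS256-signed token."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(head, body))}"

def authorize(token, now=None):
    """Verify the signature, then enforce expiry; runs on every authorization."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_mac(head, body), _unb64(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64, bad JSON
        raise PermissionError("malformed token") from None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    # A token without a valid expiration is rejected, never treated as non-expiring.
    # Assumption of this example: only an integer number of seconds counts as valid.
    if type(exp) is not int:
        raise PermissionError("missing or invalid exp")
    if now >= exp:
        raise PermissionError("token expired")
    return claims

def module_token(incoming, module, now=None):
    """Mint a module-to-module token that carries its own new expiration."""
    now = int(time.time() if now is None else now)
    claims = authorize(incoming, now)  # never derive from an expired or unsigned token
    # "calling_module" is a hypothetical claim name used only in this example.
    return sign({**claims, "calling_module": module, "exp": now + MODULE_TOKEN_TTL})
```
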

              People

                stevel Steve Ellis
                jakub Jakub Skoczen