Uploaded image for project: 'FOLIO'
  1. FOLIO
  2. FOLIO-2556

SPIKE: investigate refresh tokens support in FOLIO

    XMLWordPrintable

Details

    • CP: sprint 86, CP: sprint 87, CP: sprint 126, CP: sprint 127, CP: sprint 128
    • 3
    • Core: Platform

    Description

      Relates to FOLIO-1233 – this ticket needs to be updated with an implementation plan.

      See https://wiki.folio.org/display/DD/Refresh+Tokens

      See https://docs.google.com/document/d/1K_QdgnOo2wOSfY-rQ8phOD6nCO_3jvdAnEG0BEqtnjU/edit# "FOLIO Authentication Token Architecture Improvements"

      Much of the outstanding work is fairly straight forward. However, in reading through the comments in FOLIO-1233, and based on conversations I've had with frontend developers, it seems the two biggest unknowns are:

      • How do we handle access token expiration in the context of module-to-module communication
        • Always check token expiry during authorization
        • Tokens w/o a valid expiration will be rejected
        • Tokens generated for module-to-module purposes have a new expiration - this should be long enough that request timeouts will likely happen before tokens expire, but will mitigate the impact of a sniffed/stolen token.
      • How do we incorporate refresh tokens into the UI.
        • Discussed with zburke - Will create a story (Spike) against stripes-connect and elicit feedback from the stripes community

      TestRail: Results

        Attachments

          Issue Links

            blocks

            Umbrella - FOLIO-2524 Security Audit raised issues

            • P2 - normal priority level, must be included in the current development cycle
            • Open

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODAT-64 Enforce access token expiration

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. STCON-101 SPIKE: use and rotate refresh tokens

            • P2 - normal priority level, must be included in the current development cycle
            • Closed
            relates to

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. EDGCOMMON-22 Implement Silent Refresh

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Draft

            New Feature - New feature requests FOLIO-1233 Implement refresh tokens

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODAT-64 Enforce access token expiration

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODAT-66 Gracefully handle access token expiration in module-to-module communication

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Open

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODAT-67 One-time use refresh tokens

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODAT-68 Use JWT for refresh tokens

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODAT-69 Refactor/combine /token and /refreshtoken endpoints

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODLOGSAML-57 Furnish a refresh token upon login

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Open

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. SIP2-71 Spike: Determine and implement strategy for handling X-Okapi-Token expiration/invalidation

            • P2 - normal priority level, must be included in the current development cycle
            • Open

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. STCON-101 SPIKE: use and rotate refresh tokens

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. FOLIO-2523 SPIKE: improve design of authn/z

            • P2 - normal priority level, must be included in the current development cycle
            • Blocked

            Bug - A problem which impairs or prevents the functions of the product. MODAT-60 Token invalid across cluster

            • TBD - To be determined
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODAT-65 Configurable access/refresh token expiration

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Draft

            New Feature - New feature requests MODLOGIN-119 change login API to return tokens in the body and not in private headers

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. STCOR-484 implement client-side handling of refresh tokens

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • In progress

            Activity

              People

                stevel Steve Ellis
                jakub Jakub Skoczen
                Votes:
                0 Vote for this issue
                Watchers:
                10 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases