The core platform has been modified to support two security enhancements:
1. Token expiration
2. Token revocation
All modules that rely on the current login interface of mod-login need to replace use of the authn/login endpoint with the new authn/login-with-expiry endpoint.
This new endpoint will return a token pair consisting of a refresh token (RT) and an access token (AT) in the form of Set-Cookie headers. Both the AT and RT have a TTL, and the RT may be used to request a new AT/RT pair prior to expiration.
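A client-side sketch of handling the token pair described above, added here as an example and not taken from FOLIO's own code. The cookie names, the reliance on a `Max-Age` attribute, the 30-second refresh margin and the sample header values are assumptions; the page does not specify them.

```python
from dataclasses import dataclass

# Assumed cookie names; the page does not name the cookies.
AT_NAME, RT_NAME = "folioAccessToken", "folioRefreshToken"

@dataclass
class Token:
    value: str
    expires_at: float  # absolute time in seconds
    http_only: bool
    secure: bool

def parse_set_cookie(header: str, now: float) -> tuple[str, Token]:
    """Parse one Set-Cookie header value into (cookie name, Token)."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.partition("=")[0].lower(): a.partition("=")[2] for a in attrs if a}
    if "max-age" not in flags:
        raise ValueError(f"{name}: no Max-Age, token TTL unknown")
    return name, Token(value, now + int(flags["max-age"]),
                       "httponly" in flags, "secure" in flags)

def parse_login_response(set_cookie_headers, now):
    """Return (AT, RT) from the Set-Cookie headers of a login response."""
    tokens = dict(parse_set_cookie(h, now) for h in set_cookie_headers)
    missing = {AT_NAME, RT_NAME} - tokens.keys()
    if missing:
        raise ValueError(f"missing cookies: {sorted(missing)}")
    return tokens[AT_NAME], tokens[RT_NAME]

def next_action(at: Token, rt: Token, now: float, skew: float = 30) -> str:
    """Decide what the client must do before its next API call."""
    if now >= rt.expires_at:
        return "login"    # RT expired: no rotation possible, authenticate again
    if now >= at.expires_at - skew:
        return "refresh"  # AT expired or about to: use the RT to get a new pair
    return "use_at"

# Constructed sample headers; values and TTLs are made up for illustration.
SAMPLE = [
    "folioAccessToken=constructed-at; Max-Age=600; Path=/; HttpOnly; Secure",
    "folioRefreshToken=constructed-rt; Max-Age=604800; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    at, rt = parse_login_response(SAMPLE, now=0)
    for t in (0, 580, 700, 604800):
        print(t, next_action(at, rt, t))
```

Because each refresh returns a new AT/RT pair, the client replaces both stored tokens after every refresh rather than only the AT.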
Converting to the new API is non-optional. The old login endpoint and the new login endpoint will not exist together in any FOLIO release, although both endpoints may be available in snapshot to ease the pain of switching over.
See the following page for details: https://wiki.folio.org/pages/viewpage.action?pageId=96414255. It includes:
- How RTR works
- How RTR will change FOLIO authentication and authorization
- Guide for implementing RTR for clients