Uploaded image for project: 'mod-login'
  1. mod-login
  2. MODLOGIN-119

change login API to return tokens in the body and not in private headers

    XMLWordPrintable

Details

    • CP: R3 2022 roadmap
    • 3
    • Core: Platform

    Description

      Both the regular and refresh tokens should be returned as part of the login operation JSON response body and not as response headers.

      The security problems related to token leaks (FOLIO-2287 and FOLIO-2286) suggest that current design is prone to exploitation because the authentication headers are used both as request and response headers.

      This is a breaking login API change and requires client (stripes and mod-user-bl) changes.

      Additionally, as discussed in FOLIO-2556 and in the #core-platform channel – there is a potential use-case to return the token as a cookie (Set-Cookie header) to allow for transparent handling of tokens in stripes (it's a good practice to prevent JS to access JWT tokens). This should be verified with StripesForce team.

      Example:

      POST /login HTTP/1.1
Content-type: application/json
{
   "user":..
   "pass":..
   "tokenTransport": "body"
}
HTTP/1.1 200 OK
{
  "accessToken" : "1234",
}

      and for the “cookie” transported version:

      POST /login HTTP/1.1
Content-type: application/json
{
   "user":..
   "pass":..
  "tokenTransport" : "cookie",
}
HTTP/1.1 200 OK
Set-Cookie: tok=1245
{
  "tokenTransport" : "cookie",
}

      TestRail: Results

        Attachments

          Issue Links

            relates to

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. FOLIO-2523 SPIKE: improve design of authn/z

            • P2 - normal priority level, must be included in the current development cycle
            • Blocked

            Task - A task that needs to be done. FOLIO-2556 SPIKE: investigate refresh tokens support in FOLIO

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODLOGIN-163 POST /authn/login response contains clear text password

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. STCOR-391 Fix invalid x-okapi-token header error

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. FOLIO-2287 Valid X-Okapi-Token (with permissions) returned on invalid login

            • P1 - highest priority item, drop everything else before this is resolved, reserved for critical bugfixes
            • Closed

            Task - A task that needs to be done. FOLIO-2564 investigate HTTP Response Header injection

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            New Feature - New feature requests OKAPI-763 Prevent X-Okapi-Token being returned by a module

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Activity

              People

                Unassigned Unassigned
                jakub Jakub Skoczen
                Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases