Embedding permission names within the JWT token can lead to an X-Okapi-Token header that surpasses the maximum header size limit.
Remove permissions from the X-Okapi-Token JWT token and replace them with a pointer to an appropriate permission source:
- for user permissions: UUID of the user/permissions object – this is already implemented in MAT
- for module permissions: a "hidden" permission set in the form of "SYS#moduleId#pathPattern#methods" that is dereferenced during permission validation
We define a Token Permission Key (TPK) as moduleId.method.pathPattern. TPK will be used as a “hidden” permissionSet and it would effectively replace a list of specific module permissions in the X-Okapi-Token.
Okapi will generate the TPK permission set during the call to mod-permission (_tenantPermissions system method).
We modify the X-Okapi-Module-Permissions header to include a map from the moduleId (no change) to a TPK (rather than a list of permissions).
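The pointer scheme described above, as an added example that is not Okapi's or mod-permissions' own code: a minimal HS256 token carries either the full module permission list or a single TPK in the `SYS#moduleId#pathPattern#methods` form, and a validator dereferences the TPK against an in-memory stand-in for mod-permissions. The claim name `extra_permissions`, the signing key, the permission source contents and the 8192-byte header limit are constructed for this example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-signing-key"  # constructed; not Okapi's key handling

# Constructed stand-in for mod-permissions: the TPK is dereferenced here at validation time.
MODULE_PERMISSION_SOURCE = {
    "SYS#mod-users#/users/{id}#GET": ["users.item.get", "perms.users.get"],
}

def tpk(module_id, path_pattern, methods):
    """Build the hidden permission-set name in the form SYS#moduleId#pathPattern#methods."""
    return f"SYS#{module_id}#{path_pattern}#{','.join(methods)}"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_token(claims):
    """Minimal HS256 JWT; only the claim set differs between the two designs."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"

def verify_and_decode(token):
    """Check the signature before trusting any claim, then return the claim set."""
    head, body, sig = token.split(".")
    expected = _b64url(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def effective_permissions(claims, source=MODULE_PERMISSION_SOURCE):
    """Expand SYS# pointers via the permission source; an unknown TPK grants nothing."""
    perms = []
    for p in claims.get("extra_permissions", []):
        perms.extend(source.get(p, []) if p.startswith("SYS#") else [p])
    return perms

def has_permission(token, required):
    return required in effective_permissions(verify_and_decode(token))

def header_size_demo(n_modules=400):
    """Header length with inline module permissions vs. a single TPK pointer (assumed 8192-byte limit)."""
    inline = [f"mod-{i}.item.get" for i in range(n_modules)] + [f"mod-{i}.collection.get" for i in range(n_modules)]
    inline_token = mint_token({"sub": "alice", "extra_permissions": inline})
    tpk_token = mint_token({"sub": "alice", "extra_permissions": [tpk("mod-users", "/users/{id}", ["GET"])]})
    return len("X-Okapi-Token: " + inline_token), len("X-Okapi-Token: " + tpk_token)
```

The validator only ever trusts what the permission source returns for the TPK, so a token naming a TPK that mod-permissions never generated resolves to no permissions at all.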