Details
- Type: Task
- Status: Closed
- Priority: P2
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: 3.0.0
- Labels: (none)
- Sprint: CP: sprint 87, CP: sprint 88, CP: sprint 89
- Story Points: 5
- Development Team: Core: Platform
Description
Context
Embedding permission names within the JWT can produce an X-Okapi-Token header that exceeds the maximum header size limit.
Proposed Approach
Remove permissions from the X-Okapi-Token JWT and replace them with a pointer to an appropriate permission source:
- for user permissions: the UUID of the user/permissions object – this is already implemented in MAT
- for module permissions: a "hidden" permission set in the form "SYS#moduleId#pathPattern#methods" that is dereferenced during permission validation
Implementation
We define a Token Permission Key (TPK) as moduleId.method.pathPattern. The TPK is used as a "hidden" permissionSet and effectively replaces the list of specific module permissions in the X-Okapi-Token.
Okapi generates the TPK permission set during the call to mod-permissions (the _tenantPermissions system method).
We modify X-Okapi-Module-Permissions to carry a map from the moduleId (unchanged) to a TPK, rather than to a list of permissions.
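The scheme in the Implementation section, worked through as an added illustration; this is not Okapi's or mod-permissions' code. It registers a module's route permissions under a TPK, issues a token that carries only the key, verifies the token's signature before trusting its claims, dereferences the key at validation time (failing closed on an unknown key), and compares the token length against the legacy layout that embeds every permission name. The registry class, the HMAC key, the sample permission names and the exact token and header layouts are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this illustration only (not an Okapi secret).
SIGNING_KEY = b"example-only-key"

# Constructed sample: the permissions one module route requires, as they would
# be handed to mod-permissions via _tenantPermissions. Names are placeholders.
SAMPLE_ROUTE = ("mod-example-1.0.0", "GET", "/example/{id}")
SAMPLE_PERMS = [f"example.dependency.item.get.{i}" for i in range(40)]


def tpk(module_id: str, method: str, path_pattern: str) -> str:
    """Build a Token Permission Key in the ticket's moduleId.method.pathPattern form."""
    return f"{module_id}.{method}.{path_pattern}"


class TpkRegistry:
    """Stand-in for the hidden permission sets that mod-permissions would hold."""

    def __init__(self) -> None:
        self._sets: dict[str, tuple[str, ...]] = {}

    def register(self, module_id: str, method: str, path_pattern: str, perms) -> str:
        key = tpk(module_id, method, path_pattern)
        self._sets[key] = tuple(perms)
        return key

    def dereference(self, key: str) -> list[str]:
        # Fail closed: an unknown key grants nothing rather than everything.
        if key not in self._sets:
            raise PermissionError(f"unknown TPK: {key}")
        return list(self._sets[key])


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_token(payload: dict) -> str:
    """HS256-style compact token (header.payload.signature); assumed layout."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def legacy_token(user_id: str, perms: list[str]) -> str:
    """Old layout: every module permission name embedded in the token."""
    return sign_token({"sub": user_id, "extra_permissions": perms})


def tpk_token(user_id: str, key: str) -> str:
    """New layout: a single TPK in place of the permission list."""
    return sign_token({"sub": user_id, "extra_permissions": [key]})


def module_permissions_header(keys_by_module: dict[str, str]) -> str:
    """X-Okapi-Module-Permissions as a moduleId -> TPK map (the proposed shape)."""
    return json.dumps(keys_by_module, separators=(",", ":"))


def decode_payload(token: str) -> dict:
    """Verify the HMAC before trusting any claim; reject tampered tokens."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def effective_module_permissions(token: str, registry: TpkRegistry) -> list[str]:
    """Validation-time expansion: each entry in the token is a TPK to dereference."""
    perms: list[str] = []
    for key in decode_payload(token)["extra_permissions"]:
        perms.extend(registry.dereference(key))
    return perms


def demo() -> dict:
    registry = TpkRegistry()
    key = registry.register(*SAMPLE_ROUTE, SAMPLE_PERMS)
    old = legacy_token("user-1", SAMPLE_PERMS)
    new = tpk_token("user-1", key)
    return {
        "legacy_len": len(old),
        "tpk_len": len(new),
        "header": module_permissions_header({SAMPLE_ROUTE[0]: key}),
        "expanded": effective_module_permissions(new, registry),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The token with the TPK stays the same size no matter how many permissions the route needs, which is the point of the change; the size of the permission list moves to the registry that mod-permissions already holds. Dereferencing only after signature verification, and refusing unknown keys, keeps the indirection from becoming a way to claim permissions the module never registered.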
Issue Links
- blocks: FOLIO-2523 SPIKE: improve design of authn/z (Blocked)
- is blocked by: MODAT-72 Expand module permission set (Closed)
- relates to: OKAPI-838 SPIKE: consider a method to clean removed MD-provided permissions and permissionSet (Open)
- relates to: MODPERMS-79 API /perms/permissions?expandSubs=true does not expand recursively (Closed)