validate user deactivation when checking access token

Description

This is one of the proposed solutions to (the other being implementing support for refresh tokens in the UI/Stripes).

The idea is to validate user deactivation (and potentially other user properties, e.g. expiration or removal) at the time the token is checked in mod-authtoken. This would be similar to how permissions are enforced.

The benefit of this approach is that it can be introduced transparently to the FOLIO UI and other clients (e.g. edge modules).

The disadvantage is that it would impose an additional performance penalty on the auth check operation; to limit this penalty we would need to cache the user record between auth checks.

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None
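A sketch of the approach described in this issue, added here as an illustration and not mod-authtoken's own code: the user's active flag is looked up during the token check and cached with a TTL, so a deactivated user keeps access only until the cache entry expires. The `fetch_active` callback, the `user_id` claim name and the deny-on-lookup-failure handling are assumptions.

```python
import time

DEFAULT_TTL_SECONDS = 60  # the issue comments mention a 1 minute default


class UserStatusCache:
    """Caches each user's active flag between auth checks."""
    def __init__(self, fetch_active, ttl=DEFAULT_TTL_SECONDS, clock=time.monotonic):
        self._fetch_active = fetch_active  # hypothetical lookup against the users store
        self._ttl, self._clock = ttl, clock
        self._entries = {}  # user_id -> (active, expires_at)

    def is_active(self, user_id):
        now = self._clock()
        entry = self._entries.get(user_id)
        if entry is not None and now < entry[1]:
            return entry[0]  # may be stale for up to ttl seconds
        try:
            active = bool(self._fetch_active(user_id))
        except Exception:
            # Design choice in this sketch: a failed or missing lookup denies access.
            self._entries.pop(user_id, None)
            return False
        self._entries[user_id] = (active, now + self._ttl)
        return active


def check_token(claims, cache):
    """Runs after the token signature has been verified; returns (allowed, reason)."""
    user_id = claims.get("user_id")  # hypothetical claim name
    if not user_id:
        return False, "token carries no user id"
    if not cache.is_active(user_id):
        return False, "user is inactive or unknown"
    return True, "ok"


def demo():
    users, calls, now = {"u1": True}, [], [0.0]  # constructed sample data
    def fetch(uid):
        calls.append(uid)
        return users[uid]
    cache = UserStatusCache(fetch, clock=lambda: now[0])
    outcomes = []
    for t in (0, 30, 61):
        now[0] = t
        outcomes.append(check_token({"user_id": "u1"}, cache)[0])
        users["u1"] = False  # account deactivated right after the first check
    return outcomes, len(calls)
```

`demo()` checks the same token at 0, 30 and 61 seconds: the check at 30 seconds still passes from the cached entry, and only the check after expiry rejects the deactivated user, with two lookups in total.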


Activity


Hongwei Ji, November 26, 2019 at 3:33 PM

Added dependency to users, so bumped up the major fix version from 2 to 3.

Hongwei Ji, November 25, 2019 at 2:13 PM

For an inactive user, it will display something like below once the internal user cache is expired (1 minute by default).

Done

Details


Development Team

Core: Platform


Created November 18, 2019 at 1:08 PM
Updated April 2, 2021 at 1:48 PM
Resolved November 26, 2019 at 3:33 PM