Poppy 2023 R2 - Implement refresh token rotation (RTR) in all affected modules (FOLIO-3627)

[FOLIO-2556] SPIKE: investigate refresh tokens support in FOLIO Created: 06/Apr/20  Updated: 03/Nov/22  Resolved: 06/Dec/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None
Parent: Poppy 2023 R2 - Implement refresh token rotation (RTR) in all affected modules

Type: Task Priority: P3
Reporter: Jakub Skoczen Assignee: Steve Ellis
Resolution: Done Votes: 0
Labels: R3, platform-backlog, refresh-tokens, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-2524 Security Audit raised issues Open
blocks MODAT-64 Enforce access token expiration Closed
blocks STCON-101 SPIKE: use and rotate refresh tokens Closed
Relates
relates to SIP2-71 Spike: Determine and implement strate... Open
relates to MODAT-66 Gracefully handle access token expira... Open
relates to MODLOGSAML-57 Furnish a refresh token upon login Open
relates to MODAT-64 Enforce access token expiration Closed
relates to MODAT-67 One-time use refresh tokens Closed
relates to MODAT-69 Refactor/combine /token and /refresht... Closed
relates to STCON-101 SPIKE: use and rotate refresh tokens Closed
relates to FOLIO-1233 Implement refresh tokens Closed
relates to MODAT-68 Use JWT for refresh tokens Closed
relates to EDGCOMMON-22 Implement Silent Refresh Draft
relates to MODAT-65 Configurable access/refresh token exp... Closed
relates to MODLOGIN-119 change login API to return tokens in ... Closed
relates to STCOR-484 implement client-side handling of ref... Closed
relates to MODAT-60 Token invalid across cluster Closed
relates to FOLIO-2523 SPIKE: improve design of authn/z Blocked
Sprint: CP: sprint 87, CP: sprint 127, CP: sprint 128, CP: sprint 126, CP: sprint 86
Story Points: 3
Development Team: Core: Platform
Epic Link: Poppy 2023 R2 - Implement refresh token rotation (RTR) in all affected modules

Description

Relates to FOLIO-1233 – this ticket needs to be updated with an implementation plan.

See https://folio-org.atlassian.net/wiki/display/DD/Refresh+Tokens

See https://docs.google.com/document/d/1K_QdgnOo2wOSfY-rQ8phOD6nCO_3jvdAnEG0BEqtnjU/edit# "FOLIO Authentication Token Architecture Improvements"

Much of the outstanding work is fairly straightforward. However, in reading through the comments in FOLIO-1233, and based on conversations I've had with frontend developers, it seems the two biggest unknowns are:

  • How do we handle access token expiration in the context of module-to-module communication
    • Always check token expiry during authorization
    • Tokens w/o a valid expiration will be rejected
    • Tokens generated for module-to-module purposes have a new expiration - this should be long enough that request timeouts will likely happen before tokens expire, but will mitigate the impact of a sniffed/stolen token.
  • How do we incorporate refresh tokens into the UI.
    • Discussed with Zak Burke - Will create a story (Spike) against stripes-connect and elicit feedback from the stripes community


Comments
Comment by Oleksii Popov [ 05/May/20 ]

We need a solution decision.

Comment by Hanna Hulevich [ 29/Mar/21 ]

Jakub Skoczen, do we need to do investigation for R2, or is implementation also required?

Comment by Dilshod_Khusanov [ 06/Dec/21 ]

Completed.

Generated at Thu Feb 08 23:21:31 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.