|
Relates to
FOLIO-1233
Closed
– this ticket needs to be updated with an implementation plan.
See https://folio-org.atlassian.net/wiki/display/DD/Refresh+Tokens
See https://docs.google.com/document/d/1K_QdgnOo2wOSfY-rQ8phOD6nCO_3jvdAnEG0BEqtnjU/edit# "FOLIO Authentication Token Architecture Improvements"
Much of the outstanding work is fairly straight forward. However, in reading through the comments in
FOLIO-1233
Closed
, and based on conversations I've had with frontend developers, it seems the two biggest unknowns are:
- How do we handle access token expiration in the context of module-to-module communication
- Always check token expiry during authorization
- Tokens w/o a valid expiration will be rejected
- Tokens generated for module-to-module purposes have a new expiration - this should be long enough that request timeouts will likely happen before tokens expire, but will mitigate the impact of a sniffed/stolen token.
- How do we incorporate refresh tokens into the UI.
- Discussed with Zak Burke - Will create a story (Spike) against stripes-connect and elicit feedback from the stripes community
|