[FOLIO-3032] HTTP infrastructure without X-Okapi headers Created: 07/Feb/21 Updated: 23/Feb/21 |
|
| Status: | Open |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task | Priority: | TBD |
| Reporter: | Adam Dickmeiss | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Sprint: | |
| Development Team: | Core: Platform |
| Description |
|
The definitions (RAML, OpenAPI) are simplified, since they don't have to mention X-Okapi headers. It will be simpler for clients and servers in general. The communication will end up using only standard headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Okapi headers: X-Okapi-Token and X-Okapi-Tenant will be replaced with the Authorization header. The user id, previously carried in X-Okapi-User-Id, is also replaced with the Authorization header. X-Okapi-Url will be defined outside the scope of normal calls. It could be defined by Okapi (or other deployment infrastructure) with an environment variable.

The other Okapi headers are used in communication with the Auth module. That API (between Okapi and auth) can be changed to use request+response, without special headers.

This is not something that has to be done for all modules at once. It can be implemented by adding a field in the module descriptor that declares that the module is able to handle Authorization, and pass it on. Okapi can receive this call and call another module with whatever headers that module is able to handle. In other words, a mix is indeed possible.

The Authorization header must be base64-decoded by a module to determine the tenant. This is secure because the Authorization has been verified by mod-authtoken before it is passed on to a module. In a system without auth-token enabled (for unit testing and development), Okapi could in that case generate a fake token with the tenant and user embedded. This makes it a one-time effort to dig out the tenant and user from Authorization and it will, as far as the module implementation is concerned, not be a dual effort. |
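As an added illustration (not Okapi's or any FOLIO module's own code), the following shows the two pieces the description calls for: a module-side routine that pulls the tenant and user out of a Bearer JWT in the Authorization header by base64url-decoding its payload, and the unsigned "fake token" a gateway could mint for auth-less development deployments. It assumes the token is a three-segment JWT carrying the claims `tenant` and `user_id` (claim names are an assumption here); it performs no signature check, on the premise stated above that mod-authtoken has already verified the token before the module sees it.

```python
import base64
import json
from typing import Mapping, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def tenant_and_user_from_authorization(headers: Mapping[str, str]) -> Tuple[str, Optional[str]]:
    """Return (tenant, user_id) taken from 'Authorization: Bearer <jwt>'.

    No signature verification happens here: the module trusts that the
    gateway (mod-authtoken) verified the token before forwarding it.
    Every malformed input raises ValueError so the caller can answer 400.
    """
    # Header names are case-insensitive, so match them case-folded.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        raise ValueError("missing Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("Authorization must be 'Bearer <token>'")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-segment JWT")
    try:
        claims = json.loads(_b64url_decode(parts[1]))  # bad base64/JSON -> ValueError
    except ValueError as exc:
        raise ValueError("token payload is not base64url-encoded JSON") from exc
    tenant = claims.get("tenant") if isinstance(claims, dict) else None
    if not isinstance(tenant, str) or not tenant:
        raise ValueError("token carries no tenant claim")
    user_id = claims.get("user_id")
    return tenant, user_id if isinstance(user_id, str) else None


def make_dev_token(tenant: str, user_id: str) -> str:
    """Unsigned (alg=none) JWT for deployments without mod-authtoken, as a
    stand-in for the 'fake token' the issue suggests Okapi could generate.
    Claim names 'tenant' and 'user_id' are an assumption of this example."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'tenant': tenant, 'user_id': user_id})}."
```

A module that only needs the tenant can ignore the second element of the tuple; the dev-token path must never be enabled in a deployment where mod-authtoken is absent from the chain but real users are expected.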