[FOLIO-3032] HTTP infrastructure without X-Okapi headers Created: 07/Feb/21  Updated: 23/Feb/21

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: TBD
Reporter: Adam Dickmeiss Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: Core: Platform

 Description   

The API definitions (RAML, OpenAPI) become simpler, since they no longer have to mention the X-Okapi headers. That is simpler for clients and servers in general.

Communication then ends up using only standard headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Okapi headers:

https://github.com/folio-org/okapi/blob/master/okapi-common/src/main/java/org/folio/okapi/common/XOkapiHeaders.java

X-Okapi-Token and X-Okapi-Tenant are replaced by the Authorization header.

The user ID, previously carried in X-Okapi-User-Id, is also replaced by the Authorization header.

X-Okapi-Url is defined outside the scope of normal calls. It could be supplied by Okapi (or other deployment infrastructure), for example through an environment variable.

The remaining Okapi headers are used only in the communication between Okapi and the auth module. That API (between Okapi and auth) can be changed to a plain request/response exchange without special headers.

This does not have to be done for all modules at once. It can be implemented by adding a field to the module descriptor that declares that the module is able to handle Authorization and pass it on. Okapi can accept such a call and, when it calls another module, use whichever header scheme that module is able to handle. In other words, a mix of old-style and new-style modules is possible.

A module must base64-decode the token from the Authorization header (a JWT, whose payload is base64url-encoded) to determine the tenant. The module does not verify the token itself; this is secure only because the token has already been verified by mod-authtoken before Okapi passes it on to the module, so the scheme depends on modules being reachable through Okapi and not directly.

In a system without auth-token enabled, for unit testing and development, Okapi could instead generate a fake token with the tenant and user embedded. Digging the tenant and user out of the Authorization header then becomes a one-time effort for the module implementation rather than a dual code path.
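As an added illustration of the scheme described above (this is example code written for this page, not Okapi or mod-authtoken code): a module-side helper that takes tenant and user from the Authorization header by base64-decoding the JWT payload, falls back to the legacy X-Okapi-Tenant / X-Okapi-User-Id headers for the mixed deployment, and a minting function for the fake development token. The claim names `tenant` and `user_id`, the function names, and the dev-only signing key are assumptions of this example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed dev-only key for the "no auth-token" mode. Assumption for this example.
DEV_SECRET = b"dev-only-not-a-real-key"


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def claims_from_token(token: str) -> dict:
    """Decode the JWT payload WITHOUT checking the signature.

    This is the step the proposal describes: the module trusts that
    Okapi/mod-authtoken already verified the token, so it only decodes.
    It must never run on a request that did not arrive through Okapi.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def tenant_and_user(headers: dict) -> tuple[str, str | None]:
    """Return (tenant, user_id) for a request.

    Prefers the Authorization header (the proposed scheme) and falls back to
    the legacy X-Okapi-* headers so the module works in a mixed deployment.
    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization")
    if auth:
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "bearer" or not token:
            raise ValueError("Authorization must be 'Bearer <token>'")
        claims = claims_from_token(token)
        tenant = claims.get("tenant")  # assumed claim name
        if not tenant:
            raise ValueError("token carries no tenant claim")
        return tenant, claims.get("user_id")  # assumed claim name
    tenant = h.get("x-okapi-tenant")
    if not tenant:
        raise ValueError("neither Authorization nor X-Okapi-Tenant present")
    return tenant, h.get("x-okapi-user-id")


def dev_token(tenant: str, user_id: str | None = None,
              secret: bytes = DEV_SECRET) -> str:
    """Mint the 'fake token' Okapi could issue when mod-authtoken is disabled.

    It is a structurally valid HS256 JWT, so the module's decode path is the
    same in development and in production; only the issuer differs.
    """
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = {"tenant": tenant, "iat": int(time.time())}
    if user_id is not None:
        payload["user_id"] = user_id
    body = _b64url_encode(json.dumps(payload, **compact).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    # Constructed requests: one new-style, one legacy, both for tenant "diku".
    new_style = {"Authorization": "Bearer " + dev_token("diku", "user-1")}
    legacy = {"X-Okapi-Tenant": "diku", "X-Okapi-User-Id": "user-1"}
    print(tenant_and_user(new_style))
    print(tenant_and_user(legacy))
```

Note that `tenant_and_user` deliberately treats the decoded claims as already trusted; in production the only thing standing between a forged `Bearer` token and a tenant switch is Okapi having routed the request through mod-authtoken first, which is why the module must not be exposed to callers other than Okapi.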


Generated at Thu Feb 08 23:25:06 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.