Summary: /authn/token?code=... returns an RT cookie with the path set to /; it should be /authn.
Details: After authenticating via Keycloak, you are redirected back to the Stripes UI, and Stripes makes a request to /authn/token?code=... to exchange Keycloak's OTP for FOLIO's AT and RT cookies. This all works properly (yay, RTR coming soon!), but the path on the RT cookie is / instead of /authn as it is in legacy FOLIO (log in to folio-snapshot and look at the cookies returned by the request to bl-users/login-with-expiry). This means the RT cookie is sent on every request. This isn't technically wrong (functionally, it's harmless), but it's bad from a security angle because the RT's only job is getting a new AT, so it should only be sent over the wire once, and only in a request to an endpoint that refreshes the tokens.
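As an added example (not code from FOLIO or Stripes), the following Python check applies RFC 6265 path matching to constructed Set-Cookie headers to show which cookies a browser would attach to a given request, and flags an RT cookie whose Path reaches outside /authn; the cookie names folio_at/folio_rt, their values and the request paths are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers as /authn/token?code=... might return them.
# Cookie names and values are assumed for this example.
BUGGY = [
    "folio_at=AT_VALUE; Path=/; HttpOnly; Secure",
    "folio_rt=RT_VALUE; Path=/; HttpOnly; Secure",       # Path=/ is the bug
]
FIXED = [
    "folio_at=AT_VALUE; Path=/; HttpOnly; Secure",
    "folio_rt=RT_VALUE; Path=/authn; HttpOnly; Secure",  # scoped to the refresh endpoint
]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the rule a browser applies when deciding
    whether a stored cookie is attached to a request for request_path."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(headers):
    """Return {cookie_name: path} for a list of Set-Cookie header values
    (a missing Path attribute is treated as '/' here for simplicity)."""
    paths = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            paths[name] = morsel["path"] or "/"
    return paths


def cookies_sent(headers, request_path):
    """Names of the cookies a browser would attach to a request for request_path."""
    return sorted(name for name, path in parse_set_cookie(headers).items()
                  if path_matches(path, request_path))


def rt_overexposed(headers, rt_name="folio_rt", refresh_prefix="/authn"):
    """True if the RT cookie's Path lets it be sent to requests outside refresh_prefix."""
    path = parse_set_cookie(headers).get(rt_name)
    if path is None:
        return False
    # The RT is correctly scoped only if its Path lies within the refresh prefix.
    return not path_matches(refresh_prefix, path)
```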