<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:12:34 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-1332] SPIKE: Design/Discuss Overrides</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-1332</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;We held a meeting yesterday and have come to the following:&lt;/p&gt;

&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;We are introducing the concept of an &quot;Override Token&quot; (term might change), which would be a secondary token that would be sent along with the standard access token in a different header for the request. This token would be an opaque, signed token that would carry in its payload a list of extra permissions that would be granted to the user. It would carry an expiration time, so as to become invalid after a short period.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;When mod-authtoken receives this Override Token, it will decrypt it and add the contained permissions to the user&apos;s permissions for the current request. It will also add these permissions to the tokens generated for any modules along the current request chain, so that the modules will be able to take advantage of the override for the request.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;The process of minting a new Override Token will be done via a new endpoint on mod-login, perhaps /authn/override. The supervisor user will provide, to the endpoint, their credentials, along with the userid being granted the token, a list of the supervisor&apos;s permissions that will be granted by the token, and the time-to-live of the token. The response from the endpoint will be the override token.  The advantage to this scheme is that the supervisor never exposes their access token to the user&apos;s browser, which helps close a potential security hole.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;The following components would need to be changed to make this work:
	&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
		&lt;li&gt;mod-authtoken: Would need to be able to recognize and decrypt the new tokens, and to incorporate the contents into the request chain.&lt;/li&gt;
		&lt;li&gt;mod-login: Would need new endpoint to permit minting of the Override Token&lt;/li&gt;
		&lt;li&gt;okapi: Would need to recognize the new header (X-Okapi-Override?) and pass along accordingly&lt;/li&gt;
		&lt;li&gt;stripes: Would need changes to be able to provide login for supervisor to create override token, and would need to be able to attach the new token to the overridden request in the new header.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="80684">FOLIO-1332</key>
            <summary>SPIKE: Design/Discuss Overrides</summary>
                <type id="10006" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10307?size=medium">Umbrella</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5c38e8d616ac1e4f7cbc660a">Kurt Nordstrom</assignee>
                                                                <reporter accountid="5af5ed55244bc90a106063c7">Cate Boerema</reporter>
                                    <labels>
                            <label>RFC</label>
                            <label>core</label>
                            <label>sprint42</label>
                            <label>sprint43</label>
                            <label>sprint44</label>
                            <label>sprint45</label>
                            <label>sprint46</label>
                            <label>sprint47</label>
                            <label>sprint48</label>
                            <label>ui-core</label>
                    </labels>
                <created>Mon, 9 Jul 2018 13:59:28 +0000</created>
                <updated>Wed, 3 Jul 2019 20:11:28 +0000</updated>
                            <resolved>Thu, 4 Oct 2018 11:27:53 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>6</watches>
                                                                <comments>
                                                            <comment id="194085" author="5af5ed55244bc90a106063c7" created="Mon, 16 Jul 2018 10:14:16 +0000"  >&lt;p&gt;Per &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt;, I am assigning this to &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c38e8d616ac1e4f7cbc660a&quot; class=&quot;user-hover&quot; rel=&quot;5c38e8d616ac1e4f7cbc660a&quot; data-account-id=&quot;5c38e8d616ac1e4f7cbc660a&quot; accountid=&quot;5c38e8d616ac1e4f7cbc660a&quot; rel=&quot;noreferrer&quot;&gt;Kurt Nordstrom&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="194112" author="5af5ed55244bc90a106063c7" created="Fri, 20 Jul 2018 11:22:44 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c38e8d616ac1e4f7cbc660a&quot; class=&quot;user-hover&quot; rel=&quot;5c38e8d616ac1e4f7cbc660a&quot; data-account-id=&quot;5c38e8d616ac1e4f7cbc660a&quot; accountid=&quot;5c38e8d616ac1e4f7cbc660a&quot; rel=&quot;noreferrer&quot;&gt;Kurt Nordstrom&lt;/a&gt;, do you have an update on this?  Did you determine if this should stay assigned to you for analysis or if it&apos;s a frontend-only thing?&lt;/p&gt;</comment>
                                                            <comment id="194115" author="5c38e8d616ac1e4f7cbc660a" created="Fri, 20 Jul 2018 14:19:58 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5af5ed55244bc90a106063c7&quot; class=&quot;user-hover&quot; rel=&quot;5af5ed55244bc90a106063c7&quot; data-account-id=&quot;5af5ed55244bc90a106063c7&quot; accountid=&quot;5af5ed55244bc90a106063c7&quot; rel=&quot;noreferrer&quot;&gt;Cate Boerema&lt;/a&gt; Here are my thoughts on the matter:&lt;/p&gt;

&lt;p&gt;Yes, we currently could implement an override functionality directly in the front end. However, this is slightly problematic, as it will mean that an access token for the superuser will be exposed in the user&apos;s browser, and a mischievous user could use their browser&apos;s dev tools to extract it, and then re-use the token for gaining access to endpoints.&lt;/p&gt;

&lt;p&gt;This raises the topic of token expiration and refresh tokens, which is something that we have discussed in the past, but haven&apos;t formally implemented yet. What this feature would allow us to do would be to have the superuser token be created with a short time-to-live, so that the window of opportunity for mischief was very small. It would also improve security overall by reducing the usefulness of token leakage.&lt;/p&gt;

&lt;p&gt;See &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-1233&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/FOLIO-1233&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;My recommendation would be to raise the priority of implementing refresh tokens and token expiration and make it a blocker for this story. &lt;/p&gt;</comment>
                                                            <comment id="194117" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Tue, 24 Jul 2018 12:37:25 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c38e8d616ac1e4f7cbc660a&quot; class=&quot;user-hover&quot; rel=&quot;5c38e8d616ac1e4f7cbc660a&quot; data-account-id=&quot;5c38e8d616ac1e4f7cbc660a&quot; accountid=&quot;5c38e8d616ac1e4f7cbc660a&quot; rel=&quot;noreferrer&quot;&gt;Kurt Nordstrom&lt;/a&gt; Expiration/TTL makes sense to me. I am not clear we need the full capability of &quot;refresh tokens&quot; for this?&lt;/p&gt;</comment>
                                                            <comment id="194119" author="5c38e8d616ac1e4f7cbc660a" created="Wed, 25 Jul 2018 22:09:31 +0000"  >&lt;p&gt;Okay, here is how I currently see things:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;One thing we absolutely do not want is a long-lived token for a superuser sitting in the user&apos;s browser data after the override has occurred.&lt;/li&gt;
	&lt;li&gt;Honestly, we don&apos;t want ANY long-lived tokens hanging out in the user&apos;s browser data, but that can be a different problem for a different day.&lt;/li&gt;
	&lt;li&gt;If we want to implement an override system without making things significantly less secure than they currently are, one option would simply be to add a flag to the login endpoint which would specify that we want a token that will die soon. This token will live long enough to execute the superuser&apos;s commands and then expire.&lt;/li&gt;
	&lt;li&gt;Yes, there is still the fact that this is a &apos;voluntary&apos; request for a short TTL token from the front-end, but the truth is that with the current set up, any kind of token request is &apos;voluntary&apos;. Any user spoofed into putting their username/password into the wrong form can potentially return a long-lived token that can be leaked. The only real way to provide security here is to make ALL access tokens short lived and implement a refresh token system that is more secure.&lt;/li&gt;
&lt;/ul&gt;
</comment>
                                                            <comment id="194122" author="5af5ed55244bc90a106063c7" created="Fri, 27 Jul 2018 15:02:41 +0000"  >&lt;p&gt;Thanks &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c38e8d616ac1e4f7cbc660a&quot; class=&quot;user-hover&quot; rel=&quot;5c38e8d616ac1e4f7cbc660a&quot; data-account-id=&quot;5c38e8d616ac1e4f7cbc660a&quot; accountid=&quot;5c38e8d616ac1e4f7cbc660a&quot; rel=&quot;noreferrer&quot;&gt;Kurt Nordstrom&lt;/a&gt;.  Are we almost ready to get started on development?  &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3Ae530422d-154a-4c37-b957-18a88051448e&quot; class=&quot;user-hover&quot; rel=&quot;712020:e530422d-154a-4c37-b957-18a88051448e&quot; data-account-id=&quot;712020:e530422d-154a-4c37-b957-18a88051448e&quot; accountid=&quot;712020:e530422d-154a-4c37-b957-18a88051448e&quot; rel=&quot;noreferrer&quot;&gt;Emma Boettcher&lt;/a&gt; has created some stories we can work from, in case the Fee/fine-related stories are still blocked (&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt; asked that she create these): 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;UIU-582&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIU-582&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Permissions for change due date&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            UIU-582
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 and 
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;UIU-583&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIU-583&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Change due date by escalating permissions (override user&amp;#39;s permissions)&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            UIU-583
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-complete jira-macro-single-issue-export-pdf&quot;&gt;Open&lt;/span&gt;
            &lt;/span&gt;
.  I&apos;ll link them here.&lt;/p&gt;</comment>
                                                            <comment id="194124" author="5c38e8d616ac1e4f7cbc660a" created="Fri, 27 Jul 2018 15:47:55 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5af5ed55244bc90a106063c7&quot; class=&quot;user-hover&quot; rel=&quot;5af5ed55244bc90a106063c7&quot; data-account-id=&quot;5af5ed55244bc90a106063c7&quot; accountid=&quot;5af5ed55244bc90a106063c7&quot; rel=&quot;noreferrer&quot;&gt;Cate Boerema&lt;/a&gt; If we want to proceed with the short-term solution, all we&apos;d need for the backend would be an optional flag to the login module to tell it to request a short-lived token as opposed to a long-lived one.&lt;/p&gt;</comment>
                                                            <comment id="194126" author="5af5ed55244bc90a106063c7" created="Mon, 30 Jul 2018 14:44:49 +0000"  >&lt;p&gt;Excellent!  We had a chat about this in today&apos;s roundup and I think everyone understands what needs to be done, as Emma talked us through her stories (
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;UIU-582&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIU-582&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Permissions for change due date&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            UIU-582
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 and 
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;UIU-583&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIU-583&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Change due date by escalating permissions (override user&amp;#39;s permissions)&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            UIU-583
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-complete jira-macro-single-issue-export-pdf&quot;&gt;Open&lt;/span&gt;
            &lt;/span&gt;
).  If you are looking for your next story, you might pick those up and get the backend changes ready.  &lt;/p&gt;

&lt;p&gt;I guess we can close this spike if the solution is designed and documented (at least at a high level) in this ticket (I think that&apos;s what you have done in the comments above).  Please close this ticket if you agree.&lt;/p&gt;</comment>
                                                            <comment id="194129" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Mon, 20 Aug 2018 13:13:00 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c38e8d616ac1e4f7cbc660a&quot; class=&quot;user-hover&quot; rel=&quot;5c38e8d616ac1e4f7cbc660a&quot; data-account-id=&quot;5c38e8d616ac1e4f7cbc660a&quot; accountid=&quot;5c38e8d616ac1e4f7cbc660a&quot; rel=&quot;noreferrer&quot;&gt;Kurt Nordstrom&lt;/a&gt; let&apos;s decide how we would utilize the refresh token functionality to provide this.&lt;/p&gt;</comment>
                                                            <comment id="194131" author="5af5ed55244bc90a106063c7" created="Mon, 3 Sep 2018 13:48:11 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c38e8d616ac1e4f7cbc660a&quot; class=&quot;user-hover&quot; rel=&quot;5c38e8d616ac1e4f7cbc660a&quot; data-account-id=&quot;5c38e8d616ac1e4f7cbc660a&quot; accountid=&quot;5c38e8d616ac1e4f7cbc660a&quot; rel=&quot;noreferrer&quot;&gt;Kurt Nordstrom&lt;/a&gt; and &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt;, can we call this done already?  It&apos;s sprint review time and, while we won&apos;t have anything to show for this (I assume), it is a significant piece of design work we did and I&apos;d like it to display in the list of completed work.  Please mark as Closed &amp;gt; Done if you think this is complete.  Thanks!&lt;/p&gt;</comment>
                                                            <comment id="194134" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Wed, 5 Sep 2018 08:29:52 +0000"  >&lt;p&gt;In my humble opinion, messing about with tokens is the wrong approach. It is tricky to get right, and may lead to security problems.&lt;/p&gt;

&lt;p&gt;I think a safer, saner, and simpler solution would be to let everyone keep using their own tokens, but add a facility in mod-permissions, where a supervisor has the ability to grant some of his own permissions to a given user, for a limited time.  UI-wise, this could be done in a new tab or popup on the users screen, where the superuser logs in, makes the permission-giving call, and closes the tab. Or it could be a function the supervisor can invoke on his own screen.  In any case, the supervisor could select the (top-level) permissions to grant, and the time they should be available.&lt;/p&gt;

&lt;p&gt;In mod-permissions, we would need to add a timeout field to the permission structure, and when checking permissions, see if the user has some that have timed out, and delete them. There may be some issues with caching the permissions, but I am sure we can find a way around those. &lt;/p&gt;

&lt;p&gt;It could even be possible to restrict the temporary permission to a single request, by noting the first time it is being used, attaching the request-id to that, and later verifying the request-id. But this could get tricky when expanding permissions, etc. Probably not needed for the first version(s).&lt;/p&gt;

&lt;p&gt;Of course the supervisor would have to have a permission to delegate his permissions to another user. This could be a general one, or restricted to some top-level permissions.&lt;/p&gt;</comment>
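The temporary-permissions alternative sketched in the comment above, as an added example that is not FOLIO's mod-permissions code. It assumes a hypothetical expiresAt field on each stored permission (the "timeout field" proposed), an in-memory Map standing in for the permissions store, a hypothetical perms.delegate permission that a supervisor must hold in order to delegate, and the extra rule that the delegation right itself cannot be passed on. Expired entries are pruned on every permission check, as the comment proposes.

```javascript
// Added example (not FOLIO code): time-limited delegation of a supervisor's own
// permissions to another user, with expiry enforced at check time.
// Assumed names: perms.delegate (gates delegation), expiresAt (null = permanent).
const DELEGATE_PERM = 'perms.delegate';

// userId -> [{ name, expiresAt }]; an in-memory stand-in for mod-permissions storage.
function createPermStore() {
  return new Map();
}

function grant(store, userId, name, expiresAt = null) {
  const list = store.get(userId) || [];
  list.push({ name, expiresAt });
  store.set(userId, list);
}

// Drop timed-out entries, persist the pruned list, and return the live names.
function livePerms(store, userId, now = Date.now()) {
  const list = (store.get(userId) || []).filter((p) => p.expiresAt === null || p.expiresAt > now);
  store.set(userId, list);
  return list.map((p) => p.name);
}

// A supervisor may delegate only permissions they currently hold, only if they
// hold the delegation permission, and never the delegation permission itself.
function delegate(store, supervisorId, userId, names, ttlMs, now = Date.now()) {
  const supPerms = livePerms(store, supervisorId, now);
  if (!supPerms.includes(DELEGATE_PERM)) {
    throw new Error(supervisorId + ' lacks ' + DELEGATE_PERM);
  }
  for (const n of names) {
    if (n === DELEGATE_PERM) throw new Error('delegation right cannot be delegated');
    if (!supPerms.includes(n)) throw new Error(supervisorId + ' does not hold ' + n);
  }
  for (const n of names) grant(store, userId, n, now + ttlMs);
  return livePerms(store, userId, now);
}

// The check every request goes through; pruning happens as a side effect.
function hasPerm(store, userId, name, now = Date.now()) {
  return livePerms(store, userId, now).includes(name);
}
```

Because the grant lives in the user's permission record rather than in a token, it widens everything the user does until it expires, which is the objection raised in the next comment; the short TTL is the only thing bounding that window.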
                                                            <comment id="194136" author="5c38e8d616ac1e4f7cbc660a" created="Wed, 5 Sep 2018 14:27:59 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; class=&quot;user-hover&quot; rel=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; data-account-id=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; accountid=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; rel=&quot;noreferrer&quot;&gt;Heikki Levanto&lt;/a&gt; It would seem tricky, with the &apos;temporary permissions&apos; approach, to attach the needed permissions upgrade to a particular request, though. In essence the supervisor is boosting the user&apos;s privileges (albeit temporarily), but not restricting what the user might do with them.  Even if we attach a request id, it seems like it would be tricky to peg that to one particular request that the override is granting the ability to do.&lt;/p&gt;</comment>
                                                            <comment id="194138" author="5cf6c265e7d2310e9fc0c5ac" created="Fri, 7 Sep 2018 18:27:14 +0000"  >&lt;p&gt;I&apos;m liking Heikki&apos;s &quot;temporary permissions&quot; approach, but I do have concerns about privilege escalation be it through a superuser context or a supervisor impersonation. &lt;/p&gt;

&lt;p&gt;Have we considered supporting the notion of allowing multiple tokens for a user?&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;User hits the override block&lt;/li&gt;
	&lt;li&gt;Supervisor acts on the override
	&lt;ul&gt;
		&lt;li&gt;Presumably the Supervisor has been issued a required permission in order to issue the override&lt;/li&gt;
		&lt;li&gt;Only the specific permission needed for the action is granted.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;The result is that the user is issued a &lt;b&gt;second&lt;/b&gt; token that carries only the required permission and is short-lived.
	&lt;ul&gt;
		&lt;li&gt;Override request could optionally allow setting the TTL.&lt;/li&gt;
		&lt;li&gt;the temporary permission is not permanently attached to the user&lt;/li&gt;
		&lt;li&gt;temporary token is essentially a bearer token&lt;/li&gt;
		&lt;li&gt;original user token remains untouched.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;The second token is submitted along with the user&apos;s normal token on the request
	&lt;ul&gt;
		&lt;li&gt;The normal token is rejected as before&lt;/li&gt;
		&lt;li&gt;The second (bearer) token is accepted and the action is allowed.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;Bearer token lifecycle
	&lt;ul&gt;
		&lt;li&gt;The bearer token would need to be actively removed from the user&apos;s state once it expires.&lt;/li&gt;
		&lt;li&gt;The bearer token could even be &quot;single use&quot; and invalidated the first time it is accepted in order to prevent reuse in a different context.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;
</comment>
                                                            <comment id="194141" author="5af5ed55244bc90a106063c7" created="Wed, 19 Sep 2018 08:48:24 +0000"  >&lt;p&gt;Guys, this spike has been open for almost an entire quarter.  Can we document a decision by the end of this week (September 21)?&lt;/p&gt;</comment>
                                                            <comment id="194144" author="5c38e8d616ac1e4f7cbc660a" created="Wed, 19 Sep 2018 10:20:59 +0000"  >&lt;p&gt;We held a meeting yesterday and have come to the following:&lt;/p&gt;

&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;We are introducing the concept of an &quot;Override Token&quot; (term might change), which would be a secondary token that would be sent along with the standard access token in a different header for the request. This token would be an opaque, signed token that would carry in its payload a list of extra permissions that would be granted to the user. It would carry an expiration time, so as to become invalid after a short period.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;When mod-authtoken receives this Override Token, it will decrypt it and add the contained permissions to the user&apos;s permissions for the current request. It will also add these permissions to the tokens generated for any modules along the current request chain, so that the modules will be able to take advantage of the override for the request.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;The process of minting a new Override Token will be done via a new endpoint on mod-login, perhaps /authn/override. The supervisor user will provide, to the endpoint, their credentials, along with the userid being granted the token, a list of the supervisor&apos;s permissions that will be granted by the token, and the time-to-live of the token. The response from the endpoint will be the override token.  The advantage to this scheme is that the supervisor never exposes their access token to the user&apos;s browser, which helps close a potential security hole.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;The following components would need to be changed to make this work:
	&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
		&lt;li&gt;mod-authtoken: Would need to be able to recognize and decrypt the new tokens, and to incorporate the contents into the request chain.&lt;/li&gt;
		&lt;li&gt;mod-login: Would need new endpoint to permit minting of the Override Token&lt;/li&gt;
		&lt;li&gt;okapi: Would need to recognize the new header (X-Okapi-Override?) and pass along accordingly&lt;/li&gt;
		&lt;li&gt;stripes: Would need changes to be able to provide login for supervisor to create override token, and would need to be able to attach the new token to the overridden request in the new header.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;
</comment>
                                                            <comment id="194147" author="5bffed52a1b46046f530c8f7" created="Wed, 19 Sep 2018 10:52:52 +0000"  >&lt;p&gt;That seems like a much more complicated scheme than the original.&lt;/p&gt;

&lt;p&gt;How is the client (Stripes or a module) able to know which specific temporary permissions to request?&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;The advantage to this scheme is that the supervisor never exposes their access token to the user&apos;s browser, which helps close a potential security hole.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;But the supervisor exposes their credentials to the user&apos;s browser, which seems like a much &lt;em&gt;worse&lt;/em&gt; security hole (since in general credentials last much longer than tokens generated from them).&lt;/p&gt;</comment>
                                                            <comment id="194149" author="63e2a2771b13d42998e4e706" created="Wed, 19 Sep 2018 11:01:30 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5bffed52a1b46046f530c8f7&quot; class=&quot;user-hover&quot; rel=&quot;5bffed52a1b46046f530c8f7&quot; data-account-id=&quot;5bffed52a1b46046f530c8f7&quot; accountid=&quot;5bffed52a1b46046f530c8f7&quot; rel=&quot;noreferrer&quot;&gt;Mike Taylor&lt;/a&gt; Good question about the awareness (and coupling) around the specific permissions.&lt;/p&gt;

&lt;p&gt;Could it initially be all of the permissions of the supervisor (which admittedly is another potential security challenge)?&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;the supervisor exposes their credentials to the user&apos;s browser&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;As I understand it, we don&apos;t have an approach where the supervisor&apos;s credentials aren&apos;t exposed to the original user&apos;s browser. At least not where the user experience is where the supervisor performs their login in the original user&apos;s browser, which is what I believe is described in scenario 2 of 
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;UIU-445&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIU-445&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Allow for the cancellation of a fee/fine with supervisor override when current user does not have the needed permission&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            UIU-445
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-complete jira-macro-single-issue-export-pdf&quot;&gt;Draft&lt;/span&gt;
            &lt;/span&gt;
. Is there an alternative I&apos;m not aware of, which does not involve this exposure? Or are you stating that there is a security risk of credentials capture, which is significantly higher than token capture?&lt;/p&gt;</comment>
                                                            <comment id="194151" author="5bffed52a1b46046f530c8f7" created="Wed, 19 Sep 2018 11:16:49 +0000"  >&lt;blockquote&gt;&lt;p&gt;Could it initially be all of the permissions of the supervisor (which admittedly is another potential security challenge)?&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;It could &amp;#8211; but only at the expense of sacrificing all the flexibility that (presumably) this more complex approach is intended to get us. If that&apos;s all we wanted to do, then the simpler `sudo`-like approach would seem the better way to do it.&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;As I understand it, we don&apos;t have an approach where the supervisor&apos;s credentials aren&apos;t exposed to the original user&apos;s browser.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;I agree. All I&apos;m saying is that, given that this seems to be a hard requirement, it seems a bit pointless to worry that the supervisor&apos;s much shorter-lived session token is &lt;em&gt;also&lt;/em&gt; available to the user&apos;s browser.&lt;/p&gt;
</comment>
                                                            <comment id="194154" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Wed, 19 Sep 2018 11:33:50 +0000"  >&lt;p&gt;We discussed this briefly in yesterday&apos;s call. Although the use case here is that the supervisor will walk over to the assistant&apos;s browser and type in credentials, this design leaves open the possibility that in some future version the supervisor may do this on his own browser, get some opaque token, and pass it to the assistant via a Folio notification, email, or other channel.&lt;/p&gt;

&lt;p&gt;As to the permissions, yes, we can start with all permissions, but most likely the UI module that handles the situation will have a good idea of what is needed here - the operation to forgive a fine clearly needs some fine-related permissions, and not purchase-order permissions...&lt;/p&gt;</comment>
                                                            <comment id="194157" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Wed, 19 Sep 2018 11:37:08 +0000"  >&lt;p&gt;I just came to think that the override endpoint should be in a separate interface than the regular login service. We already have alternative login methods, and maybe not all of them are suitable for authenticating a supervisor that happens to walk by the browser, without his session cookies from some other system present... Keeping the service in a separate interface will make it possible for the module to declare that it does not support the override service, and for some other module to step in and do it.&lt;/p&gt;</comment>
                                                            <comment id="194159" author="63e2a2771b13d42998e4e706" created="Wed, 19 Sep 2018 12:05:33 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5bffed52a1b46046f530c8f7&quot; class=&quot;user-hover&quot; rel=&quot;5bffed52a1b46046f530c8f7&quot; data-account-id=&quot;5bffed52a1b46046f530c8f7&quot; accountid=&quot;5bffed52a1b46046f530c8f7&quot; rel=&quot;noreferrer&quot;&gt;Mike Taylor&lt;/a&gt; Agreed, thanks for clarifying my understanding of your thoughts.&lt;/p&gt;</comment>
                                                            <comment id="194162" author="63e2a2771b13d42998e4e706" created="Wed, 19 Sep 2018 12:07:01 +0000"  >&lt;p&gt;The topic of which permissions apply to a given operation may well overlap a little with &lt;a href=&quot;https://folio-org.atlassian.net/browse/UXPROD-1828&quot; class=&quot;issue-link&quot; title=&quot;action-based permissions&quot;&gt;UXPROD-1828&lt;/a&gt; (Closed).&lt;/p&gt;</comment>
                                                            <comment id="194164" author="63e2a2771b13d42998e4e706" created="Wed, 19 Sep 2018 12:08:51 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; class=&quot;user-hover&quot; rel=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; data-account-id=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; accountid=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; rel=&quot;noreferrer&quot;&gt;Heikki Levanto&lt;/a&gt; I think a separate interface is worth exploring (we may need to figure out endpoints, as RAML Module Builder does not support overlapping paths in interface definitions AFAIK). &lt;/p&gt;

&lt;p&gt;There is a note in &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIU-445&quot; class=&quot;issue-link&quot; title=&quot;Allow for the cancellation of a fee/fine with supervisor override when current user does not have the needed permission&quot;&gt;UIU-445&lt;/a&gt; (Draft) that states this should work with SSO logins as well as internal, so it would likely need implementing by both.&lt;/p&gt;</comment>
                                                            <comment id="194167" author="5c38e8d616ac1e4f7cbc660a" created="Wed, 19 Sep 2018 12:39:24 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; class=&quot;user-hover&quot; rel=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; data-account-id=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; accountid=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; rel=&quot;noreferrer&quot;&gt;Heikki Levanto&lt;/a&gt; I like the idea of being able to perform an override via multiple authentication services. Need to think through how to implement that in a way that leaves the door open for future expandability.&lt;/p&gt;</comment>
                                                            <comment id="194170" author="5bffed52a1b46046f530c8f7" created="Wed, 19 Sep 2018 13:52:40 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; class=&quot;user-hover&quot; rel=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; data-account-id=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; accountid=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; rel=&quot;noreferrer&quot;&gt;Heikki Levanto&lt;/a&gt; Your point about separating interfaces is well taken.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                            <outwardlinks description="blocks">
                                        <issuelink>
            <issuekey id="42287">UIU-445</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="74109">MODAT-34</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="35258">MODLOGIN-74</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="42113">UIU-583</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="10294">UXPROD-239</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="10992">UXPROD-1609</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="11116">UXPROD-1847</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="80659">FOLIO-1233</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="54008">OKAPI-656</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="74508">STCON-74</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="44708">UIU-582</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="13102">UXPROD-1245</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10171"><![CDATA[Prokopovych]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzypb3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 20 Jul 2018 14:19:58 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>