<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:29:31 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3627] Poppy 2023 R2 - Implement refresh token rotation (RTR) in all affected modules</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3627</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;The core platform has been modified to support two security enhancements:&lt;br/&gt;
1. Token expiration&lt;br/&gt;
2. Token revocation&lt;/p&gt;

&lt;p&gt;All modules that rely on the current login interface of mod-login need to replace use of the authn/login endpoint with the new authn/login-with-expiry endpoint.&lt;/p&gt;

&lt;p&gt;This new endpoint will return a token pair consisting of a refresh token (RT) and an access token (AT) in the form of Set-Cookie headers. Both the AT and RT have a TTL, and the RT may be used to request a new AT/RT pair prior to expiration.&lt;/p&gt;

&lt;p&gt;Converting to the new API is non-optional. The old login endpoint and the new login endpoint will not exist together in any FOLIO release, although both endpoints may be available in snapshot to ease the pain of switching over.&lt;/p&gt;

&lt;p&gt;See the following page for details including: &lt;a href=&quot;https://folio-org.atlassian.net/wiki/pages/viewpage.action?pageId=1396980&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/pages/viewpage.action?pageId=1396980&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;How RTR works&lt;/li&gt;
	&lt;li&gt;How RTR will change FOLIO authentication and authorization&lt;/li&gt;
	&lt;li&gt;Guide for implementing RTR for clients&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="80032">FOLIO-3627</key>
            <summary>Poppy 2023 R2 - Implement refresh token rotation (RTR) in all affected modules</summary>
                <type id="10000" iconUrl="https://folio-org.atlassian.net/images/icons/issuetypes/epic.svg">Epic</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="3" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/inprogress.png" description="This issue is being actively worked on at the moment by the assignee.">In Progress</status>
                    <statusCategory id="4" key="indeterminate" colorName="yellow"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="62e181430b4bf7ad924b3732">Steve Ellis</reporter>
                                    <labels>
                            <label>NFR</label>
                            <label>refresh-tokens</label>
                    </labels>
                <created>Thu, 3 Nov 2022 19:54:49 +0000</created>
                <updated>Thu, 8 Feb 2024 15:36:00 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>14</watches>
                                                                <comments>
                                                            <comment id="190913" author="62e181430b4bf7ad924b3732" created="Mon, 21 Nov 2022 16:05:43 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt;&#160; has implemented a shared library and sample usage for vertx-based modules here: &lt;a href=&quot;https://github.com/adamdickmeiss/folio-vertx-login&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/adamdickmeiss/folio-vertx-login&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="190918" author="5c48911b54e1e6466b11f38c" created="Fri, 16 Dec 2022 21:03:05 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=62e181430b4bf7ad924b3732&quot; class=&quot;user-hover&quot; rel=&quot;62e181430b4bf7ad924b3732&quot; data-account-id=&quot;62e181430b4bf7ad924b3732&quot; accountid=&quot;62e181430b4bf7ad924b3732&quot; rel=&quot;noreferrer&quot;&gt;Steve Ellis&lt;/a&gt; as the work on this progresses, can a developer help with creating some wiki on how subject-matter staff would use this approach in Postman? Many of us (myself included) are doing a lot of API work with Postman because our scripting skills are not advanced, and so this will be a change that people will have to be able to understand.&lt;/p&gt;</comment>
                                                            <comment id="190923" author="62e181430b4bf7ad924b3732" created="Wed, 21 Dec 2022 17:57:56 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c48911b54e1e6466b11f38c&quot; class=&quot;user-hover&quot; rel=&quot;5c48911b54e1e6466b11f38c&quot; data-account-id=&quot;5c48911b54e1e6466b11f38c&quot; accountid=&quot;5c48911b54e1e6466b11f38c&quot; rel=&quot;noreferrer&quot;&gt;Erin Nettifee&lt;/a&gt; Thanks for your question and sorry for the delay in replying. Your point is well taken. We need to create a wiki page for people who are used to the way the current tokens work.&lt;/p&gt;

&lt;p&gt;Using the new tokens won&apos;t be as convenient as the old ones, but getting a new token when the one you have expires is as simple as posting a new login request to &lt;tt&gt;authn/login-with-expiry&lt;/tt&gt; with your credentials and reading the Set-Cookie header which will contain the new access token. Then you can use that token in your subsequent postman requests until it expires.&lt;/p&gt;</comment>
                                                            <comment id="190931" author="5c48911b54e1e6466b11f38c" created="Wed, 21 Dec 2022 18:15:29 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=62e181430b4bf7ad924b3732&quot; class=&quot;user-hover&quot; rel=&quot;62e181430b4bf7ad924b3732&quot; data-account-id=&quot;62e181430b4bf7ad924b3732&quot; accountid=&quot;62e181430b4bf7ad924b3732&quot; rel=&quot;noreferrer&quot;&gt;Steve Ellis&lt;/a&gt; it&apos;s OK, I appreciate your response. I think also it would help to know how that could potentially work with an SSO environment, if that could be understood. I know at Duke, all of our FOLIO environments are using our Shibboleth for login, so my netid password is not my FOLIO password.&lt;/p&gt;

&lt;p&gt;I did a little poking around when I saw this jira, and it looks like Postman has a cookie manager feature - &lt;a href=&quot;https://learning.postman.com/docs/sending-requests/cookies/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://learning.postman.com/docs/sending-requests/cookies/&lt;/a&gt; - but I haven&apos;t experimented with it.&lt;/p&gt;</comment>
                                                            <comment id="190942" author="615afd1cd9820f0070a09ef0" created="Thu, 12 Jan 2023 13:24:46 +0000"  >&lt;p&gt;For UI applications, &lt;a href=&quot;https://github.com/folio-org/ui-invoice/pull/657&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/ui-invoice/pull/657&lt;/a&gt; demonstrates an especially nice backwards-compatible implementation that others should consider copying. Nice work, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A954aac8a-bfab-442c-92fe-93bc90a8b8e1&quot; class=&quot;user-hover&quot; rel=&quot;712020:954aac8a-bfab-442c-92fe-93bc90a8b8e1&quot; data-account-id=&quot;712020:954aac8a-bfab-442c-92fe-93bc90a8b8e1&quot; accountid=&quot;712020:954aac8a-bfab-442c-92fe-93bc90a8b8e1&quot; rel=&quot;noreferrer&quot;&gt;Yury Saukou&lt;/a&gt;!&lt;/p&gt;</comment>
                                                            <comment id="190944" author="5c48e229cc3a1d3d8a2bbf75" created="Thu, 16 Feb 2023 20:27:13 +0000"  >&lt;p&gt;I&apos;m concerned about some Google Colabs I have set up to query APIs. For example, I have a script set up to loop through a list of barcodes and query each for its circulation checkouts, and if it&apos;s a long list, my RT is likely to expire and my script will fail in the middle.&#160; I don&apos;t yet have the coding skills myself to get around this.&#160; &#160;Advice on these types of issues for the novice API users would be great.&#160;&#160;&lt;/p&gt;</comment>
                                                            <comment id="190950" author="5ee89462f7aa140abd82d11d" created="Tue, 9 May 2023 14:32:32 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c48e229cc3a1d3d8a2bbf75&quot; class=&quot;user-hover&quot; rel=&quot;5c48e229cc3a1d3d8a2bbf75&quot; data-account-id=&quot;5c48e229cc3a1d3d8a2bbf75&quot; accountid=&quot;5c48e229cc3a1d3d8a2bbf75&quot; rel=&quot;noreferrer&quot;&gt;Kara Hart&lt;/a&gt; : As soon as API tokens are available you should switch to them because they don&apos;t expire: 
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;MODAT-111&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODAT-111&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Implement new API token management API&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            MODAT-111
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-complete jira-macro-single-issue-export-pdf&quot;&gt;Open&lt;/span&gt;
            &lt;/span&gt;
&lt;/p&gt;

&lt;p&gt;Until then you need to look at the access token expiration.&lt;/p&gt;

&lt;p&gt;Note: In scripts there is no need to make use of the refresh token. You can simply log in again with username and password.&lt;/p&gt;

&lt;p&gt;After processing one barcode you might look at the access token expiration and, if it is less than your maximum processing time (e.g. 60 seconds), simply get a new access token.&lt;/p&gt;

&lt;p&gt;Or you simply process the list of barcodes in batches (e.g. 1000 barcodes) and after each batch you fetch a new access token.&lt;/p&gt;</comment>
                                                            <comment id="190958" author="62a96ae7192edb006f9f1bf9" created="Wed, 28 Jun 2023 13:17:38 +0000"  >&lt;p&gt;Hey &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=62e181430b4bf7ad924b3732&quot; class=&quot;user-hover&quot; rel=&quot;62e181430b4bf7ad924b3732&quot; data-account-id=&quot;62e181430b4bf7ad924b3732&quot; accountid=&quot;62e181430b4bf7ad924b3732&quot; rel=&quot;noreferrer&quot;&gt;Steve Ellis&lt;/a&gt; and &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=615afd1cd9820f0070a09ef0&quot; class=&quot;user-hover&quot; rel=&quot;615afd1cd9820f0070a09ef0&quot; data-account-id=&quot;615afd1cd9820f0070a09ef0&quot; accountid=&quot;615afd1cd9820f0070a09ef0&quot; rel=&quot;noreferrer&quot;&gt;Zak Burke&lt;/a&gt;, does the epic impact consortia development? &lt;br/&gt;
cc: &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A2f7b6349-450b-419a-ba54-c181f51383ad&quot; class=&quot;user-hover&quot; rel=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; data-account-id=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; accountid=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; rel=&quot;noreferrer&quot;&gt;Dennis Bridges&lt;/a&gt; &lt;/p&gt;</comment>
                                                            <comment id="190963" author="62e181430b4bf7ad924b3732" created="Wed, 28 Jun 2023 14:56:30 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=62a96ae7192edb006f9f1bf9&quot; class=&quot;user-hover&quot; rel=&quot;62a96ae7192edb006f9f1bf9&quot; data-account-id=&quot;62a96ae7192edb006f9f1bf9&quot; accountid=&quot;62a96ae7192edb006f9f1bf9&quot; rel=&quot;noreferrer&quot;&gt;Khalilah Gambrell&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=615afd1cd9820f0070a09ef0&quot; class=&quot;user-hover&quot; rel=&quot;615afd1cd9820f0070a09ef0&quot; data-account-id=&quot;615afd1cd9820f0070a09ef0&quot; accountid=&quot;615afd1cd9820f0070a09ef0&quot; rel=&quot;noreferrer&quot;&gt;Zak Burke&lt;/a&gt; and &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A2f7b6349-450b-419a-ba54-c181f51383ad&quot; class=&quot;user-hover&quot; rel=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; data-account-id=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; accountid=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; rel=&quot;noreferrer&quot;&gt;Dennis Bridges&lt;/a&gt; - I think it&apos;s the other way around: the consortia development will impact the RTR work, in that integrating the changes from the ECS work into the core platform modules that have the RTR changes will take more time because there is likely overlap between the code. The ECS work has not been done based on the RTR branches but rather off of master. That said, I think the current shared understanding is that the design of ECS is not in conflict with the design of RTR. There&apos;s nothing in principle about ECS that makes it incompatible with RTR. 
I&apos;ll tag &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab069a93f-6f5f-43c0-a76f-f668b7eb6bb0&quot; class=&quot;user-hover&quot; rel=&quot;557058:b069a93f-6f5f-43c0-a76f-f668b7eb6bb0&quot; data-account-id=&quot;557058:b069a93f-6f5f-43c0-a76f-f668b7eb6bb0&quot; accountid=&quot;557058:b069a93f-6f5f-43c0-a76f-f668b7eb6bb0&quot; rel=&quot;noreferrer&quot;&gt;Olamide Kolawole&lt;/a&gt;&#160; and &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; who I believe share this understanding. Please correct me if needed.&lt;/p&gt;</comment>
                                                            <comment id="190968" author="557058:2f7b6349-450b-419a-ba54-c181f51383ad" created="Fri, 30 Jun 2023 18:44:19 +0000"  >&lt;p&gt;Sounds like we will just need to pay close attention when this code is merged and retest both features.&lt;/p&gt;</comment>
                                                            <comment id="190971" author="5bffed52a1b46046f530c8f7" created="Tue, 25 Jul 2023 10:26:04 +0000"  >&lt;p&gt;Instead of having every application re-implement &lt;tt&gt;getLegacyTokenHeader(okapi)&lt;/tt&gt;, we should have extended stripes-core so every app can call &lt;tt&gt;tstripes.legacyTokenHeader()&lt;/tt&gt;.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10008">
                    <name>Defines</name>
                                            <outwardlinks description="defines">
                                        <issuelink>
            <issuekey id="12727">UXPROD-4397</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="76761">ZF-91</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="76406">STRWEB-99</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="79891">FOLIO-3890</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10013" key="com.pyxis.greenhopper.jira:gh-epic-color">
                        <customfieldname>Epic Color</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ghx-label-5</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10011" key="com.pyxis.greenhopper.jira:gh-epic-label">
                        <customfieldname>Epic Name</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Refresh token rotation</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10012" key="com.pyxis.greenhopper.jira:gh-epic-status">
                        <customfieldname>Epic Status</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10016"><![CDATA[To Do]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_10017" key="com.pyxis.greenhopper.jira:jsw-issue-color">
                        <customfieldname>Issue color</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>dark_teal</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i05pnv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 16 Dec 2022 21:03:05 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>