Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Replacing all http icons by https icons

...

StatusFunctionalityNotesStory
(tick)Ability to get a valid refreshTokenPOST /refreshtoken - requires "secret" permission not mentioned in the module descriptorAlready done
(tick)(tick)Ability to get a new access token via valid refresh tokenPOST /refreshAlready done
(error)(error)Ability to revoke a refresh tokenSee Ability to Explicitly Revoke a RefreshToken Not needed
(error)(error)Ability to revoke ALL refresh tokensMay not be urgent - if needed restart the auth module(s) with a new signing key.  See Ability to Explicitly Revoke a RefreshTokenNot needed
(error)(error)Configurable access and refresh token expirationBoth are hardcoded - 10min/24hrs

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-65

(warning)(warning)Access token expirationSet in some cases but never checked

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-64

(tick)(tick)Refresh token expirationRefresh tokens that are expired are considered invalidAlready done
(error)(error)Validation that a refresh token was generated by this FOLIO InstanceRight now depends on signing key.  If we go with rotating refresh tokens (and keys) this is no longer an issue.Not needed
(error)(error)mod-login-saml supports refresh tokensCurrently only returns an access token

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODLOGSAML-57

(error)(error)Gracefully handle access token expiration in module-to-module requestsSee Gracefully Handle Access Token Expiration in Module-to-Module Requests

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-66

(error)(error)Ensure we're not caching access tokens in edge-sip2Can probably be wrapped into the existing story for handing token expiration/invalidation

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keySIP2-71

(error)(error)Silent refresh in edge-commonCurrently caches access tokens for a configurable amount of time

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyEDGCOMMON-22

(error)(error)Refresh token rotation upon useSee Refresh Token Rotation and Automatic Revocation Upon Multiple Uses

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-67

(error)(error)Automatic revocation of refresh tokens when used more than onceSee Refresh Token Rotation and Automatic Revocation Upon Multiple Uses

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-67

(error)
tinymce.emotions_dlg.errorSilent refresh in stripesProbably actually in stripes-connect

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keySTCON-101

(error)
(error)Disable use of JWE by default for refresh tokensSee To Encrypt or Not to Encrypt?

Jira Legacy
serverSystem Jira
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-68

(error)
(error)Refactor/Combine access/token endpointsSee Combine /token and /refresh endpoints in mod-authtoken?

Jira Legacy
serverSystem Jira
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-69

...

  • Always check access token expiry during authorization - (question) (question) What about token cache?
  • Access tokens without a valid expiration will be rejected
  • Access tokens generated for module-to-module purposes have a new expiration, i.e. they don't inherit the expiration from the incoming token

...

Several options were weighed:

  • (error) Clients (error) Clients call mod-authtoken's refresh endpoint directly (e.g. POST /refresh)
    • Pros:
      • No changes are needed to mod-login
    • Cons
      • Proliferation of dependencies on mod-authtoken.  Edge APIs, Stripes, etc. will now need to call mod-authtoken directly, something not previously needed.
  • (error) Clients (error) Clients provide a refresh token when calling mod-login's login endpoint (e.g. POST /authn/login)
    • Pros:
      • No new endpoints required
      • Clients always call the login endpoint, either with credentials or a refresh token
    • Cons
      • Overloading the login endpoint is confusing and messy - breaking changes
  • (tick) Clients (tick) Clients provide a refresh token when calling a new refresh endpoint in the login module (e.g. POST /authn/refresh)
    • Pros:
      • Distinct endpoints for login and refresh is cleaner - and makes it clear what the purpose of each is
      • The existing login endpoint doesn't necessarily need to change, though it might be changing anyway for FOLIO-2523
    • Cons:
      • Clients need to know which endpoint to call, depending on whether they're furnishing credentials or a refresh token.