Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Linking Google Doc "FOLIO Authentication Token Architecture Improvements"

...

StatusFunctionalityNotesStory
(tick)(tick)Ability to get a valid refreshTokenPOST /refreshtoken - requires "secret" permission not mentioned in the module descriptorAlready done
(tick)(tick)Ability to get a new access token via valid refresh tokenPOST /refreshAlready done
(error)(error)Ability to revoke a refresh tokenSee Ability to Explicitly Revoke a RefreshToken Not needed
(error)(error)Ability to revoke ALL refresh tokensMay not be urgent - if needed restart the auth module(s) with a new signing key.  See Ability to Explicitly Revoke a RefreshTokenNot needed
(error)(error)Configurable access and refresh token expirationBoth are hardcoded - 10min/24hrs

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-65

(warning)(warning)Access token expirationSet in some cases but never checked

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-64

(tick)(tick)Refresh token expirationRefresh tokens that are expired are considered invalidAlready done
(error)(error)Validation that a refresh token was generated by this FOLIO InstanceRight now depends on signing key.  If we go with rotating refresh tokens (and keys) this is no longer an issue.Not needed
(error)(error)mod-login-saml supports refresh tokensCurrently only returns an access token

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODLOGSAML-57

(error)(error)Gracefully handle access token expiration in module-to-module requestsSee Gracefully Handle Access Token Expiration in Module-to-Module Requests

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-66

(error)(error)Ensure we're not caching access tokens in edge-sip2Can probably be wrapped into the existing story for handing token expiration/invalidation

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keySIP2-71

(error)(error)Silent refresh in edge-commonCurrently caches access tokens for a configurable amount of time

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyEDGCOMMON-22

(error)(error)Refresh token rotation upon useSee Refresh Token Rotation and Automatic Revocation Upon Multiple Uses

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-67

(error)(error)Automatic revocation of refresh tokens when used more than onceSee Refresh Token Rotation and Automatic Revocation Upon Multiple Uses

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-67

(error)
(error)Silent refresh in stripesProbably actually in stripes-connect

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keySTCON-101

(error)
(error)Disable use of JWE by default for refresh tokensSigning, but no encryption. See To Encrypt or Not to Encrypt?

Jira Legacy
serverSystem JiraJIRA
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-68

(error)
(error)Refactor/Combine access/token endpointsSee Combine /token and /refresh endpoints in mod-authtoken?

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-69

...

Spike:

Related:

  • Jira Legacy
    serverSystem JiraJIRA
    serverId01505d01-b853-3c2e-90f1-ee9b165564fc
    keyFOLIO-1233
  • Jira Legacy
    serverSystem JiraJIRA
    serverId01505d01-b853-3c2e-90f1-ee9b165564fc
    keyFOLIO-2524
  • Jira Legacy
    serverSystem JiraJIRA
    serverId01505d01-b853-3c2e-90f1-ee9b165564fc
    keyUIU-1324

...

  • Always check access token expiry during authorization - (question) (question) What about token cache?
  • Access tokens without a valid expiration will be rejected
  • Access tokens generated for module-to-module purposes have a new expiration, i.e. they don't inherit the expiration from the incoming token

...

Currently the refresh tokens issued from mod-authtoken are encrypted (JWE).  I'm not sure that's necessary as there doesn't appear to be anything sensitive/secret in the token itself.  Unless there's a compelling reason to encrypt these, I suggest we save the time/resources on the extra crypto and forego the use of JWE.

They still need to be signed.

Combine /token and /refresh endpoints in mod-authtoken?

...

Interface

Method

Path

Request

Response

Permissions Required

Description

Notes

authtokenPOST/tokensclaimstokens

auth.signtoken

auth.signrefreshtoken

Generate and return access and refresh tokens 

Proxy to storage module.  


claims

Property

Type

Default

Required

Notes

user_idstringNANo

UUID of the user these tokens are associated with

tenantstringNAYesThe tenant these tokens are associated with
substringNANoaccess token subject (username? module name?)
TBD



refreshTokenstringNANoOptional refresh token - if present, use this to 

...

In order to avoid proliferation of modules dependent upon the authtoken interface, we should create an endpoint in mod-login which clients can use to refresh their access token.  Other options that we considered are documented in the Appendix.

Since stripes/stripes-connect will likely store refresh tokens in a httpOnly cookie, this new refresh endpoint will accommodate two mechanisms for communicating refresh tokens, or "tokenTransport":

...

Decisions

TBD


Appendix

Which APIs should clients use to refresh access tokens?

Several options were weighed:

  • (error) Clients (error) Clients call mod-authtoken's refresh endpoint directly (e.g. POST /refresh)
    • Pros:
      • No changes are needed to mod-login
    • Cons
      • Proliferation of dependencies on mod-authtoken.  Edge APIs, Stripes, etc. will now need to call mod-authtoken directly, something not previously needed.
  • (error) Clients (error) Clients provide a refresh token when calling mod-login's login endpoint (e.g. POST /authn/login)
    • Pros:
      • No new endpoints required
      • Clients always call the login endpoint, either with credentials or a refresh token
    • Cons
      • Overloading the login endpoint is confusing and messy - breaking changes
  • (tick) Clients (tick) Clients provide a refresh token when calling a new refresh endpoint in the login module (e.g. POST /authn/refresh)
    • Pros:
      • Distinct endpoints for login and refresh is cleaner - and makes it clear what the purpose of each is
      • The existing login endpoint doesn't necessarily need to change, though it might be changing anyway for FOLIO-2523
    • Cons:
      • Clients need to know which endpoint to call, depending on whether they're furnishing credentials or a refresh token.

...