Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Linking Google Doc "FOLIO Authentication Token Architecture Improvements"

...

StatusFunctionalityNotesStory
(tick)(tick)Ability to get a valid refreshTokenPOST /refreshtoken - requires "secret" permission not mentioned in the module descriptorAlready done
(tick)(tick)Ability to get a new access token via valid refresh tokenPOST /refreshAlready done
(error)(error)Ability to revoke a refresh tokenSee Ability to Explicitly Revoke a RefreshToken Not needed
(error)(error)Ability to revoke ALL refresh tokensMay not be urgent - if needed restart the auth module(s) with a new signing key.  See Ability to Explicitly Revoke a RefreshTokenNot needed
(error)(error)Configurable access and refresh token expirationBoth are hardcoded - 10min/24hrs

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-65

(warning)(warning)Access token expirationSet in some cases but never checked

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-64

(tick)(tick)Refresh token expirationRefresh tokens that are expired are considered invalidAlready done
(error)(error)Validation that a refresh token was generated by this FOLIO InstanceRight now depends on signing key.  If we go with rotating refresh tokens (and keys) this is no longer an issue.Not needed
(error)(error)mod-login-saml supports refresh tokensCurrently only returns an access token

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODLOGSAML-57

(error)(error)Gracefully handle access token expiration in module-to-module requestsSee Gracefully Handle Access Token Expiration in Module-to-Module Requests

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-66

(error)(error)Ensure we're not caching access tokens in edge-sip2Can probably be wrapped into the existing story for handing token expiration/invalidation

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keySIP2-71

(error)(error)Silent refresh in edge-commonCurrently caches access tokens for a configurable amount of time

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyEDGCOMMON-22

(error)(error)Refresh token rotation upon useSee Refresh Token Rotation and Automatic Revocation Upon Multiple Uses

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-67

(error)(error)Automatic revocation of refresh tokens when used more than onceSee Refresh Token Rotation and Automatic Revocation Upon Multiple Uses

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-67

tinymce.emotions_dlg.error(error)Silent refresh in stripesProbably actually in stripes-connect

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keySTCON-101

(error)(error)Disable use of JWE by default for refresh tokensSigning, but no encryption. See To Encrypt or Not to Encrypt?

Jira Legacy
serverSystem JiraJIRA
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-68

(error)(error)Refactor/Combine access/token endpointsSee Combine /token and /refresh endpoints in mod-authtoken?

Jira Legacy
serverSystem JiraJIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyMODAT-69

...

Spike:

Related:

  • Jira Legacy
    serverSystem JiraJIRA
    serverId01505d01-b853-3c2e-90f1-ee9b165564fc
    keyFOLIO-1233
  • Jira Legacy
    serverSystem JiraJIRA
    serverId01505d01-b853-3c2e-90f1-ee9b165564fc
    keyFOLIO-2524
  • Jira Legacy
    serverSystem JiraJIRA
    serverId01505d01-b853-3c2e-90f1-ee9b165564fc
    keyUIU-1324

...

  • Always check access token expiry during authorization - (question) (question) What about token cache?
  • Access tokens without a valid expiration will be rejected
  • Access tokens generated for module-to-module purposes have a new expiration, i.e. they don't inherit the expiration from the incoming token

...

In order to avoid proliferation of modules dependent upon the authtoken interface, we should create an endpoint in mod-login which clients can use to refresh their access token.  Other options that we considered are documented in the Appendix.

Since stripes/stripes-connect will likely store refresh tokens in a httpOnly cookie, this new refresh endpoint will accommodate two mechanisms for communicating refresh tokens, or "tokenTransport":

...

Decisions

TBD
Page Properties
Status
Status
colourYellow
titlePending
Stakeholders
Outcometest
Due date
Owner
Page Properties
Status
Status
colourYellow
titlePending
Stakeholders
Outcometest2
Due date
Owner
Page Properties
Status
Status
colourYellow
titleIn PRogress
Stakeholders
Outcometest2
Due date
Owner


Appendix

Which APIs should clients use to refresh access tokens?

Several options were weighed:

  • (error) (error) Clients call mod-authtoken's refresh endpoint directly (e.g. POST /refresh)
    • Pros:
      • No changes are needed to mod-login
    • Cons
      • Proliferation of dependencies on mod-authtoken.  Edge APIs, Stripes, etc. will now need to call mod-authtoken directly, something not previously needed.
  • (error) (error) Clients provide a refresh token when calling mod-login's login endpoint (e.g. POST /authn/login)
    • Pros:
      • No new endpoints required
      • Clients always call the login endpoint, either with credentials or a refresh token
    • Cons
      • Overloading the login endpoint is confusing and messy - breaking changes
  • (tick) (tick) Clients provide a refresh token when calling a new refresh endpoint in the login module (e.g. POST /authn/refresh)
    • Pros:
      • Distinct endpoints for login and refresh is cleaner - and makes it clear what the purpose of each is
      • The existing login endpoint doesn't necessarily need to change, though it might be changing anyway for FOLIO-2523
    • Cons:
      • Clients need to know which endpoint to call, depending on whether they're furnishing credentials or a refresh token.

...