Copyright (C) 2016-2019 The Open Library Foundation
This software is distributed under the terms of the Apache License, Version 2.0. See the file "LICENSE" for more information.
This module is responsible for filtering all proxy traffic and checking for a valid token. In addition, it is responsible for retrieving the permissions for a given user and making decisions regarding access based on user permissions and defined requirements for a given path. It provides a token creation endpoint that privileged modules (such as Authentication) may make use of.
This module requires that the Java Cryptography Extension (JCE) files be installed in order to run successfully. OpenJDK has shipped with them since 8u161; for Oracle JDK they can be downloaded from https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
In addition to acting as a filter, the module exposes a few endpoints that are accessible as part of the regular Okapi ecosystem. These endpoints are as follows:
/token - This endpoint signs and returns an access token (JWT). It requires the permission auth.signtoken, which must be defined as a module permission to be used. It accepts a POST of a JSON object with a field called payload that contains the claims of the token. The token is returned inside a JSON object (response code 201) in a field called token.
/refreshtoken - This endpoint signs and returns a refresh token (JWE). It requires the permission auth.signrefreshtoken, which must be defined as a module permission. It accepts a POST of a JSON object with the required fields userId and sub. The token is returned inside a JSON object (response code 201) in a field called refreshToken.
/refresh - This endpoint takes a valid refresh token and returns a new access token. It accepts a POST of a JSON object with the required field refreshToken that contains the refresh token. It returns a new access token inside a JSON object (response code 201) in a field called token.
Command Line Options
mod-authtoken employs a caching mechanism to avoid repeated lookups to the permissions module for rapid incoming requests. This is enabled by default, though it may be disabled by passing -Dcache.permissions=false when launching the jar.
Passing a value of "true" in the Authtoken-Refresh-Cache header for any request will inform mod-authtoken to delete the permissions cache for that user ID and to request fresh permissions, regardless of cache age.
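The following added example illustrates the filtering behaviour described in this README (required permissions per path, a per-user permissions cache, the cache.permissions switch and the Authtoken-Refresh-Cache header) in Python; it is not mod-authtoken's own code. The cache TTL, the path-to-permissions table, the lookup callable standing in for the permissions module, and the decision to deny paths with no defined requirement are assumptions made for the example.

```python
import time
from typing import Callable, Dict, Mapping, Optional, Set, Tuple

# Example only: models the filter's permission check and cache as the README
# describes them. TTL, path table and lookup are assumptions for illustration.


class PermissionFilter:
    def __init__(
        self,
        lookup: Callable[[str], Set[str]],
        required: Mapping[str, Set[str]],
        cache_enabled: bool = True,
        ttl_seconds: float = 60.0,
    ):
        self._lookup = lookup            # stands in for the call to the permissions module
        self._required = required        # path -> permissions needed (assumed table)
        self._cache_enabled = cache_enabled  # -Dcache.permissions=false would turn this off
        self._ttl = ttl_seconds          # assumed cache age limit
        self._cache: Dict[str, Tuple[float, Set[str]]] = {}  # user_id -> (fetched_at, perms)

    def _permissions_for(self, user_id: str, headers: Mapping[str, str], now: float) -> Set[str]:
        # HTTP header names are case-insensitive; normalise before looking for the flag.
        lowered = {k.lower(): v for k, v in headers.items()}
        refresh = lowered.get("authtoken-refresh-cache", "").strip().lower() == "true"
        if refresh:
            self._cache.pop(user_id, None)  # drop the entry regardless of its age
        elif self._cache_enabled:
            entry = self._cache.get(user_id)
            if entry is not None and now - entry[0] < self._ttl:
                return entry[1]
        perms = set(self._lookup(user_id))
        if self._cache_enabled:
            self._cache[user_id] = (now, perms)
        return perms

    def check(
        self,
        user_id: str,
        path: str,
        headers: Optional[Mapping[str, str]] = None,
        now: Optional[float] = None,
    ) -> bool:
        """True if the user holds every permission defined as required for `path`."""
        needed = self._required.get(path)
        if needed is None:
            # Example's own choice: a path with no defined requirement is denied.
            return False
        have = self._permissions_for(user_id, headers or {}, time.time() if now is None else now)
        return needed.issubset(have)


if __name__ == "__main__":
    # Constructed sample: one user with two permissions, two protected paths.
    def lookup(uid: str) -> Set[str]:
        return {"auth.signtoken", "users.item.get"} if uid == "u-1" else set()

    f = PermissionFilter(lookup, {"/token": {"auth.signtoken"}, "/refreshtoken": {"auth.signrefreshtoken"}})
    print("/token:", f.check("u-1", "/token", now=0))
    print("/refreshtoken:", f.check("u-1", "/refreshtoken", now=0))
```

The example keeps the refresh-header path separate from the normal cache read so that a "true" value always results in a fresh lookup, which is the contract the README states; the expiry check on entry age is what makes a stale-permission window bounded even when no caller sends the header.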
Other FOLIO Developer documentation is at dev.folio.org
See the built target/ModuleDescriptor.json for the interfaces that this module requires and provides, the permissions, and the additional module metadata.