Move access token out of URL

Description

Currently, the access_token (bearer token) is passed to the server as a URL query parameter. This is not best practice: access/bearer tokens then end up in the URL itself, where intermediaries (proxies, access logs) can capture them.

These tokens should instead be sent in an HTTP header (the Authorization header) on each call.

Acceptance criteria:

  • Bearer tokens (access tokens) are no longer sent in the URL as a query parameter; they are passed in the HTTP header instead.

Check that:

  • Headers are usable through Swagger in each service

  • UI does not send the access token through URLs (except for PDF downloads opened in a new window)

  • Inter-service communication still works
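The migration described above, as an added example (not OpenLMIS project code): a server-side resolver that prefers the Authorization header and only falls back to the query parameter when explicitly allowed (the `allow_query` switch stands in for the decision, left to each implementor, to keep the query-parameter form), a client-side helper that moves `access_token` out of the URL into a bearer header, and a redaction helper for URLs that reach logs. All function names and the sample URLs are assumptions.

```python
import re
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TOKEN_PARAM = "access_token"
_BEARER = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)


def resolve_token(headers: Mapping[str, str], query: Mapping[str, str],
                  allow_query: bool = False) -> Tuple[Optional[str], str]:
    """Return (token, source). The Authorization header always wins; the
    query parameter is honoured only when allow_query is True."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth:
        m = _BEARER.match(auth.strip())
        if m:
            return m.group(1), "header"
    if allow_query and TOKEN_PARAM in query:
        return query[TOKEN_PARAM], "query"
    return None, "none"


def move_token_to_header(url: str, headers: Optional[dict] = None) -> Tuple[str, dict]:
    """Client-side migration: strip access_token from the URL and send it as
    'Authorization: Bearer <token>'. Other query parameters are preserved."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    token = next((v for k, v in pairs if k == TOKEN_PARAM), None)
    kept = [(k, v) for k, v in pairs if k != TOKEN_PARAM]
    new_headers = dict(headers or {})
    if token:
        new_headers["Authorization"] = f"Bearer {token}"
    new_url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return new_url, new_headers


def redact_url(url: str) -> str:
    """Replace any access_token value with a placeholder before a URL is logged,
    so a client that still uses the old form does not leak its token."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k == TOKEN_PARAM else v) for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(redacted), parts.fragment))
```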

Environment

None

Activity

Paweł Gesek
July 21, 2017, 3:39 PM

Do we want to retain support for using the token in the URL? If not, should we consider this a major version change for every service?

Paweł Gesek
July 26, 2017, 4:37 PM

OAuth supports both by default - so for now I am just leaving the two options on the table, while making OLMIS itself always use headers instead of a request param.

Brandon Bowersox-Johnson
July 26, 2017, 11:40 PM

That sounds to me like a reasonable choice, where each implementor can make their own decision.

Josh Zamor
July 27, 2017, 12:12 AM

+1

Joanna Bebak
August 1, 2017, 11:52 AM

I checked, and everything works correctly.

Done

Assignee

Paweł Gesek

Reporter

Josh Zamor

Labels

None

Story Points

5

Time tracking

0m

Time remaining

0m

Components

Sprint

None

Fix versions

Priority

Critical