Enable APIML token renewal before expiration

Open gejohnston opened this issue 1 year ago • 6 comments

Is your feature or enhancement request related to a problem or limitation? Please describe

When an APIML token expires, a REST request fails and the user is directed to login again.

Describe your enhancement idea

Detect that the token is due to expire (or has already expired), and automatically perform an APIML login request. Then continue the user's original request.

Describe alternatives you've considered

  • Create APIs to detect token expiration and perform re-authentication.
    • The same (or similar) APIs should be made available to both the CLI and to ZE extenders.

Provide any additional context

gejohnston avatar Nov 15 '23 17:11 gejohnston

Thank you for raising this enhancement request. The community has 90 days to vote on it. If the enhancement receives at least 5 upvotes, it is added to our development backlog. If it receives fewer votes, the issue is closed.

github-actions[bot] avatar Nov 15 '23 17:11 github-actions[bot]

Just a note: there is an API available via API ML for this type of exchange - https://docs.zowe.org/stable/user-guide/api-mediation/api-mediation-jwt-token-refresh/

It's not enabled by default, but I wanted to let you know, in case this is something you want to use, but it may be better to use the Personal Access Tokens for the authentication against the API Mediation Layer.

balhar-jakub avatar Nov 16 '23 09:11 balhar-jakub

Here is a bit more information about the APIs we could write in a non-breaking enhancement to the Imperative framework.

Thanks to the APIML Token structure, we could split it into 3 portions.

  1. Token identification information: type (JWT), algorithm (RS256), and kID (???)
    {
      "kid": "some_generated_token_id",
      "typ": "JWT",
      "alg": "RS256"
    }
    
  2. Personal identification information: type, user, SAF Groups, issuer, expiration, iat (issued at time?), and more...
    {
      "token_type": "Bearer",
      "sub": "USERNAME",
      "upn": "USERNAME",
      "groups": ["IZUUSER","ZWEADMIN", "MORE_GROUPS"],
      "realm": "SAFRealm",
      "iss": "zOSMF",
      "exp": 1700278625,
      "iat": 1700248625
    }
    
  3. Some very long generated hash/string/token (no point in base64 decoding it 😋 )

The API may look something like this.

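export class CliUtils {
  // ...
  public static getTokenExpirationTime(apimlToken: string): number {
    // This is just pseudo-code : )
    // The payload is the second dot-separated segment, base64url-encoded JSON
    const payload = Buffer.from(apimlToken.split(".")[1], "base64url").toString("utf8");
    const tokenDetails = JSON.parse(payload);
    // "exp" is the expiration time in seconds since the Unix epoch
    return tokenDetails.exp;
  }
}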

zFernand0 avatar Nov 22 '23 13:11 zFernand0
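
An added example (not part of the comment above and not Zowe or Imperative code) of the expiration check the thread asks for: it reads `exp` from the token payload and classifies the token as valid, due for renewal, expired, or unknown. The function names, the 300-second renewal window and the sample token are assumptions made for illustration.

```typescript
// Added example: names below are hypothetical, not Imperative or Zowe CLI APIs.
type TokenState = "valid" | "renew" | "expired" | "unknown";
interface TokenCheck { state: TokenState; secondsLeft: number | null; }

// Decode the JWT payload (second dot-separated segment, base64url JSON).
// The signature is NOT verified: the result is only a client-side hint for
// scheduling a re-login. The server still has to validate the token itself.
function decodeJwtPayload(token: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const parsed: unknown = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return null;
    return parsed as Record<string, unknown>;
  } catch {
    return null; // not JSON, so not a token we can reason about
  }
}

// Classify a token before sending a request with it.
// renewWindowSec (assumed default: 5 minutes) is how early renewal should start.
function checkTokenExpiration(
  token: string,
  nowSec: number = Math.floor(Date.now() / 1000),
  renewWindowSec: number = 300
): TokenCheck {
  const exp = decodeJwtPayload(token)?.exp;
  // A missing or non-numeric "exp" is reported as unknown, never as valid.
  if (typeof exp !== "number" || !Number.isFinite(exp)) return { state: "unknown", secondsLeft: null };
  const secondsLeft = exp - nowSec;
  if (secondsLeft <= 0) return { state: "expired", secondsLeft };
  return { state: secondsLeft <= renewWindowSec ? "renew" : "valid", secondsLeft };
}

// Constructed sample token built from the field names in the comment above;
// the third segment is a placeholder, not a real signature.
function makeSampleToken(exp: number): string {
  const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
  return [
    enc({ kid: "some_generated_token_id", typ: "JWT", alg: "RS256" }),
    enc({ token_type: "Bearer", sub: "USERNAME", iss: "zOSMF", exp, iat: exp - 30000 }),
    "placeholder-signature",
  ].join(".");
}
```

A caller would log in again on `renew` or `expired` and treat `unknown` as a reason to re-authenticate rather than to send the token.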

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions[bot] avatar Feb 20 '24 18:02 github-actions[bot]

This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further.

github-actions[bot] avatar Mar 05 '24 18:03 github-actions[bot]

I think this is still something we should consider, even if only to avoid passing an expired token to the API ML.

adam-wolfe avatar Mar 05 '24 18:03 adam-wolfe