Self Validating Tokens

Description

Support client auth token validation without requiring an admin token.
Two parts:
1. If no admin account is configured, it should be possible to use the client's own token as the credential for the validation call to Identity (that is, the token validates itself).
2. In this case only, if Identity rate limits the validation call, the rate limit error code should be returned to the client (i.e. a 503 should not be substituted).

This will require a change in Identity to support validation of a token with the same token.

Do not implement this Epic until Identity has the change in progress, since it needs to be approved by Product Security first.

Acceptance Criteria:

  • Existing functionality should not break

  • This should be an optional feature (customers can turn it on or off)

  • Validation should be rejected if the token is invalid/expired

  • The rate limit response code should be configurable (413 or 429 are the only codes allowed)

  • When self token validation is turned off we should continue to return a 503
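To make the decision path concrete, here is an added Python model of the behaviour this epic asks for; it is illustration only, not Repose's own code. The validate_client_token function, SelfValidationConfig and FakeIdentity are hypothetical names, the sample tokens are constructed, and two codes are assumptions made here because the epic does not name them: a rejected (invalid or expired) token gets a 401, and a request with no admin token while the feature is off gets a 503.

```python
"""Model of the token-validation decision described in this epic.

Added example, not Repose's own code: the filter function, config class
and Identity client below are hypothetical, and the Identity client is a
stub returning canned statuses for constructed sample tokens.
"""
from dataclasses import dataclass
from typing import Optional, Set

ALLOWED_RATE_LIMIT_CODES = (413, 429)   # the only codes the epic allows
RATE_LIMIT_STATUSES = (413, 429)        # statuses Identity uses when rate limiting


@dataclass(frozen=True)
class SelfValidationConfig:
    enabled: bool = False        # optional feature; off unless the customer turns it on
    rate_limit_code: int = 429   # what the client sees when Identity rate-limits us

    def __post_init__(self) -> None:
        if self.rate_limit_code not in ALLOWED_RATE_LIMIT_CODES:
            raise ValueError(f"rate_limit_code must be one of {ALLOWED_RATE_LIMIT_CODES}")


class FakeIdentity:
    """Stub Identity service (constructed for this example).

    validate(token, auth_token) checks the caller's credential first, then
    the token being looked up. That ordering is what makes the self-validating
    case worth asking about: an expired token used as its own credential fails
    auth (401) before Identity ever reports the token as not found (404).
    """

    def __init__(self, valid_tokens: Set[str], rate_limited: bool = False) -> None:
        self.valid_tokens = valid_tokens
        self.rate_limited = rate_limited

    def validate(self, token: str, auth_token: str) -> int:
        if self.rate_limited:
            return 429
        if auth_token not in self.valid_tokens:
            return 401
        if token not in self.valid_tokens:
            return 404
        return 200


def validate_client_token(client_token: str, admin_token: Optional[str],
                          identity: FakeIdentity, config: SelfValidationConfig) -> int:
    """Return the status the proxy sends back; 200 means the request may proceed."""
    if admin_token is not None:
        auth_token, self_validating = admin_token, False
    elif config.enabled:
        auth_token, self_validating = client_token, True   # the token validates itself
    else:
        return 503   # no admin token and feature off: cannot validate (assumed code)

    status = identity.validate(client_token, auth_token)
    if status == 200:
        return 200
    if status in RATE_LIMIT_STATUSES:
        # Only the self-validating path passes the configured rate-limit code
        # through; every other path keeps substituting a 503, as before.
        return config.rate_limit_code if self_validating else 503
    if status in (401, 404):
        return 401   # invalid or expired token is rejected (code assumed by this example)
    return 503       # any other Identity failure


if __name__ == "__main__":
    identity = FakeIdentity(valid_tokens={"good-token", "admin-token"})
    on = SelfValidationConfig(enabled=True, rate_limit_code=413)
    print(validate_client_token("good-token", None, identity, on))
    print(validate_client_token("expired-token", None, identity, on))
    limited = FakeIdentity(valid_tokens={"good-token", "admin-token"}, rate_limited=True)
    print(validate_client_token("good-token", None, limited, on))
    print(validate_client_token("good-token", "admin-token", limited, on))
```

The config rejects any rate_limit_code other than 413 or 429 at construction time, so a misconfiguration fails on startup rather than leaking an unexpected status to clients. The stub also makes the open question in this ticket visible: under self-validation an expired token produces a 401 from the stub (credential check first) rather than the 404 expected on the admin-token path, so the filter treats both as a rejection.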

Information Needed for REP-2185:

What is the behavior of Identity if the customer token being self-validated is expired? Is it the same response as for an admin token? Our assumption is that an admin token will return a 404 from Identity and Repose will respond with a 403.

For an expired self-validating token, what is the behavior? Kari emailed Identity on 5/5.

Environment

None

Assignee

Unassigned

Reporter

Peter Kazmir

Labels

None

External issue ID

None

CoAssignee

None

Capitalizable

None

Priority

High

Epic Name

Self Validating Tokens