Enable APIML token renewal before expiration

[gejohnston]

Is your feature or enhancement request related to a problem or limitation? Please describe

When an APIML token expires, a REST request fails and the user is directed to login again.

Describe your enhancement idea

Detect that the token is due to (or has already) expired, and automatically perform an APIML login request. Then continue the user's original request.

Describe alternatives you've considered

• Create APIs to detect token expiration and perform re-authentication.
  • The same (or similar) APIs should be made available to both the CLI and to ZE extenders.

Provide any additional context

[github-actions]

Thank you for raising this enhancement request.
The community has 90 days to vote on it.
If the enhancement receives at least 5 upvotes, it is added to our development backlog.
If it receives fewer votes, the issue is closed.

[balhar-jakub]

Just a note there is API available via API ML for this type of exchange - https://docs.zowe.org/stable/user-guide/api-mediation/api-mediation-jwt-token-refresh/

It's not enabled by default, but I wanted to let you know, in case this is something you want to use, but it may be better to use the Personal Access Tokens for the authentication against the API Mediation Layer.

[zFernand0]

Here is a bit more information about the APIs we could write in a non-breaking enhancement to the Imperative framework.

Thanks to the APIML Token structure, we could split it into 3 portions.

1. Token identification information: type (JWT), algorithm (RS256), and kID (???)

   {
     "kid": "some_generated_token_id",
     "typ": "JWT",
     "alg": "RS256"
   }

2. Personal identification information: type, user, SAF Groups, issuer, expiration, iat (issued at time?), and more...

   {
     "token_type": "Bearer",
     "sub": "USERNAME",
     "upn": "USERNAME",
     "groups": ["IZUUSER","ZWEADMIN", "MORE_GROUPS"],
     "realm": "SAFRealm",
     "iss": "zOSMF",
     "exp": 1700278625,
     "iat": 1700248625
   }

3. Some very long generated hash/string/token (no point in base64 decoding it 😋 )

---

The API may look something like this.

export class CliUtils {
  // ...
  public static getTokenExpirationTime(apimlToken: string): string {
    // This is just pseudo-code : )
    const tokenDetails = JSON.parse(base64Decode(apimlToken.split(".")[1]));
    return tokenDetails.exp;
  }

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[github-actions]

This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further.

[adam-wolfe]

I think this is still something we should consider, even if only to avoid passing an expired token to the API ML.