View Issue Details
| Field | Value |
|---|---|
| ID | 0017766 |
| Project | mantisbt |
| Category | api soap |
| View Status | public |
| Date Submitted | 2014-10-15 03:50 |
| Last Update | 2016-05-24 06:49 |
| Reporter | vboctor |
| Assigned To | vboctor |
| Priority | normal |
| Severity | feature |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.18 |
| Fixed in Version | 1.3.0-rc.1 |
| Summary | 0017766: Access Tokens instead of Passwords |
| Tags | No tags attached. |
| Attached Files | |

Description

It is pretty common for services to provide a way for users to issue and revoke tokens that can be used to access all data in the service or even a subset of it. Examples include:

If we support generating, storing and revoking such tokens, then we can use such tokens for login via the SOAP API rather than using the user password. Ideally OAuth would be used, but even though some of the above services support OAuth, they still support access tokens for integrations with protocols and apps that don't support it. OAuth and such tokens provide the ability to allow access yet limit what the user can do. For example, a read-only access token vs. read-write. Or "report issue" vs. "read issues" and so on. We don't have to start there, but it is possible to have N kinds of tokens or N token capabilities. See attached example screenshot from GitHub.
Sounds like a potentially useful feature - I never liked the approach of having to send user+pw for each SOAP request - it's cumbersome, and not secure if the backend is not using SSL.
I'm considering implementing this. Here is the approach I'm going to use:

What happens to existing users?

What won't be included:

Note that the API will continue to be compatible with old / new authentication models.
Reminder sent to: atrol, dregad, rombert

What are your thoughts on this SOAP API authentication change?
Overall looks good to me. I wonder why you don't plan to include 'Passing the username in the header as well.'? Using HTTP basic auth including username+password or username+token would be a nice addition.
Sounds good @rombert. I was thinking about using headers for username + token. But even supporting the username + password case is a good idea too.
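The following is an added example and not MantisBT's own code (the project's implementation lives in the files listed under the commits below, whose contents are not shown on this page). It sketches the scheme discussed in the description and in the comments above: randomly generated tokens stored only as hashes, per-token capabilities such as read-only vs. read-write, revocation, and HTTP Basic authentication that accepts either username + token or username + password. All function names, the in-memory store that stands in for the database table, the `$password_check` callback and the capability strings are hypothetical.

```php
<?php
// Added example, not MantisBT code. Names, store layout and capability strings
// are hypothetical; an in-memory array stands in for the database table.
declare(strict_types=1);

const TOKEN_SECRET_BYTES = 32;

/**
 * Issue a token for $user carrying the capabilities in $caps.
 * The plaintext "<id>.<secret>" is returned exactly once; only a SHA-256 hash
 * of the secret is stored. Plain SHA-256 is adequate here because the secret
 * is 256 bits of CSPRNG output, not a user-chosen password.
 */
function api_token_create(array &$store, string $user, array $caps): string
{
    $id     = bin2hex(random_bytes(8));
    $secret = bin2hex(random_bytes(TOKEN_SECRET_BYTES));
    $store[$id] = [
        'user'    => $user,
        'hash'    => hash('sha256', $secret),
        'caps'    => $caps,
        'revoked' => false,
    ];
    return $id . '.' . $secret;
}

/** Revoking marks the record dead; the plaintext never needs to be known. */
function api_token_revoke(array &$store, string $id): void
{
    if (isset($store[$id])) {
        $store[$id]['revoked'] = true;
    }
}

/**
 * Look the token up by id, then compare the hash of the presented secret with
 * hash_equals() so the comparison does not leak timing information.
 * Returns the stored record, or null if the token is unknown, revoked, or
 * belongs to a different user than the one claimed.
 */
function api_token_validate(array $store, string $user, string $token): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $rec = $store[$parts[0]];
    if ($rec['revoked'] || $rec['user'] !== $user) {
        return null;
    }
    if (!hash_equals($rec['hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    return $rec;
}

/** Capability check: a read-only token may 'read_issues' but not 'report_issue'. */
function api_token_allows(array $caps, string $cap): bool
{
    return in_array($cap, $caps, true);
}

/**
 * Authenticate from an "Authorization: Basic ..." header value. The password
 * part is tried as an API token first and, failing that, handed to the
 * existing password check ($password_check, a hypothetical callback). A
 * password login yields full capabilities; a token login yields only its own.
 */
function api_authenticate_basic(array $store, string $auth_header, callable $password_check): ?array
{
    if (stripos($auth_header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($auth_header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $secret] = explode(':', $decoded, 2);

    $rec = api_token_validate($store, $user, $secret);
    if ($rec !== null) {
        return ['user' => $user, 'caps' => $rec['caps'], 'via' => 'token'];
    }
    if ($password_check($user, $secret)) {
        return ['user' => $user, 'caps' => ['read_issues', 'report_issue'], 'via' => 'password'];
    }
    return null;
}

// Demonstration with a constructed store and a password check that always fails.
$store = [];
$plain = api_token_create($store, 'alice', ['read_issues']);
$header = 'Basic ' . base64_encode('alice:' . $plain);
$noPasswords = static function (string $u, string $p): bool { return false; };

$session = api_authenticate_basic($store, $header, $noPasswords);
printf("login via %s, read allowed: %s, report allowed: %s\n",
    $session['via'],
    api_token_allows($session['caps'], 'read_issues') ? 'yes' : 'no',
    api_token_allows($session['caps'], 'report_issue') ? 'yes' : 'no');

api_token_revoke($store, explode('.', $plain, 2)[0]);
printf("after revocation: %s\n",
    api_authenticate_basic($store, $header, $noPasswords) === null ? 'rejected' : 'accepted');
```

Two design points worth noting: the token id is the lookup key so the secret itself is never used in a database query, and the secret is compared only through its hash with `hash_equals()`, which means a leaked table of stored hashes does not yield usable tokens and a revoked token is refused without the server ever needing the plaintext again.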
This was actually implemented in PR https://github.com/mantisbt/mantisbt/pull/685
MantisBT: master d0b11412 2015-12-05 20:48
Merge pull request 0000685 from vboctor/Issue17766_access_tokens_2
Use API tokens instead of user passwords for API auth
Affected Issues: 0017766

mod - account_page.php
mod - admin/schema.php
mod - api/soap/mc_api.php
add - api_token_create.php
add - api_token_revoke.php
add - api_tokens_page.php
add - core/api_token_api.php
mod - core/authentication_api.php
mod - core/constant_inc.php
mod - core/html_api.php
mod - css/default.css
mod - docbook/Admin_Guide/en-US/Page_Descriptions.xml
mod - lang/strings_english.txt
MantisBT: master 73f2cf8c 2016-05-16 09:29 Committer: dregad
Add account menu in api tokens page
Add the account menu to the API tokens manage page (this page is one of the items in that menu). Now the layout is consistent with the other account manage pages. API tokens page was originally implemented in issue 0017766.
Fixes 0020943
Affected Issues: 0017766, 0020943

mod - api_tokens_page.php