View Issue Details

ID: 0017766
Project: mantisbt
Category: api soap
View Status: public
Last Update: 2016-05-24 06:49
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.18
Fixed in Version: 1.3.0-rc.1
Summary0017766: Access Tokens instead of Passwords
Description

It is pretty common for services to provide a way for users to issue and revoke tokens that can be used to access all data in the service or even a subset of it. Examples include:

  • gmail.com - I use it with two factor auth, maybe also available otherwise
  • outlook.com - same.
  • github.com - personal access tokens

If we support generating, storing and revoking such tokens, then we can use such tokens for login via the SOAP API rather than using the user password.

Ideally OAuth would be used, but even though some of the above services support OAuth, they still support access token for integrations with protocols and apps that don't support it.

OAuth and such tokens provide the ability to allow access yet limit what the user can do. For example, a read-only access token vs. read-write. Or "report issue" vs. "read issues" and so on. We don't have to start there, but it is possible to have N kinds of tokens or N token capabilities. See attached example screenshot from GitHub.

Tags: No tags attached.
Attached Files

Relationships

related to 0020443 (closed, dregad): New 'api_token' table does not have standard options
related to 0020472 (closed, dregad): New 'api_token' table columns are not defined in standard way
related to 0020943 (closed, cproensa): Account menu missing from API tokens manage page

Activities

dregad (developer), 2014-10-15 03:57, note ~0041586

Sounds like a potentially useful feature - I never liked the approach of having to send user+pw for each SOAP request - it's cumbersome, and not secure if the backend is not using SSL

vboctor (manager), 2015-11-14 11:57, note ~0051842

I'm considering implementing this. Here is the approach I'm going to use:

  • Create a new field in the users table that contains the token.
  • Token is shown in the user's account_page.php page.
  • Token can be revoked and a new one is generated via the user's account page.
  • Token is not affected by users' change of password or any other user information.
  • SOAP API enables login with username + token where token is supplied in the password field.
  • SOAP API enables login with username + empty password where token is supplied in authentication header.
  • Any preferences for generating the token? e.g. SHA256 based on salt + some user fields + random -- or something else? @dregad, you usually have preferences here.
  • If token is empty, then it is disabled.

What happens to existing users?

  • First time they go to the my account page, a token is generated and saved.

What won't be included:

  • OAuth
  • Multiple tokens and what each token is used for.
  • Restricted access per token
  • Passing the username in the header as well.

Note that the API will continue to be compatible with old / new authentication models.
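
To make the scheme in the list above concrete, the following is an added illustration written for this page (it is not MantisBT's own api_token_api.php, and it is in Python rather than the project's PHP) of the server side: a token generated from the CSPRNG whose hash, not the token itself, is stored next to the user; an authentication check that tries the token before falling back to the password, because both arrive in the same SOAP password field; a second login form with an empty password and the token in an authentication header; and revocation by clearing the stored hash so that an empty value means "disabled". The `Bearer <token>` header format, the 32-byte token length, PBKDF2 for password storage and the `UserStore` API are all assumptions of this example; the comment above leaves the header format and the token derivation open.

```python
"""Added illustration of the token-auth design discussed above; not MantisBT code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_BYTES = 32        # assumption: 256 bits of CSPRNG output per token
PBKDF2_ROUNDS = 100_000  # assumption: password stretching cost


@dataclass
class User:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    token_hash: str = ""   # empty string == no token issued / token revoked


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _token_hash(token: str) -> str:
    # The token already carries 256 bits of entropy, so an unsalted, unstretched
    # SHA-256 is enough to make a leaked database column useless to an attacker.
    return hashlib.sha256(token.encode()).hexdigest()


class UserStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _password_hash(password, salt))

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.pw_salt = secrets.token_bytes(16)
        user.pw_hash = _password_hash(new_password, user.pw_salt)
        # token_hash is deliberately untouched: a password change does not revoke the token

    def issue_token(self, username: str) -> str:
        """Generate a fresh token, keep only its hash, return the plaintext once.
        Any previously issued token stops working (single token per user)."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.users[username].token_hash = _token_hash(token)
        return token

    def revoke_token(self, username: str) -> None:
        self.users[username].token_hash = ""

    def authenticate(self, username: str, secret: str):
        """Return "token", "password" or None. `secret` is whatever the client put
        in the SOAP password field, so the token is tried first, then the password."""
        user = self.users.get(username)
        if user is None:
            _password_hash(secret, b"\x00" * 16)  # burn the same time for unknown users
            return None
        if user.token_hash and hmac.compare_digest(user.token_hash, _token_hash(secret)):
            return "token"
        if hmac.compare_digest(user.pw_hash, _password_hash(secret, user.pw_salt)):
            return "password"
        return None

    def login(self, username: str, password_field: str, authorization: str = None):
        """Model the two SOAP login forms: secret in the password field, or an empty
        password with the token in an auth header (assumed form "Bearer <token>").
        In header mode only a token is accepted, never a password."""
        if password_field == "" and authorization:
            scheme, _, token = authorization.partition(" ")
            if scheme.lower() != "bearer" or not token:
                return None
            return "token" if self.authenticate(username, token) == "token" else None
        return self.authenticate(username, password_field)
```

On the open question of how to generate the token: mixing salt and user fields into a SHA-256 adds nothing once the input already contains enough CSPRNG output, and it risks a weak token if the random part is short, so the example uses pure random bytes and reserves hashing for the stored copy. The constant-time comparison matters because the token path is tried on every login, including password logins, so a plain string compare would leak a prefix match of the stored hash one byte at a time.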

vboctor (manager), 2015-11-14 11:57, note ~0051843

Reminder sent to: atrol, dregad, rombert

What are your thoughts on this SOAP API authentication change?

rombert (reporter), 2015-11-20 08:40, note ~0051908

Overall looks good to me. I wonder why you don't plan to include 'Passing the username in the header as well.' ? Using HTTP basic auth including username+password or username+token would be a nice addition.

vboctor (manager), 2015-11-21 00:34, note ~0051910

Sounds good @rombert. I was thinking about using headers for username + token. But even supporting the username + password case is a good idea too.

dregad (developer), 2015-11-23 06:24, note ~0051916

PR https://github.com/mantisbt/mantisbt/pull/681

dregad (developer), 2016-05-18 07:08, note ~0053180

This was actually implemented in PR https://github.com/mantisbt/mantisbt/pull/685

Related Changesets

MantisBT: master d0b11412

2015-12-05 20:48

vboctor (admin)

Merge pull request #685 from vboctor/Issue17766_access_tokens_2

Use API tokens instead of user passwords for API auth
Affected Issues
0017766
mod - account_page.php
mod - admin/schema.php
mod - api/soap/mc_api.php
add - api_token_create.php
add - api_token_revoke.php
add - api_tokens_page.php
add - core/api_token_api.php
mod - core/authentication_api.php
mod - core/constant_inc.php
mod - core/html_api.php
mod - css/default.css
mod - docbook/Admin_Guide/en-US/Page_Descriptions.xml
mod - lang/strings_english.txt

MantisBT: master 73f2cf8c

2016-05-16 09:29

cproensa

Committer: dregad

Add account menu in api tokens page

Add the account menu to the API tokens manage page (this page is one
of the items in that menu). Now the layout is consistent with the
other account manage pages.

API tokens page was originally implemented in issue 0017766

Fixes 0020943
Affected Issues
0017766, 0020943
mod - api_tokens_page.php