View Issue Details

ID: 0033489
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2024-06-28 06:08
Reporter: keessonnema
Assigned To:
Priority: normal
Severity: trivial
Reproducibility: N/A
Status: new
Resolution: open
Product Version: 2.26.0
Summary: 0033489: User authentication using REST API in different web applications (for example, a Symfony web app)
Description

I asked this question a few years ago, but it wasn't as well thought through back then.

We are working on a tool to improve the quality of bug reports we get from clients. We created a report-page with a 5W1H-like form in a Symfony application.

My question is whether MantisBT supports (or will in future support) an authentication method to log in to another web application using MantisBT user credentials (from the MantisBT database). The REST API would in my opinion be a good starting point to add authentication (using the generated token to handle issues).

At the moment I don't know how to get the username or token of a user who is logged in to MantisBT but needs to fill in the 5W1H report form.

Our application consists of 500 active users and a way to implement our own report-page using the REST API would be ideal.

I'm open to suggestions and/or discussion about this topic, as I don't know if something like this is possible. I'm not super familiar with (O)Auth or LDAP auth, so I don't fully understand how this could work. I am, however, a PHP developer, so technical discussions aren't a problem.

Additional Information

Using MantisBT 2.26.0

Tags: No tags attached.

Relationships

related to 0032245 (closed, vboctor): REST API for creating API tokens for users
related to 0011219 (acknowledged): Provide OAuth inter-application authentication "tokens" mechanism

Activities

dregad (developer), 2024-01-10 04:01, note ~0068441

The REST API only supports Tokens authentication.

In 2.26.0, we introduced new endpoints to manage user tokens (see 0032245 and the documentation), but the /users/me/token endpoint actually requires a Token, so the snake is biting its own tail.

Consuming /users/:user_id/token with a privileged service account may be an alternative to create a user-specific token, but that does not let you authenticate and validate the user's password for an SSO scenario (assuming you need them to log in to your bug report app with their MantisBT credentials).

The legacy SOAP API works with User/Password auth, so you may be able to leverage that somehow.

For a different, more hackish way of doing things, you could also try to use the MantisBT session cookie via the core API functions, which is how the DokuWiki integration was implemented for this tracker (see https://github.com/mantisbt/dokuwiki-plugin-authmantis).

There is also a long-standing request 0011219 to introduce OAuth authentication but that is not going anywhere soon.

Hope this helps.

keessonnema (reporter), 2024-06-28 06:08, note ~0069014

I ended up creating a MantisBT plugin that extends the REST API and adds a "validate user" endpoint.
My web app has a login form where users fill in their MantisBT credentials. After form submit, the validate user endpoint is called to verify the user using what's already available in MantisBT.
After success the user is authenticated and a token is automatically generated if there's none yet.

This works for us, but I'd like to improve on it.

As a hackish SSO method I use the validate endpoint again to verify the cookie hash (of the logged-in user); if this returns true, the user is logged in automatically to my web app when coming from MantisBT (I added a link from Mantis to my web app).
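The following sketch, added here as an illustration and not the reporter's plugin nor code from the MantisBT project, shows what a plugin-provided "validate user" REST endpoint of the kind described in the two notes above could look like, covering both the username/password path (dregad's point that the stock REST API cannot check a password) and the session-cookie path used for the hackish SSO. The plugin name ValidateUser, the /validate route, the JSON field names (username, password, cookie), the token name report-app and the choice of manage_user_threshold as the gate for callers are assumptions of this example. The core functions it calls (user_get_id_by_name, auth_does_password_match, user_get_id_by_cookie, user_is_enabled, api_token_create, access_has_global_level, plugin_route_group) are the MantisBT 2.x core API functions as the author of this example knows them; check them against the core/*_api.php files of the version you run, and check whether api_token_create in your version refuses duplicate token names, because the example does not itself look for an existing token. Note also that the request still has to get past the REST authentication middleware before this route runs, so the calling application presents its own service-account token in the Authorization header, and that this endpoint is, by design, a password oracle, which is why it refuses callers below the configured threshold and returns the same 401 for an unknown user, a wrong password and a bad cookie.

```php
<?php
// Added example (hypothetical plugin), not the issue reporter's code and not MantisBT core.
// Install as plugins/ValidateUser/ValidateUser.php; the route becomes
// POST /api/rest/plugins/ValidateUser/validate (path assumed from plugin_route_group()).

class ValidateUserPlugin extends MantisPlugin {
	function register() {
		$this->name        = 'ValidateUser';
		$this->description = 'Validate MantisBT credentials or a session cookie for an external app (example)';
		$this->version     = '0.1';
		$this->requires    = array( 'MantisCore' => '2.26.0' );
	}

	function hooks() {
		// Assumption: EVENT_REST_API_ROUTES hands the Slim app to the plugin.
		return array( 'EVENT_REST_API_ROUTES' => 'routes' );
	}

	function routes( $p_event_name, $p_event_args ) {
		$t_app = $p_event_args['app'];
		$t_plugin = $this;
		$t_app->group( plugin_route_group(), function() use ( $t_app, $t_plugin ) {
			$t_app->post( '/validate', array( $t_plugin, 'validate' ) );
		} );
	}

	function validate( $request, $response, $args ) {
		// The caller is whoever the REST middleware authenticated (the service-account token).
		// Only let sufficiently privileged callers use this password oracle.
		if( !access_has_global_level( config_get( 'manage_user_threshold' ) ) ) {
			return $response->withStatus( 403 )->withJson( array( 'valid' => false ) );
		}

		$t_body = $request->getParsedBody();
		if( !is_array( $t_body ) ) {
			$t_body = array();
		}

		$t_user_id = false;
		if( isset( $t_body['cookie'] ) && is_string( $t_body['cookie'] ) ) {
			// SSO path: the value of the MantisBT session cookie (the cookie hash),
			// forwarded by the external app. Unknown or expired cookies give false.
			$t_user_id = user_get_id_by_cookie( $t_body['cookie'] );
		} elseif( isset( $t_body['username'], $t_body['password'] )
			&& is_string( $t_body['username'] ) && is_string( $t_body['password'] ) ) {
			// Login-form path: resolve the user, then check the password through the
			// core function so the configured login method (not just MD5) is honoured.
			$t_candidate = user_get_id_by_name( $t_body['username'] );
			if( $t_candidate !== false && auth_does_password_match( $t_candidate, $t_body['password'] ) ) {
				$t_user_id = $t_candidate;
			}
		}

		if( $t_user_id === false || !user_is_enabled( $t_user_id ) ) {
			// Identical response for unknown user, wrong password, bad cookie and disabled account,
			// so the external app cannot be used to enumerate accounts.
			return $response->withStatus( 401 )->withJson( array( 'valid' => false ) );
		}

		// Mint an API token the external app can use for issue operations on the user's behalf.
		// api_token_create returns the plaintext token once; MantisBT stores only its hash.
		// Assumption: 'report-app' is free as a token name for this user (not checked here).
		$t_token = api_token_create( $t_user_id, 'report-app' );

		return $response->withStatus( 200 )->withJson( array(
			'valid'    => true,
			'user_id'  => $t_user_id,
			'username' => user_get_username( $t_user_id ),
			'token'    => $t_token,
		) );
	}
}
```

Two design notes. First, the external app should treat the returned token like a password: store it server-side per user, never in the browser, and send it only over TLS. Second, the cookie path extends the trust the external app places in a bearer value that MantisBT issued for its own session; if you keep that path, restrict which origin may submit cookies (the link from Mantis in the reporter's setup) and consider revoking the minted token when the MantisBT session ends, since nothing in this example ties the two lifetimes together.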