Application Token
To enable easier API access for external applications we should add another authentication method using application tokens (app tokens). A user can request a new app token via API/GUI, including an expiration duration, after authenticating through one of the existing methods. The returned token can then be used to perform actions with the API.
- Use case
  - Long-living token to access the NOMAD API
  - Presented to the user only once, at creation (GUI/API)
  - Enforced expiration, user-defined but admin-limited
- Endpoint
  - `auth/app_token?expires_in=3600`
- New auth method (the other methods reuse `Authorization: Bearer <token>`)
  - Query parameter `?app_token=<token>`: rather not for long-living tokens, since query strings end up in server logs and browser history
  - Header `Authorization: Application <token>`? Usage would be identical to the `Bearer` authentication scheme, so that scheme should be used instead. App tokens may then be distinguished via a prefix, e.g. `app_<token>`.
- JWT token, cf. the signature token
  - Less verbose than Keycloak's combined id/access token
  - Alternative: opaque string
- Configuration
  - `APP_TOKEN_MAX_EXPIRE_IN`, default ~~400 d~~ 10d?
  - (`APP_TOKEN_MAX_ENTRIES`?, default 10?)
- Extensions
  - More granularity (fine-grained rights, or scopes)
  - Revocable token storage
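As an added illustration of the design above (example code written for this page, not NOMAD's own `signature_token` implementation or any existing endpoint): a self-made HS256 JWT carrying only the user id and an expiration, issued with a user-chosen `expires_in` that is capped by `APP_TOKEN_MAX_EXPIRE_IN`, returned to the caller exactly once, carried in the ordinary `Authorization: Bearer` header and recognised by an `app_` prefix, and revocable through a stored list of token ids. The class name `AppTokenService`, the `TOKEN_PREFIX` constant, the in-memory revocation set, the `jti` claim and the injectable clock are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical names for this example; the draft above only names the setting
# APP_TOKEN_MAX_EXPIRE_IN (default 10d) and the idea of an "app_" prefix.
APP_TOKEN_MAX_EXPIRE_IN = 10 * 24 * 3600   # admin-limited cap, in seconds
TOKEN_PREFIX = "app_"                      # lets one Bearer header carry both token kinds


def _b64(raw: bytes) -> str:
    """Unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AppTokenService:
    """Issue, verify and revoke self-made HS256 app tokens (user id + expiry, like the signature token)."""

    def __init__(self, secret: bytes, max_expires_in: int = APP_TOKEN_MAX_EXPIRE_IN, now=time.time):
        self._secret = secret
        self._max_expires_in = max_expires_in
        self._now = now                  # injectable clock so expiry can be tested
        self._revoked: set[str] = set()  # stand-in for the "revocable token storage" extension

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self._secret, signing_input.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, expires_in: int) -> str:
        """Handle auth/app_token?expires_in=...: user-chosen lifetime, capped by the admin setting."""
        if expires_in <= 0 or expires_in > self._max_expires_in:
            raise ValueError(f"expires_in must be in 1..{self._max_expires_in} seconds")
        now = int(self._now())
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": user_id, "iat": now, "exp": now + expires_in, "jti": secrets.token_hex(16)}
        signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
        # The token is shown once; the server keeps no copy, only (later) the jti values it revoked.
        return TOKEN_PREFIX + signing_input + "." + _b64(self._sign(signing_input))

    def verify(self, token: str) -> dict:
        """Return the payload of a valid, unexpired, unrevoked app token; raise ValueError otherwise."""
        if not token.startswith(TOKEN_PREFIX):
            raise ValueError("not an app token")
        try:
            header_b64, payload_b64, sig_b64 = token[len(TOKEN_PREFIX):].split(".")
            signature = _unb64(sig_b64)
        except ValueError:
            raise ValueError("malformed app token") from None
        # Check the MAC in constant time before parsing anything attacker-controlled.
        if not hmac.compare_digest(self._sign(f"{header_b64}.{payload_b64}"), signature):
            raise ValueError("bad signature")
        if json.loads(_unb64(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        payload = json.loads(_unb64(payload_b64))
        if payload["exp"] <= self._now():
            raise ValueError("expired")
        if payload["jti"] in self._revoked:
            raise ValueError("revoked")
        return payload

    def revoke(self, token: str) -> None:
        """Blocklist a still-valid token's jti; a stateless JWT cannot be withdrawn any other way."""
        self._revoked.add(self.verify(token)["jti"])


def authenticate_bearer(service: AppTokenService, authorization: str):
    """Dispatch one Authorization header: app_ prefix -> app token, anything else -> Keycloak bearer."""
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() != "bearer" or not value:
        return None
    if value.startswith(TOKEN_PREFIX):
        return ("app_token", service.verify(value)["sub"])
    return ("bearer_token", None)   # would be handed to the existing Keycloak JWT check
```

Because the token itself is never stored, "revocable token storage" only needs the small `jti` blocklist, which is the same trade-off the linked refresh-token opinion makes: the stateless part stays cheap to check, while revocation is a lookup against server-side state.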
Thoughts
Currently, we appear to be looking for a Personal Access Token that impersonates a user rather than a dedicated App Token.
There are already several auth dependencies:
- `basic_auth`: username and password
- `bearer_token`: more precisely, Keycloak's OAuth JWT
- `upload_token`: persistent, via user id
- `signature_token`: simple, self-made JWT; contains only the user id and an expiration time
So we already use three different auth sources: Keycloak and two self-made solutions.
Links
- Auth Tokens at GitHub
- Token overview at GitLab
- Best practices for API access
- MDN Web Docs: HTTP Authentication
- Opinion: Short-lived JWT, long-lived opaque refresh token
  - The refresh token is allowed to be long-lived since the new short-lived access token has to be fetched from the server, where access rights and revocations can be checked.
Edited by Sascha Klawohn