Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add minimal apptokens feature #767

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

add minimal apptokens feature #767

wants to merge 1 commit into from

Conversation

butonic
Copy link
Member

@butonic butonic commented Oct 11, 2024
edited by wkloucek
Loading

Fixes #707

This PR adds a minimal app tokens feature:

  • External services can use the bearer tokens to make requests on external endpoints, eg. to create storage spaces and manage space membership.

  • For security reasons, bearer tokens can only be generated by the admin on the CLI, token generation via the web api is not enabled.

  • Use this only for services under your control. The generated tokens are not scoped and can execute any actions permitted by the associated user.

  • Allow users to generate app tokens for other clients is tracked in Personal token for API access in third-party tools ocis#7711

@butonic butonic self-assigned this Oct 11, 2024
@butonic butonic force-pushed the apptokens branch 3 times, most recently from b42d79d to ec4452d Compare October 11, 2024 14:29
@butonic butonic marked this pull request as ready for review October 11, 2024 14:49
wkloucek
wkloucek requested changes Oct 14, 2024
View reviewed changes
Copy link
Contributor

@wkloucek wkloucek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are app tokens a production ready product feature nowadays?

And if so, what's the reasoning behind this:

For security reasons, bearer tokens can only be generated by the admin on the CLI, token generation via the web api is not enabled.

Why would we do a hardcoded change of the oCIS product default in AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN ?

Why does this service need another PVC? Even if it was to store data, shouldn't it use either the micro store interface or the storage-system storage!?

@butonic
Copy link
Member Author

butonic commented Oct 14, 2024
edited
Loading

Are app tokens a production ready product feature nowadays?

Partly. Enabling external services to use the graph api requires a token that does not need human interaction. @tbsbdr @dragotin how do we continue with this? @wkloucek is there a way to mark a feature as experimental?

And if so, what's the reasoning behind this:

For security reasons, bearer tokens can only be generated by the admin on the CLI, token generation via the web api is not enabled.

Why would we do a hardcoded change of the oCIS product default in AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN ?

I'll revert that

Why does this service need another PVC? Even if it was to store data, shouldn't it use either the micro store interface or the storage-system storage!?

🤔 hm, good point. The only implementation currently writes to disk. I'll look into a store backed implementation.

@wkloucek
Copy link
Contributor

wkloucek commented Oct 14, 2024
edited
Loading

@wkloucek is there a way to mark a feature as experimental?

No, the oCIS chart is intended for production installations only. (with a few exceptions like IDP, IDM, NATS service. Therefore we issue scary warnings in https://github.com/owncloud/ocis-charts/blob/main/charts/ocis/templates/NOTES.txt if you use the builtin ones.)

But in general I'd like to keep out experimental stuff, since the main branch goes straight to production because of the lack of releases of the oCIS chart...

NOTE: we recently even removed the basic auth service because it is obviously not production ready.

@butonic butonic mentioned this pull request Oct 14, 2024
Closed
@wkloucek
Copy link
Contributor

From owncloud/ocis#10292 I understood that it's not yet production ready!?

Therefore setting to draft state.

@wkloucek wkloucek marked this pull request as draft October 16, 2024 05:21
@butonic
add minimal apptokens feature
18e4d78 
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
@micbar
Copy link
Contributor

micbar commented Nov 18, 2024

@wkloucek The productisation has happened, Ticket owncloud/ocis#10292

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wkloucek wkloucek wkloucek requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@butonic butonic

Labels
None yet
Projects
Infinite Scale Team Board
Status: In progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

add service auth-app
3 participants
@butonic @wkloucek @micbar