Last active
October 31, 2018 07:06
-
-
Save bdpiprava/c069d445c1abc8b984de670efbe6eff2 to your computer and use it in GitHub Desktop.
API token
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is api tokens doc |
Get all tokens
Request
curl -X GET 'http://localhost:8153/go/api/tokens' \
-u 'admin:badger' \
-H 'Accept: application/vnd.go.cd.v1+json'
Response
{
"_links": {
"doc": {
"href": "https://api.gocd.org/current/#api-access-token"
},
"find": {
"href": "http://test.host/go/api/tokens/:token_id"
},
"self": {
"href": "http://test.host/go/api/tokens"
}
},
"_embedded": {
"tokens": [
{
"_links": {
"doc": {
"href": "https://api.gocd.org/current/#api-access-token"
},
"find": {
"href": "http://test.host/go/api/tokens/:token_id"
},
"self": {
"href": "http://test.host/go/api/tokens/PersonToken"
}
},
"description": "Personal Token",
"expires_at": 987654321,
"name": "PersonToken"
},
{
"_links": {
"doc": {
"href": "https://api.gocd.org/current/#api-access-token"
},
"find": {
"href": "http://test.host/go/api/tokens/:token_id"
},
"self": {
"href": "http://test.host/go/api/tokens/WorkToken"
}
},
"description": "Token for work only",
"expires_at": 876543219,
"name": "WorkToken"
}
]
}
}
Create a token
Request
curl -X POST 'http://localhost:8153/go/api/tokens/generate' \
-u 'admin:badger' \
-H 'Accept: application/vnd.go.cd.v1+json' \
-H 'Content-Type: application/json' \
-d '{
"name": "Personal",
"expires_in_hours": "4"
}'
Response
83D1BDC521E44CC9A8905EBF9459A75B
Get a token
Request
curl -X GET 'http://localhost:8153/go/api/tokens/PersonToken' \
-u 'admin:badger' \
-H 'Accept: application/vnd.go.cd.v1+json'
Response
83D1BDC521E44CC9A8905EBF9459A75B
Get a token info
Request
curl -X GET 'http://localhost:8153/go/api/tokens/PersonToken/info' \
-u 'admin:badger' \
-H 'Accept: application/vnd.go.cd.v1+json'
Response
{
"_links": {
"self": {
"href": "http://test.host/go/api/tokens/PersonToken"
},
"doc": {
"href": "https://api.gocd.org/current/#api-access-token"
},
"find": {
"href": "http://test.host/go/api/tokens/:token_id"
}
},
"name": "PersonToken",
"description": "Personal Token",
"expires_at": 987654321
}
Delete a token
curl -X DELETE 'http://localhost:8153/go/api/tokens/PersonToken' \
-u 'admin:badger' \
-H 'Accept: application/vnd.go.cd.v1+json'
Response
{
"message": "Token successfully deleted."
}
-
If they have an existing token, can they use that token, instead of basic auth, to create a token? No, for security reasons? Explicitly allowed/disallowed?
-
You were saying super admins can get token info from all users. So, the token info call's response should include something like
owner
? -
expires_in_hours
seems imprecise.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Access Token for GOCD APIs
Currently, API clients send username and password with every API request for authentication. We want to provide an alternative to this authentication method in the form of the access token.
An access token will be used for both authentication and authorization of the client.
Stateless
This type of token will have all the information self-contained and state of this kind of tokens are not stored on server.
Here is the structure of the stateless token
We looked at stateless tokens for our use cases and found that they are not suitable for various reasons.
Above all points makes it clear that stateless token is not suitable for auditing as well. Once you generate the token it will be valid till it expires.
Stateful tokens
GoCD server will keep track of tokens in db, information like user associated with the token, claims of the token and expiry.
We have two approaches to generate the stateful token -
Simple access token
This is simple to implement as it inherits all the access from the associated user. API call made with this kind of token will resolve the user and sets it as current user in GoCD this way existing authorization works OOTB.
Token with explicit granular authorization
The token self-contains the granular access over resources. A user can give a subset of his access to the generated token.
If we take this road it will be little time consuming since we don't have infrastucture supporting granular access.
It answers following questions -
Ignore following stuff
Token generation through API
Client sends an request to an endpoint to acquire access token, along with the authentication credentials it also sends bunch of authorization that it would like to have for this token, e.g.
Permission to operate on Pipeline1
:Server will authenticate the client using credentials and read authorization claims and if that user is allowed to have requested authorization then a token will be generated and returned to the client.
In subsequent API requests, client now can send acquired token instead of user credentials
Advantages of token over tradiotional authentication:
Disadvantages:
Json Web Token
Json web token has following form:
Header
{
“alg” : “HS256",
“typ” : “JWT”
}
.
{
“loggedInAs” : “admin”,
“iat” : 1422779638
}
.
HMAC-SHA256(
encodeBase64Url(header) + ‘.’ +
encodeBase64Url(payload),
secret
)'
asdasdasd.sdasdasdasd.asdasdasd
Types of token to consider
All token can have authorization on it:
Basic authorization
Advanced authorization
User scenarios:
A token generated here will have authorization included in token itself and that makes it stateless. As long as token is with user and is not expired user can use it to make subsequent api calls
Here, token is generated by the user, for auditing purpose it should log all actions against username of authenticated user.
Client authenticates using following request
Client receives token on successful authentication:
Client then will make use of acquired token with every subsequent request
We are considering following alternatives for generating token:
Questions:
Get token using API with
username:password
UI generated token
userA => asdiajdisjdijasd => all:PipelineB
1 Jan
Api(token) -> Authentication(token) -> check for validity ->
controller(is adming, isgroupadmin) -> services -> return
1
-> ajdasdiajsd
-> {
access: [“pipeline:operate”, “pipeline:view”]
access:
/go/api/pipelines/pipelin1/schedule
{
claims:
}