Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

Documentation: Lacking description of token auth flow #2307

Open betterthanever2 opened 3 months ago

betterthanever2 commented 3 months ago

Describe the bug

Documentation on Universal Auth (https://infisical.com/docs/documentation/platform/identities/universal-auth) ends with the section "Accessing the Infisical API with the identity", where one can see an example of a request.

Documentation on Token Auth (https://infisical.com/docs/documentation/platform/identities/token-auth) also ends with "Accessing the Infisical API with the identity", but this one contains no useful information.

I'm trying to set up an app via machine identity and token auth, and I'm about to start pulling my hair out, as I keep getting "It looks you have not yet connected this project to Infisical" no matter what.

I have set INFISICAL_MACHINE_IDENTITY_CLIENT_ID and INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET because nothing else is mentioned in any other guides. I tried renaming client_secret to access_token (i.e. INFISICAL_MACHINE_IDENTITY_ACCESS_TOKEN), but this didn't work either.

Maybe I missed something in the docs? I looked all over, but it's possible. Please, tell me how this secret should be called, I'm getting desperate!

Platform you are having the issue on:

Ubuntu 24, self-hosted via Docker

akhilmhdh commented 3 months ago

I think token auth is not yet supported in the CLI.

CC: @dangtony98

betterthanever2 commented 3 months ago

@akhilmhdh

Since this functionality is not yet available, I'm trying to set up universal auth, and to my dismay, I'm getting the same old "It looks you have not yet connected ..." even though I followed the Docker Compose tutorial (https://infisical.com/docs/integrations/platforms/docker-compose) to the letter, meaning:

Here's my compose file:

services:
  ave-media:
    image: registry.domain/project-repo:ave-media
    container_name: ave-media
    command: infisical run --projectId <project_id_set_explicitly> -- python ave_media/core.py
    env_file: .env
    environment:
      INFISICAL_MACHINE_IDENTITY_CLIENT_ID: ${CLIENT_ID}
      INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET: ${CLIENT_SECRET}
      INFISICAL_API_URL: ${API_URL}
    ports:
      - 50811:8800
    pull_policy: always
    restart: on-failure

It is a little confusing that in the section of the docs describing Universal Auth (https://infisical.com/docs/documentation/platform/identities/universal-auth), even though it's about a machine identity (i.e. supposed to be used by applications), it says that

To access the Infisical API as the identity, you should first perform a login operation that is to exchange the Client ID and Client Secret of the identity for an access token by making a request to the /api/v1/auth/universal-auth/login endpoint.

Does this hold for Docker setups? I don't understand why it's not working. Should I make a login request somehow?
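One way to answer the "should I make a login request somehow?" question is to perform the login the docs describe by hand, from inside the same container and with the same environment variables the CLI is given. The script below is an added example, not Infisical's own code and not part of the original thread. Confirmed by the docs quoted above: a POST to /api/v1/auth/universal-auth/login exchanges the identity's Client ID and Client Secret for an access token. Everything else is an assumption that may need adjusting to your server version: the request body keys "clientId"/"clientSecret", the response fields "accessToken"/"expiresIn", the secrets endpoint GET /api/v3/secrets/raw with a Bearer header, and the INFISICAL_PROJECT_ID / INFISICAL_ENV variable names used only by this script. The HTTP transport is injectable so the request/response handling can be exercised offline.

```python
"""Manual Universal Auth login against a (self-hosted) Infisical API.

Added example; not Infisical's code. Only the login endpoint path comes from
the docs quoted in this thread. Body/response field names, the secrets
endpoint and the INFISICAL_PROJECT_ID / INFISICAL_ENV names are assumptions.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status, raw_bytes).
# Injectable so the logic can be tested without a server.
Http = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_http(method: str, url: str, headers: Dict[str, str],
                body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport using the standard library (no third-party deps)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # non-2xx still carries a JSON body
        return e.code, e.read()


def login_url(api_url: str) -> str:
    """Build the login URL; tolerate a trailing slash in INFISICAL_API_URL."""
    return api_url.rstrip("/") + "/api/v1/auth/universal-auth/login"


def universal_auth_login(api_url: str, client_id: str, client_secret: str,
                         http: Http = urllib_http) -> Tuple[str, int]:
    """Exchange Client ID / Client Secret for an access token.

    Returns (access_token, expires_in_seconds). Raises RuntimeError on any
    non-200 status or a response without an access token, so a wrong API URL
    (e.g. the CLI-ignores-INFISICAL_API_URL problem) or a bad identity fails
    loudly instead of silently.
    """
    # Assumed body keys: clientId / clientSecret.
    body = json.dumps({"clientId": client_id, "clientSecret": client_secret}).encode()
    status, raw = http("POST", login_url(api_url),
                       {"Content-Type": "application/json"}, body)
    if status != 200:
        raise RuntimeError(f"login failed: HTTP {status}: {raw[:200]!r}")
    data = json.loads(raw)
    token = data.get("accessToken")  # assumed response field
    if not token:
        raise RuntimeError("login response carries no accessToken")
    return token, int(data.get("expiresIn", 0))  # assumed response field


def fetch_raw_secrets(api_url: str, token: str, workspace_id: str,
                      environment: str, secret_path: str = "/",
                      http: Http = urllib_http) -> Dict[str, str]:
    """Read secrets as the identity (assumed endpoint: GET /api/v3/secrets/raw)."""
    from urllib.parse import urlencode
    query = urlencode({"workspaceId": workspace_id, "environment": environment,
                       "secretPath": secret_path})
    url = api_url.rstrip("/") + "/api/v3/secrets/raw?" + query
    status, raw = http("GET", url, {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        raise RuntimeError(f"secret fetch failed: HTTP {status}: {raw[:200]!r}")
    # Assumed shape: {"secrets": [{"secretKey": ..., "secretValue": ...}, ...]}
    return {s["secretKey"]: s["secretValue"] for s in json.loads(raw).get("secrets", [])}


if __name__ == "__main__":
    # Same variables the compose file above hands to the CLI.
    api = os.environ["INFISICAL_API_URL"]
    tok, ttl = universal_auth_login(
        api,
        os.environ["INFISICAL_MACHINE_IDENTITY_CLIENT_ID"],
        os.environ["INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET"],
    )
    print(f"login ok, token valid for {ttl}s")
    # INFISICAL_PROJECT_ID / INFISICAL_ENV are names assumed by this script only.
    secrets = fetch_raw_secrets(api, tok, os.environ["INFISICAL_PROJECT_ID"],
                                os.environ.get("INFISICAL_ENV", "dev"))
    print("secret keys:", sorted(secrets))  # print names only, never values
```

Running this inside the container (docker compose exec ave-media python3 login_check.py) separates the two failure modes in this thread: if the POST shows up in the reverse-proxy log and returns 200, the identity and INFISICAL_API_URL are fine and the problem is the CLI; if it returns 401/403 the identity's Client ID/Secret or its project access is wrong; if it never reaches the proxy, the URL or network is wrong.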

betterthanever2 commented 3 months ago

@dangtony98 do you have any insight into how this is supposed to work?

victorshevtsov commented 1 month ago

It looks like the issue is similar to #2407 and the CLI does not respect the --domain flag and the INFISICAL_API_URL env var for self-hosted instances. I don't see any requests in the NGINX logs when using the Machine Identity approach. The CLI just shows the error:

It looks you have not yet connected this project to Infisical

The bad thing is that the approach is marked as Recommended but it looks like it doesn't work.

Self-hosted Infisical: v0.83.0-postgres
Infisical CLI: tried with 0.31.1, 0.31.0 and 0.30.0

betterthanever2 commented 1 month ago

The bad thing is that the approach is marked as Recommended but it looks like it doesn't work.

Absolutely. That is what keeps bothering me. Makes me uncertain about the future of Infisical.