NLnetLabs / krill

RPKI Certificate Authority and Publication Server written in Rust
https://nlnetlabs.nl/projects/routing/krill/
Mozilla Public License 2.0

Feature request: temporary API auth token #804

Open racompton opened 2 years ago

racompton commented 2 years ago

Please implement a feature where a user can authenticate to the API using user/pass and then obtain a temporary auth token to use for that session. This will allow centralized authentication for API calls instead of using the static auth token defined in the config file.

ximon18 commented 2 years ago

This I believe relates to this point from the Krill developer docs:

NOTE: Login with distinct identities is only supported via Lagosta. The /auth/ HTTP endpoints involved are not documented as part of the Krill REST API. Technically a client could POST to them to login and get back a bearer token which could then be used with the REST API, either directly or via krillc, but it would be cumbersome to do. Proper support for clients with limited interaction capabilities to authenticate with distinct identities should probably be implemented in terms of the OAuth 2.0 Device Authorization Grant.

ximon18 commented 2 years ago

@racompton: PRs are welcome!

ximon18 commented 2 years ago

Related links:

ximon18 commented 2 years ago

Note that Krill already supports authentication based on a temporary token, there's just no easy way to use it except via the web UI. Any work done in this area should not just affect the Krill API but should also update krillc to support authentication with user specific credentials or via an OIDC login server instead of using the master API token. The benefit of using the device flow is that it doesn't require that the user give Krill their credentials, instead they give them to the OIDC server. Passing username/password to Krill itself should be avoided where possible.
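The comment above recommends the OAuth 2.0 Device Authorization Grant (RFC 8628) so that a non-interactive client such as krillc never sees the user's password: the user authenticates at the identity provider, and the client only ever receives a short-lived bearer token. The following is an added, self-contained model of that exchange written for this thread; it is not Krill or krillc code. The `MockAuthServer`, the `krillc` client id, the `https://idp.example/device` URI and the subject `alice@example.net` are all constructed for the example, and the in-memory server stands in for an OIDC provider so the flow runs offline.

```python
"""Offline model of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Two parties: the authorization server (here an in-memory mock) and a
limited-input client (think krillc) that cannot open a browser itself.
The client never handles the user's credentials; it only polls for a token.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class DeviceRecord:
    client_id: str
    user_code: str
    expires_at: float
    interval: int
    last_poll: float = -1e9        # far in the past: first poll is always allowed
    approved: bool = False
    subject: Optional[str] = None


class MockAuthServer:
    """Constructed stand-in for an OIDC/OAuth 2.0 server; not a real product."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 interval: int = 5, lifetime: int = 600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.pending: Dict[str, DeviceRecord] = {}
        self.tokens: Dict[str, str] = {}          # access_token -> subject

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """RFC 8628 section 3.2: hand the client a device_code and a user_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = DeviceRecord(
            client_id, user_code, self.clock() + self.lifetime, self.interval)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",   # constructed
                "expires_in": self.lifetime, "interval": self.interval}

    def user_approves(self, user_code: str, subject: str) -> None:
        """The human side: after logging in at verification_uri, the user enters user_code.
        The password is given to this server, never to the polling client."""
        for rec in self.pending.values():
            if rec.user_code == user_code:
                rec.approved, rec.subject = True, subject
                return
        raise KeyError("unknown user_code")

    def token(self, grant_type: str, device_code: str, client_id: str) -> dict:
        """RFC 8628 section 3.4/3.5: token endpoint polled by the client."""
        rec = self.pending.get(device_code)
        if grant_type != DEVICE_GRANT or rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec.expires_at:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - rec.last_poll < rec.interval:
            rec.last_poll = now
            return {"error": "slow_down"}          # client must add 5s to its interval
        rec.last_poll = now
        if not rec.approved:
            return {"error": "authorization_pending"}
        del self.pending[device_code]             # device codes are single-use
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = rec.subject
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}


def run_device_flow(server: MockAuthServer, client_id: str, scope: str,
                    sleep=time.sleep, clock=time.monotonic,
                    on_prompt: Callable[[dict], None] = print) -> dict:
    """Client side: show the user where to go, then poll until a token arrives."""
    resp = server.device_authorization(client_id, scope)
    on_prompt(resp)                               # e.g. "visit <uri> and enter <user_code>"
    interval, deadline = resp["interval"], clock() + resp["expires_in"]
    while clock() < deadline:
        sleep(interval)
        tok = server.token(DEVICE_GRANT, resp["device_code"], client_id)
        if "access_token" in tok:
            return tok
        err = tok.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5                         # RFC 8628 section 3.5 back-off rule
            continue
        raise RuntimeError(f"device flow failed: {err}")
    raise TimeoutError("user did not approve before the device code expired")


def bearer_header(tok: dict) -> Dict[str, str]:
    """What the client would attach to subsequent REST calls instead of a static master token."""
    return {"Authorization": f"{tok['token_type']} {tok['access_token']}"}


class FakeClock:
    """Deterministic clock so the demo needs no real waiting."""
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def advance(self, s): self.t += s


def demo(approve_on_poll: int = 3):
    """Run the whole exchange; the simulated user approves during the Nth poll."""
    clock, seen, polls = FakeClock(), {}, [0]
    server = MockAuthServer(clock=clock.now)

    def sleep(seconds):
        clock.advance(seconds)
        polls[0] += 1
        if polls[0] == approve_on_poll:
            server.user_approves(seen["user_code"], "alice@example.net")   # constructed subject

    tok = run_device_flow(server, "krillc", "openid", sleep=sleep,
                          clock=clock.now, on_prompt=seen.update)
    return tok, polls[0], server.tokens[tok["access_token"]]


if __name__ == "__main__":
    token, polls, subject = demo()
    print(f"token for {subject} after {polls} polls; header: {bearer_header(token)}")
```

The point to notice is the trust boundary: `run_device_flow` only ever sees a `user_code`, a `device_code` and, eventually, a bearer token, while the password is presented to `MockAuthServer.user_approves` on the server's own login page. The token endpoint also enforces the polling interval (`slow_down`), single-use device codes and expiry, which is what keeps the grant from becoming an unattended credential.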

timbru commented 2 years ago

@racompton If you are considering working on a PR then please talk to us offline so that we can agree on the design level.