Closed chrismatix closed 3 years ago
maybe we should adopt https://tools.ietf.org/html/rfc6750 for Bearer token usage and https://tools.ietf.org/html/rfc7523 for JWT bearer token usage instead of using a custom header for authorization?
We should probably provide a UI for this? I think short term the easiest way out is a CLI command. But I'd also love to see this in the UI
@steffh Yes we can use rfc6750 for sure. Practically it would only mean that both the jwt and the access token get passed via the bearer auth header. rfc7523 seems unrelated unless the idea is to introduce OAuth2.0. In either case, I would move that discussion to a different ticket perhaps in the cloud repository.
@lucapette I agree. We could create a follow-up ui ticket once we remove the discussion label on this one.
@lucapette if it's ok with you I would track the UI work on a follow-up ticket with the requirements that users can set an API key in their airy.yaml
and that we check for it on the Auth bearer header.
Yes @chrismatix - I agree, also the UI for the webhooks is really undercomplex still. If it's no / almost no work to bring the old "webhook UI", we can do that of course.
In the long run we'll rather need an app management / app marketplace kind of experience there, so a place where people can manage multiple integrations instead of just one webhook.
Current state To authenticate with APIs users have to obtain a short-lived JWT token (docs), which is intended for UI use cases. However for automation use cases it is common to issue a permanent API key.
We already have a value for API keys on the webhook data model and APIs, but so far you cannot do anything with the key.
Desired state Users can generate and use an API key for interacting with all APIs.
Implementation proposal Since it's unfeasible that we can have a store for webhooks everywhere, we should remove that concept from webhooks. For a first version, it is perhaps best if we do not store the API key at all and instead generate it during bootstrapping and add it as a default variable to the
airy.yaml
file.Then users can set the API key on the
Authorization: Bearer $TOKEN
header which will be checked as in the authenticator in theJwtAuthenticationFilter
in thespring-auth
package using an environment variable from a config map.