picman
commented
3 months ago I think that you should use Redmine standard API access key instead.
Open col-panic opened 5 months ago
picman
commented
3 months ago I think that you should use Redmine standard API access key instead.
col-panic
commented
3 months ago Technically ok. But not as secure.
Why?
col-panic
commented
1 month ago Consider the following scenario. I have only openid accounts enabled, local passwords are not really set. Now I have an external script, that wants to use the Redmine API to perform some tasks.
At the moment the only possible approach is for the user to log-in via the browser and copy the API access key and paste it into my external tool. (Generally the time those redmine api tokens last is very bad. One should introduce a regular rotation of this key.)
We should at least discuss an endpoint to gather the current redmine api key by providing a valid access token for the configured openid identity provider.
col-panic
commented
1 month ago I would propose, that in addition to the authentication methods described in https://www.redmine.org/projects/redmine/wiki/rest_api#Authentication this plugin should "listen" for HTTP Header Authentication = Bearer xyyxyx.... and validate it the provided token against the given openid endpoint and/or if it is of type JWT like keycloak proposes, validates the token using the IdPs public key.
col-panic
commented
1 month ago Interesting in this aspect https://www.redmine.org/issues/41220
col-panic
commented
1 week ago I have a very interesting example, which is how I think it should work in redmine too, the following NGINX location configuration protects the calls by using the JWT access module:
location /protected {
# https://github.com/kjdev/nginx-auth-jwt
auth_jwt "closed site";
auth_jwt_key_request /jwks_uri;
set $expected_role '["protected-access"]';
auth_jwt_require_claim realm_access.roles intersect $expected_role;
}If I post something here, than only if the JWT Token is valid, and has the realm_access.role "protected-access" then it will be allowed.
This plugin should enable API calls to behave like this. It is far more secure to use a short-lived token to perform API accesses than the everlasting api key used by default in redmine. There should be even an option to disallow the api token.
These are the current authentication methods https://www.redmine.org/projects/redmine/wiki/rest_api#Authentication for the redmine api.
What is missing here, is the Auth Type "Bearer Token", which may then be an oauth2 access-token.
It might be a better approach, however, to use a JWT based validation here (like e.g. the solr jwt auth https://solr.apache.org/guide/solr/latest/deployment-guide/jwt-authentication-plugin.html) (REF https://www.redmine.org/issues/25140)