Organization API Tokens Take 2

[mrowles]

Describe the solution you'd like We would love to generate, manage and use Organization API Tokens rather than our own User API Tokens since we do a lot of AppCenter CLI work through our CI/CD.

App Tokens are not enough, as we use the token to build apps dynamically based off env etc.

Describe alternatives you've considered We have a generic user account atm who has access to the organization, but there are some security concerns.

Additional context We hopefully can use this via the CLI (request raised here): microsoft/appcenter-cli#1030 (comment)

[mrowles]

Feature raised here last year, but was auto-closed and suggested I re-raise this if we still want it: https://github.com/microsoft/appcenter/issues/1971

[wisdeom]

Thanks for your feedback. With the nature of Org API token, we'll have to evaluate the feature from different angles such as security aspects and RBAC permissions, etc. We'll look into this idea, but, unfortunately, can't guarantee to grab this work any time soon. Appreciate your feedback once again. We'll leave this open for the time being!

[mrowles]

It was actually a feature that auto closed already.

It’s generating API token to deploy apps that are apart of the same org. Isn’t it best practice? Right now we have to generate these for a single user, which is a single point of failure. If anything, there is more security concerns with user accounts, even if just generic accounts.

More than happy to help how we can, just keep us posted please :)

[ghost]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[mrowles]

I still want this, please.

[slarti-b]

My issue on the app-center-cli github has been merged here.

I'm not fully convinced that my request is exactly the same as this. It's similar, but is more limited. I do not necessarily want org-level tokens (although that would be better than user tokens for automated usage). I see the advantage in them for other use cases, but it's not my first choice of solution here. My use case is this:

• I have one or more apps on my organisation.
• I want to define some groups (e.g. "Internal Testers") at the org level, rather than repeating the setup for each app and having to keep them in sync.
• For each app I want to automate distribution, including being able to distribute to an org-level group if it is already connected to the app.

The last point is key - currently it fails to distribute to org-level groups if I use an app token, so I have to use a user token. While I can certainly see use-cases for org-level tokens, I actually actively want to have a token that is restricted to just that app! I would use an org token over a user token, if that's the solution proposed, but in keeping with the "minimal privileges" principles I'd prefer to stick with app tokens. I think it's wrong that a CI system simply automating a deployment has to run as some individual user, when it isn't - and also then it has to have much more privileges than it should (unless you do a lot of admin with users per app in some way).

So my request is simpler: if the distribution group is connected to the app already, then you can distribute to it with an app token, whatever level the group is defined at. This seems a much simpler thing: it seems like a permissions check that needs updating rather than a whole new type of token.

To be honest, I really feel that this is a bug: the admin has connected the distribution group to the app so I should be able to distribute the app to that group with an app token. But I understand this was a deliberate limitation, so I raised it as a feature request.

[ghost]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[slarti-b]

I still want at least the minimal scope in my comment above. This should really be considered as a security-related bug, in my opinion! The current limitations force us to use an over-privileged user for our CI system. However, given it was a design choice to do it this way it's here as a feature request.

@wisdeom: Any news? You merged my request here, I fully understand why (it's similar) but I do feel the scope somewhat exploded in the process :)

[ghost]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[slarti-b]

Any response? (Not wanting to be awkward, but trying to keep the issue alive).

The current appcenter CLI is not compatible with a best practice security approach and CI system. This seems like a fairly important feature. Yes, it works - but only by using an over-privileged user in the CI system, which is not best practice.

[ghost]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[slarti-b]

Ping to keep alive

[joshuakeel]

I'm a new App Center user, and just ran into this issue over the past few days. So just adding my +1 that this is something that blocked my progress and caused confusion. Would love to see this addressed in some way.

[ghost]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[slarti-b]

Ping to keep alive again!

[rivaros]

The issue is that to manage group distribution from CI you need to use user token. User(person) is not something to use with CI, because person can leave organization, and then all his tokens become invalid. Why not allow app tokens to distribute releases into groups which only contain that specific app, or use some organization-level token approach?

[slarti-b]

I'd be happy to have to allow-list the apps and groups per token - so that someone has said "this token can distribute this app to this group" before it worked. But as said, a CI system should be able to distribute test builds and a CI system is not a person. It's really a very fundamental use of a CI system we are talking about here

[ghost]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[ahudelson]

People still need Organizational API Tokens since Apple forced us all into this situation and now all our CI/CD pipelines and distribution integrations are suffering as a result.

[slarti-b]

Seriously MS? 18 months later and not even a comment let alone support for proper CI processes, which is fundamentally what this is about.

Running CI processes as (natural person) users (especially over-privileged ones) breaks the security model. It's a very basic gap and, since it's security related, an important one despite the "workaround" of using personal tokens.

ping @wisdeom since you seemed to put the one comment from MS on this issue so far. Any update?

[microsoft-github-policy-service[bot]]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[mrowles]

Bump

[slarti-b]

I re-iterate my earlier comment - except it's now 22 months instead of 18!

[microsoft-github-policy-service[bot]]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[microsoft-github-policy-service[bot]]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[jonas-ms]

Still relevant and desired feature, bump

[joelain]

Still waiting for this feature also...

[Nailik]

Probably necessary to remove AppCenter and use a better distribution tool. It's hilarious that this is an issue since 2 Years yet so important.

[junlinz2]

Bump for this feature. We'd like to have an organisation level API token for use cases such as shields.io without creating an AppCenter token that's tied to any particular user, or creating a token for each different app, build type and platform.

[KimmoHop]

• I have one or more apps on my organisation.
• I want to define some groups (e.g. "Internal Testers") at the org level, rather than repeating the setup for each app and having to keep them in sync.
• For each app I want to automate distribution, including being able to distribute to an org-level group if it is already connected to the app.

This is really awkward behavior. When group is tied to app, it should be visible and usable to the app.

@msftgits @microsoftopensource

[sanduluca]

We are also interested in App API Token to upload builds to codepush. We dont want specific user to have an api token.

[Oleksandr-R-1]

Anybody here? This feature is really important, would love to have it.

[katiedotson]

Another vote for this feature.

[mrowles]

Going to assume MS don't want to dedicate time to this because code push is kind of against App Store rules and they don't know how long this magic will be permitted/ignored?