butonic
commented
1 month ago Are app tokens a production ready product feature nowadays?
Partly. Enabling external services to use the graph api requires a token that does not need human interaction. @tbsbdr @dragotin how do we continue with this? @wkloucek is there a way to mark a feature as experimental?
And if so, what's the reasoning behind this:
For security reasons, bearer tokens can only be generated by the admin on the CLI, token generation via the web api is not enabled.
Why would we do a hardcoded change of the oCIS product default in AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN ?
I'll revert that
Why does this service need another PVC? Even if it was to store data, shouldn't it use either the micro store interface or the storage-system storage!?
🤔 hm, good point. The only implementation currently writes to disk. I'll look into a store backed implementation.
wkloucek
micbar
Fixes #707
This PR adds a minimal app tokens feature:
External services can use the bearer tokens to make requests on external endpoints, eg. to create storage spaces and manage space membership.
For security reasons, bearer tokens can only be generated by the admin on the CLI, token generation via the web api is not enabled.
Use this only for services under your control. The generated tokens are not scoped and can execute any actions permitted by the associated user.
Allow users to generate app tokens for other clients is tracked in https://github.com/owncloud/ocis/issues/7711