Currently we authenticate to the ceph-api with user/password or OAuth; the ask is to have long-lived API keys that can be scoped by permissions.
Currently our OAuth access token / JWT has a short expiry:
auth:
accessTokenLifespan: 1m
refreshTokenLifespan: 1h
Recap on auth:
Before doing anything, the user needs to be authenticated. We currently do that by obtaining an access token / JWT:
curl -X POST -u "ceph-api:yoursecretpass" \
-d "grant_type=password&username=admin&password=yoursecretpass" \
http://localhost:9969/api/oauth/token
{
"access_token": "<jwt>",
"expires_in": 60,
"refresh_token": "<refresh-token>",
"refresh_expires_in": 3600,
"token_type": "bearer"
}
For every authenticated call we pass Authorization: Bearer <jwt>. This is analogous to being logged into a dashboard, where the browser caches the JWT for future requests (and uses the refresh token to get a new JWT when it expires).
To create an API key we'd need an endpoint that is called with a valid access token:
POST /api/v1/auth/api-keys
Authorization: Bearer <jwt>
Content-Type: application/json
Body:
{
"name": "my-special-api-key",
"description": "used by my robot"
}
response:
{
"key": {
"id": "ak_...",
"name": "my-special-api-key",
"enabled": true,
"created_by": "user:admin"
},
"token": "capi_v1_ak_....<secret>"
}
token is the API key itself. It must be displayed only once, in this creation response; the server keeps only a hash of it (secret_hash below), so it cannot be retrieved again later.
Why do we need API keys?
- I need some way to authenticate with a token that is long-lived (e.g. 1 month / 1 year / never) and to scope that token with roles. Something like personal access tokens (PATs) in GitHub.
- access_token and refresh_token are cached in fosite's in-memory store, and these tokens get invalidated (for good reason), since this OAuth model fits a dashboard's use case: you log back in if you need a new refresh_token. That does not work for unattended clients such as scripts or robots.
Some suggestions for endpoints
POST /api/v1/auth/api-keys
DELETE /api/v1/auth/api-keys/{key_id}
GET /api/v1/auth/whoami
ideally these only return metadata and never the actual key material (the secret is shown once at creation and only its hash is stored):
GET /api/v1/auth/api-keys
GET /api/v1/auth/api-keys/{key_id}
some useful metadata we can store with each API key:
- id
- name
- description
- cluster_id
- secret_hash
- enabled
- revoked_at
- created_at
- created_by
- expires_at
- last_used_at
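As an added example (not ceph-api's own code), here is a Go sketch of the create / authenticate / revoke lifecycle for such a key, built on the metadata fields listed above. It assumes the token layout capi_v1_<id>.<secret> with "." as the separator, SHA-256 for secret_hash, and an in-memory map as the store; the names Store, Create, Authenticate and Revoke are hypothetical and only illustrate the endpoint semantics.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// tokenPrefix and the "<id>.<secret>" layout are assumptions about the
// "capi_v1_ak_....<secret>" format sketched in the issue.
const tokenPrefix = "capi_v1_"

// APIKey is the server-side record. Only the hash of the secret is stored, so a
// leaked database does not yield usable tokens; the secret is shown once at creation.
type APIKey struct {
	ID          string     `json:"id"`
	Name        string     `json:"name"`
	Description string     `json:"description"`
	SecretHash  string     `json:"-"` // hex(sha256(secret)); never serialised in GET responses
	Enabled     bool       `json:"enabled"`
	CreatedBy   string     `json:"created_by"`
	CreatedAt   time.Time  `json:"created_at"`
	ExpiresAt   *time.Time `json:"expires_at"` // nil means the key never expires
	RevokedAt   *time.Time `json:"revoked_at"`
	LastUsedAt  *time.Time `json:"last_used_at"`
}

// Store is an in-memory stand-in for the persistence layer, keyed by key id.
type Store map[string]*APIKey

var ErrInvalidKey = errors.New("invalid api key")

// randomToken returns nBytes of CSPRNG output as base64url (alphabet has no ".").
func randomToken(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func hashSecret(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// Create mints a key (POST /api/v1/auth/api-keys). ttl <= 0 means no expiry.
// It returns the metadata to echo back and the one-time token.
func (s Store) Create(name, description, createdBy string, ttl time.Duration, now time.Time) (*APIKey, string) {
	secret := randomToken(32)
	k := &APIKey{
		ID: "ak_" + randomToken(12), Name: name, Description: description,
		SecretHash: hashSecret(secret), Enabled: true, CreatedBy: createdBy, CreatedAt: now,
	}
	if ttl > 0 {
		exp := now.Add(ttl)
		k.ExpiresAt = &exp
	}
	s[k.ID] = k
	return k, tokenPrefix + k.ID + "." + secret
}

// Revoke implements DELETE /api/v1/auth/api-keys/{key_id}: mark rather than
// delete so revoked_at stays available for audit. False if unknown or already revoked.
func (s Store) Revoke(id string, now time.Time) bool {
	k, ok := s[id]
	if !ok || k.RevokedAt != nil {
		return false
	}
	t := now
	k.RevokedAt, k.Enabled = &t, false
	return true
}

// Authenticate resolves the value of "Authorization: Bearer <token>" to a key.
// It looks the key up by id, compares the secret hash in constant time, then
// enforces revoked_at / enabled / expires_at and records last_used_at.
func (s Store) Authenticate(token string, now time.Time) (*APIKey, error) {
	if !strings.HasPrefix(token, tokenPrefix) {
		return nil, ErrInvalidKey
	}
	id, secret, ok := strings.Cut(token[len(tokenPrefix):], ".")
	if !ok || id == "" || secret == "" {
		return nil, ErrInvalidKey
	}
	k, found := s[id]
	if !found || subtle.ConstantTimeCompare([]byte(hashSecret(secret)), []byte(k.SecretHash)) != 1 {
		return nil, ErrInvalidKey
	}
	switch {
	case k.RevokedAt != nil:
		return nil, errors.New("api key revoked")
	case !k.Enabled:
		return nil, errors.New("api key disabled")
	case k.ExpiresAt != nil && !now.Before(*k.ExpiresAt):
		return nil, errors.New("api key expired")
	}
	t := now
	k.LastUsedAt = &t
	return k, nil
}

func main() {
	s := Store{}
	now := time.Now()
	k, tok := s.Create("my-special-api-key", "used by my robot", "user:admin", 30*24*time.Hour, now)
	fmt.Println("one-time token:", tok)
	if got, err := s.Authenticate(tok, now); err == nil {
		fmt.Println("authenticated key", got.ID, "created by", got.CreatedBy)
	}
	s.Revoke(k.ID, now)
	_, err := s.Authenticate(tok, now)
	fmt.Println("after revoke:", err)
}
```

Two design points worth keeping when this is wired into HTTP handlers: the id travels in the clear so the lookup is O(1) and the server hashes exactly one candidate secret per request, and the distinct error values are for logging only; the handler should map all of them to the same 401 so a caller cannot tell an unknown key from a revoked one. A plain SHA-256 is adequate here because the secret is 256 random bits and not a user-chosen password, so brute force against the stored hash is infeasible.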