Feature #3920
REST API for authentication
| Status: | Closed | Start: | 2009-09-25 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | Eric Davis | % Done: | 100% |
| Category: | - | | |
| Target version: | 0.9.0 | | |
| Resolution: | Fixed | | |
Description
As part of the REST API (#296), there should be a way to authenticate users. I'm planning to implement a few different ways to authenticate for the API:
- HTTP Basic Authentication - http://username:password@www.redmine.org/issues
- HTTP Basic Authentication with an API token, similar to the Atom feeds - http://AB458D45B2:X@www.redmine.org/issues
- API token via the url parameters - http://www.redmine.org/issues?api_key=AB458D45B2
Thoughts? Additional ideas?
Related issues
| blocks Feature #1214: REST API for Issues | Closed | 2008-05-08 |
|---|---|---|
| blocks Feature #296: REST API | Assigned | |
Associated revisions
Added an API token for each User to use when making API requests. (#3920)
The API key will be displayed on My Account page with a link to reset or
generate a new one. All existing users will have a token generated by the
migration.
Allow authenticating with an API token via XML or JSON. (#3920)
Added support for HTTP Basic access to the API. (#3920)
A user can authenticate using either their:
- username/password
- api-key/random
Added an Admin setting to enable/disable the REST web service. (#3920)
History
Updated by Katsunori Kanda 9 months ago
Hello,
How about WSSE, which is used with some popular web services like Flickr? I think it's the better choice if you assume a connection without SSL.
And I also found a good article about HTTP authentication: HTTP Authentication and Feed Security
Updated by Holger Winkelmann 9 months ago
what about API login returns a session token which will be used by further requests?
Updated by Katsunori Kanda 9 months ago
Holger Winkelmann wrote:
what about API login returns a session token which will be used by further requests?
We can choose the suitable way, like using cookies or request parameters the same as normal web applications do, but we must decide whether our API is stateless or not. This decision is independent of choosing the way of authentication.
BTW, I made a mistake. I wrote that the Flickr API used WSSE, but it doesn't. Flickr API authentication is original.
Updated by Pierre Gambarotto 8 months ago
Eric Davis wrote:
- HTTP Basic Authentication with an API token, similar to the Atom feeds - http://AB458D45B2:X@www.redmine.org/issues
This one has my preference. This way you can distribute an access without giving away your favorite password.
This implies for an authenticated user a way to (re)generate a token. It should be on the account page.
Updated by Eric Davis 7 months ago
Holger Winkelmann wrote:
what about API login returns a session token which will be used by further requests?
I don't like that approach. It would require the server to keep the state of the requests and with the latest Redmine, sessions are stored on the client (encrypted cookies).
Pierre Gambarotto wrote:
This implies for an authenticated user a way to (re)generate a token. It should be on the account page.
Correct.
Updated by Eric Davis 7 months ago
- % Done changed from 0 to 50
I've got the token part of this implemented in a private branch. With it, users will have an API token they can use to access Redmine just like a login. I've tested it on the News module and it's working properly for both XML and JSON formats (News already accepts key authentications for the atom feed so it wasn't difficult to add new formats).
curl http://localhost:3000/news.xml?key=01fc3e3832e32ae8c12bf0c3b0819ca4a5972825
<?xml version="1.0" encoding="UTF-8"?>
<news type="array">
  <news>
    <author-id type="integer">1</author-id>
    <comments-count type="integer">0</comments-count>
    <created-on type="datetime">2009-12-20T16:31:09-08:00</created-on>
    <description>testttsstst</description>
    <id type="integer">1</id>
    <project-id type="integer">36</project-id>
    <summary></summary>
    <title>Test</title>
  </news>
</news>
curl http://localhost:3000/news.json?key=01fc3e3832e32ae8c12bf0c3b0819ca4a5972825
[{"title":"Test","created_on":"2009/12/20 16:31:09 -0800","project_id":36,"id":1,"summary":"","description":"testttsstst","comments_count":0,"author_id":1}]
I'm not sure if the HTTP Basic authentication will be able to work transparently. Would it be a worthwhile addition or should I just stick with the key option like the rest of Redmine? (e.g. ATOM feeds, reposman.rb) I can always add the HTTP Basic in later if someone can help find an easy way to add it.
Updated by Eric Davis 7 months ago
Never mind, we will need HTTP Basic if we want to work with ActiveResource.
Updated by Eric Davis 7 months ago
- Status changed from Assigned to Closed
- % Done changed from 50 to 100
- Resolution set to Fixed
This should be considered experimental until further testing.
I added a REST API for authentication with support for three styles of sending the credentials:
- Key parameter - each user has an API token they can manage like the RSS tokens.
- Username and password via HTTP Basic
- Key via HTTP Basic
I'll document how to use the API later, but here are some example calls to my server running on port 3000 at "localhost"
# Key parameter
curl http://localhost:3000/news.xml?key=01fc3e3832e32ae8c12bf0c3b0819ca4a5972825
curl http://localhost:3000/news.json?key=01fc3e3832e32ae8c12bf0c3b0819ca4a5972825
# Username and password via HTTP Basic
curl "http://admin:test@localhost:3000/news.json"
curl "http://admin:test@localhost:3000/news.xml"
# Key via HTTP Basic
curl "http://01fc3e3832e32ae8c12bf0c3b0819ca4a5972825:@localhost/news.json"
curl "http://01fc3e3832e32ae8c12bf0c3b0819ca4a5972825:@localhost/news.xml"
curl "http://01fc3e3832e32ae8c12bf0c3b0819ca4a5972825:THE_PASSWORD_FIELD_CAN_BE_ANYTHING@localhost/news.json"
I also added the REST API to News (both XML and JSON). News was very simple and should be a good test of the system. The REST API can be enabled and disabled in the Redmine settings (disabled by default).
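The three credential styles listed above (key parameter, username/password via HTTP Basic, key via HTTP Basic) as a server-side check over a Rack-style env hash. This is an added example, not Redmine's code: the user table, the `find_api_user` and `user_from_key` names and the plaintext password column are constructed for the demo, and token comparison is constant-time so a wrong key fails without leaking how many leading bytes matched.

```ruby
# Constructed sample user table (not Redmine's data): login => password, api_key.
# A real deployment stores a password hash, not the plaintext shown here.
USERS = {
  'admin' => { password: 'test',
               api_key: '01fc3e3832e32ae8c12bf0c3b0819ca4a5972825' }
}.freeze

# Constant-time comparison: OR together the XOR of every byte pair so the
# loop cost does not depend on where the first mismatch sits.
def secure_equal?(a, b)
  a = a.to_s
  b = b.to_s
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Look up the login owning an API key; nil when no key matches.
def user_from_key(key)
  login, = USERS.find { |_, rec| secure_equal?(rec[:api_key], key) }
  login
end

# Resolve the authenticated login from a request env, or nil.
# Order mirrors the thread: ?key= first, then the Basic header, where the
# "username" slot may carry the token (password then ignored) or a real login.
def find_api_user(env)
  params = env['QUERY_STRING'].to_s.split('&').map { |kv| kv.split('=', 2) }.to_h
  # Key in the URL: works, but the token ends up in access logs and browser
  # history, so the header forms below are the ones to prefer.
  return user_from_key(params['key']) if params['key']

  auth = env['HTTP_AUTHORIZATION'].to_s
  return nil unless auth.start_with?('Basic ')
  login, password = auth.sub('Basic ', '').unpack1('m').split(':', 2)

  # Key via HTTP Basic: "KEY:anything" authenticates the key's owner.
  user = user_from_key(login)
  return user if user

  # Username and password via HTTP Basic.
  rec = USERS[login]
  rec && secure_equal?(rec[:password], password) ? login : nil
end
```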
Updated by Jean-Philippe Lang 7 months ago
- not needed since keys will be created on the fly
- models should be used as less as possible in migrations
- took more than 10 minutes on my redmine database
Thanks for the feature.
Updated by Eric Davis 7 months ago
Jean-Philippe Lang wrote:
- took more than 10 minutes on my redmine database
Good point, thanks for the extra cleanup work on this. I'm going to try to write something small to demonstrate how to use it and see if there is anything else I missed.