Feature #25140

open

[API] authentication with JSON Web Tokens

Added by Vincent Robert about 7 years ago. Updated over 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: REST API
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

Currently, the API only accepts two ways to authenticate users:
- HTTP Basic authentication (logins and passwords are sent with each request)
- API key

We could secure this process and make it easier to use.
Allowing JWT (JSON web token) authentication could be a great improvement.

Actions #1

Updated by Serguei Okladnikov about 7 years ago

Vincent Robert wrote:

We could secure this process and make it easier to use.

Would you like to secure API calls?
Or do you want to rewrite the front panel working process too?

Actions #2

Updated by Vincent Robert about 7 years ago

Hi Serguei,
I am just talking about API calls here. I could work on this feature, but I would like to know the opinion of core contributors first.
Thanks

Actions #3

Updated by Jaap de Haan almost 6 years ago

Good point. I would go so far as to allow this not only for API calls but for the normal UI as well (enabling SSO use cases via JWT, for example).

Actions #4

Updated by Enziin System over 5 years ago

I think JWT is necessary.

Using the API key will require more actions, which is to force the user to create a key, then copy the API key into their application.

JWT authentication is simply using username/password.

When we embed the Redmine API into a mobile app, then JWT must be used.

If you use Redmine core in a multi-million-user application, then each request from the client on mobile or desktop will cause Redmine to query the Token table in the DB.

It is not effective and it will overload.
