
Add a CLI tool to ease the retrieval of authentication tokens
Closed, Resolved, Public

Description

We should provide a CLI tool allowing users to retrieve their OpenID Connect access and refresh tokens easily. For instance:

$ swh authenticate -u <username> -p <password>
<JSON dump of tokens>

This tool should only send requests to the Keycloak server as we do not want credentials to transit in any swh web applications.

As the main usage of that tool will be to generate bearer tokens to authenticate a user querying the Software Heritage Web API,
providing OIDC offline access seems the best option here.

With offline access, the OIDC refresh token has a much longer expiration time (60 days by default in Keycloak with 30 days idle time,
can be easily changed). It means the refresh token can be stored by a user and reused to get a new access token without having
to log in again, which is pretty convenient for Web API clients.

Event Timeline

anlambert triaged this task as Normal priority. Feb 4 2020, 6:37 PM
anlambert created this task.
vlorentz edited projects, added Web app; removed Restricted Project. Feb 22 2020, 6:07 PM
anlambert changed the task status from Open to Work in Progress. Mar 18 2020, 7:06 PM
anlambert updated the task description.
anlambert updated the task description. Mar 20 2020, 3:19 PM
zack added a subscriber: zack. Mar 20 2020, 3:24 PM

Now that it exists, do you want this to be part of the swh web client?

As a nitpick, it's usually best not to pass passwords via argv by default, but rather ask them interactively (so that they do not appear in ps output, for instance).

> Now that it exists, do you want this to be part of the swh web client?

Yes, I intend to add that CLI tool in swh-web-client (I am currently writing the tests).

I will also create another diff to add authentication management in the WebAPIClient class.
You will simply need to provide a refresh token (with long-term expiration, number of days to be defined)
retrieved with the CLI tool, and access token renewal will be automatically handled.

> As a nitpick, it's usually best not to pass passwords via argv by default, but rather ask them interactively (so that they do not appear in ps output, for instance).

Of course, I used the getpass module in my implementation.
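
The flow discussed in this task (password prompted with getpass, credentials posted only to the Keycloak token endpoint, offline_access scope so the refresh token can be stored and reused), as an added sketch that is not the swh-web-client implementation. The server URL, realm and client id are placeholders, the function names are hypothetical, and it assumes the Keycloak client allows the password grant.

```python
import getpass
import json
import urllib.parse
import urllib.request


def token_endpoint(server_url: str, realm: str) -> str:
    """Build the realm's OIDC token endpoint; refuse non-HTTPS servers."""
    if urllib.parse.urlsplit(server_url).scheme != "https":
        raise ValueError("credentials must only be sent over HTTPS")
    realm = urllib.parse.quote(realm, safe="")
    return f"{server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def login_form(client_id: str, username: str, password: str) -> dict:
    """Password grant; the offline_access scope requests an offline refresh token."""
    return {"grant_type": "password", "client_id": client_id,
            "scope": "openid offline_access",
            "username": username, "password": password}


def refresh_form(client_id: str, refresh_token: str) -> dict:
    """Exchange a stored refresh token for a new access token, no password needed."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}


def post_form(url: str, form: dict) -> dict:
    """POST the form in the request body (never the query string), parse JSON."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values: replace with the real Keycloak URL, realm and client.
    url = token_endpoint("https://keycloak.example.org/auth", "example-realm")
    user = input("Username: ")
    # Prompted without echo, so the password never appears in argv or ps output.
    tokens = post_form(url, login_form("example-client", user, getpass.getpass()))
    print(json.dumps(tokens, indent=2))
```

A Web API client would keep only the returned refresh token and call `post_form(url, refresh_form(...))` whenever the access token expires.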