Page MenuHomeSoftware Heritage
Create Task
Maniphest T2268

Add a CLI tool to ease the retrieval of authentication tokens
Closed, MigratedEdits Locked
Actions

Description

We should provide a CLI tool allowing users to retrieve their OpenID Connect access and refresh tokens easily. For instance:

$ swh authenticate -u <username> -p <password>
<JSON dump of tokens>

This tool should only send requests to the Keycloak server as we do not want credentials to transit in any swh web applications.

As the main usage of that tool will be to generate bearer tokens to authenticate an user querying the Software Heritage Web API,
providing OIDC offline access seems the best option here.

With offline access, OIDC refresh token has a much longer expiration time (60 days by default in Keycloak with 30 days idle time,
can be easily changed). It means the refresh token can be stored by an user and reused to get a new access token without having
to login again, which is pretty convenient for web api clients.

Revisions and Commits

rDWCLI Web client
D2861rDWCLI842b7bc7ca92 cli: Add auth command group

Related Objects
Search...

Event Timeline

anlambert triaged this task as Normal priority.Feb 4 2020, 6:37 PM
anlambert created this task.
vlorentz edited projects, added Web app; removed Roadmap 2020.Feb 22 2020, 6:07 PM
anlambert changed the task status from Open to Work in Progress.Mar 18 2020, 7:06 PM
anlambert updated the task description. (Show Details)
anlambert updated the task description. (Show Details)Mar 20 2020, 3:19 PM
zack added a subscriber: zack.Mar 20 2020, 3:24 PM

Now that it exists, do you want this to be part of the swh web client?

As a nitpick, it's usually best not to pass passwords via argv by default, but rather ask them interactively (so that they do not appear in ps output, for instance).

anlambert added a comment.Mar 20 2020, 3:31 PM

Now that it exists, do you want this to be part of the swh web client?

Yes I intend to add that CLI tool in swh-web-client (I am currently writing the tests).

I will also create another diff to add authentication management in WebAPIClient class,
You will simply need to provide a refresh token (with long term expiration, amount of days to define)
retrieved with the CLI tool and access token renewal will be automatically handled.

As a nitpick, it's usually best not to pass passwords via argv by default, but rather ask them interactively (so that they do not appear in ps output, for instance).

Of course, I used getpass module in my implementation.

anlambert closed this task as Resolved by committing rDWCLI842b7bc7ca92: cli: Add auth command group.Mar 24 2020, 12:08 PM
anlambert added a commit: rDWCLI842b7bc7ca92: cli: Add auth command group.
gitlab-migration changed the task status from Resolved to Migrated.Jan 8 2023, 4:29 PM
gitlab-migration claimed this task.
gitlab-migration added a subscriber: gitlab-migration.

This task has been migrated to GitLab.

About · Developer information · Legal