By: tomas kobza user 02 Jul 2020 at 2:21 a.m. CDT

2 Responses
Hi Gluu support. I have a more general question about the Gluu solution. our system consists of multiple APIs and FE GUI. One of our security goals is to protect the mentioned APIs with access keys. That simply means - admin user should have a privilege to generate an API access key for specific user. This user can have 1 or more API access keys which he/she will use for access 1 or more APIs. I've studied the docs and was not able to find out any part of the solution which will be able to cover this requirement. Please, are API access keys supported by Gluu, or can I use some of the Gluu functionality to generate API access keys? If yes, can you give me a hint how? Thank you very much in advance. Tomas

By Michael Schwartz Account Admin 06 Jul 2020 at 10:30 p.m. CDT

Static access keys are not good for security. According to RFC 6749, access tokens should be short lived--one to five minutes. So issuing a non-expiring access token is basically a security anti-pattern. If possible, I would avoid this pattern. How hard is it to ask developers to get a token at the token endpoint when they need to call an API? It's one round trip... There is always a workaround in Gluu, but as a first step, I'd say throw this back at your security team and ask them to seriously consider the implications.
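The "one round trip" pattern Michael describes, shown as an added example that is not code from Gluu or from anyone in this thread: a simulated token endpoint mints a short-lived HMAC-signed JWT, the API checks signature, expiry and scope on every call, and the caller caches the token and fetches a fresh one shortly before it expires. The signing key, issuer URL, client name, scope name and 300-second lifetime are all constructed placeholders; a real deployment would obtain the token from the OpenID provider's token endpoint over HTTPS and verify it against the provider's published keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: in practice the OP signs with its own (asymmetric) key.
SECRET = b"constructed-demo-signing-key"
ISSUER = "https://idp.example.test"   # placeholder issuer
TTL_SECONDS = 300                     # five-minute token lifetime, per the advice above


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, scope: str, now: int, ttl: int = TTL_SECONDS) -> str:
    """Simulated token endpoint: returns an HS256 JWT that expires after `ttl` seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": client_id, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, required_scope: str, now: int) -> dict:
    """Resource-server side: check signature, then expiry, then scope. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims


def authorize(token: str, required_scope: str, now: int) -> str:
    """Convenience wrapper: 'allowed' or the reason the API would reject the call."""
    try:
        verify_token(token, required_scope, now)
        return "allowed"
    except ValueError as err:
        return str(err)


class ApiClient:
    """Caller side: one round trip to the token endpoint, then reuse until ~30 s before expiry."""

    def __init__(self, client_id: str, scope: str, clock=time.time):
        self.client_id = client_id
        self.scope = scope
        self.clock = clock          # injectable so the refresh logic can be tested deterministically
        self._token = None
        self._expires_at = 0
        self.token_requests = 0     # counts round trips to the (simulated) token endpoint

    def token(self) -> str:
        now = int(self.clock())
        if self._token is None or now >= self._expires_at - 30:
            self._token = issue_token(self.client_id, self.scope, now)
            self._expires_at = now + TTL_SECONDS
            self.token_requests += 1
        return self._token


if __name__ == "__main__":
    client = ApiClient("reporting-service", "reports:read")
    tok = client.token()
    print(authorize(tok, "reports:read", int(time.time())))    # allowed
    print(authorize(tok, "reports:write", int(time.time())))   # insufficient scope
```

The caller never stores a long-lived credential for the API itself; only the client's credentials to the token endpoint are long-lived, and every token the API sees is worthless a few minutes after issue. That is what makes the pattern cheaper to operate than static keys: revocation and rotation happen at one place, the issuer, rather than in every API's key table.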

By Viktor Danyliuk user 15 Jul 2020 at 11:49 a.m. CDT

Hi Michael, it feels like I have a similar need. Basically, I want to allow users to create scoped access tokens to access my API programmatically. For example, GitHub allows creating `Personal Access Tokens` at `Settings > Developer settings > Personal access tokens` ([link](https://github.com/settings/tokens)). I didn't find such options in Gluu. Did I miss it? Could you point me in the right direction if the "Personal Access Tokens" approach is deprecated? UPD: just created a new ticket for it https://support.gluu.org/authentication/8593/personal-access-tokens/