By: Viktor Danyliuk user 15 Jul 2020 at 12:39 p.m. CDT

4 Responses
Hi Gluu support, I'm looking forward to using Gluu in our system. One of the use cases that I would like to be supported is to allow users to create some kind of scoped access tokens to access our API programmatically. For example, GitHub allows creating `Personal Access Tokens` at `Settings > Developer settings > Personal access tokens`. I didn't find such options in Gluu and see no way to easily achieve it. Did I miss it? Could you point me in the right direction? Thank you very much in advance, Viktor

By Michael Schwartz staff 19 Jul 2020 at 7:17 p.m. CDT

GitHub is providing a way for a person to get an access token and deliver it to an app. You could do something like this, but it would take some integration. First, there are a few things to consider... access tokens are short lived. If you use an access token, you'd have to make it long lived. And for this client, set a long `Access Token Lifetime`. Maybe you want to use a refresh token here? Definitely possible... but you need to think it through.

By Viktor Danyliuk user 20 Jul 2020 at 5:26 a.m. CDT

Ok, so it's not something Gluu provides out of the box. I have walked through the docs and didn't find an API to get all of a user's tokens (it's required to allow a user to manage tokens). So, as a workaround, I imagine the following way to achieve the desired feature:

1. Instead of a new Personal Access Token, create a new "sub" user with a group related to the original user (e.g. user1_token_user_group).
2. So, the original user will be able to fetch users filtered by the related group, so the fetched "sub" users might be considered as tokens instead.
3. When a "sub" user is created, show its access token that is generated for a selected lifetime. There will be no way to generate the access token again.
4. To revoke a Personal Access Token we actually need to remove a "sub" user.
5. I will need to check each user to see if it belongs to "token_user_group" and use the username of the original user instead.

It seems to be achievable with Gluu, but it would be nice to have it out of the box. Thank you for the reply.

By Michael Schwartz staff 20 Jul 2020 at 6:25 a.m. CDT

I think it is supported out of the box... it's just an OAuth access token. Or maybe your expectations of "out of the box" are really high... :-) If you were to build a web page that required a token with a certain scope, and don't enable pre-authorization... and then print the token in your web page. The app can use the token introspection endpoint... if you need to customize the content of the token, you can use the introspection interception script. I have published a video on RBAC with OAuth that might give you some ideas.
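The resource-server side of what is described above (require a token with a certain scope, and have the API validate it through the token introspection endpoint) as an added example; this is not code from the thread or from Gluu. It assumes, beyond what the thread states, that the introspection endpoint is at `https://idp.example.com/oxauth/restv1/introspection`, that the API is itself registered as an OAuth client authenticating with HTTP Basic (`resource-server-client` / `change-me` are placeholders), that the API requires the scope `api:read`, and the sample introspection responses are constructed, not real Gluu output.

```python
"""
RFC 7662 token introspection check for a PAT-style OAuth access token.
Added example (not Gluu's own code). Assumed, not from the thread:
the introspection URL, the client credentials, and the required scope.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

INTROSPECTION_URL = "https://idp.example.com/oxauth/restv1/introspection"  # assumed
CLIENT_ID = "resource-server-client"  # assumed placeholder
CLIENT_SECRET = "change-me"  # assumed placeholder


def build_introspection_request(token, url=INTROSPECTION_URL,
                                client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Return (url, headers, body) for an RFC 7662 introspection POST.

    The resource server authenticates to the introspection endpoint with
    HTTP Basic so that arbitrary callers cannot probe token validity.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    return url, headers, body


def introspect_http(token):
    """Call the real introspection endpoint and return the parsed JSON."""
    url, headers, body = build_introspection_request(token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def authorize(introspection, required_scope, now=None):
    """Decide whether an introspection response grants required_scope.

    Returns (allowed, reason, username). A revoked, expired or unknown
    token comes back as active=false per RFC 7662, so that check comes
    first; exp is re-checked locally so a cached response cannot outlive
    the token.
    """
    now = time.time() if now is None else now
    if not introspection.get("active", False):
        return False, "token inactive (expired, revoked, or unknown)", None
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired", None
    granted = set(introspection.get("scope", "").split())
    if required_scope not in granted:
        return False, f"missing scope {required_scope}", None
    return True, "ok", introspection.get("username") or introspection.get("sub")


def check_request(authorization_header, required_scope,
                  introspect=introspect_http, now=None):
    """Extract the bearer token from an Authorization header and authorize it."""
    if not authorization_header or not authorization_header.lower().startswith("bearer "):
        return False, "no bearer token", None
    token = authorization_header[7:].strip()
    if not token:
        return False, "no bearer token", None
    return authorize(introspect(token), required_scope, now=now)


# Constructed sample introspection responses (not real Gluu output).
SAMPLE_RESPONSES = {
    "tok-good": {"active": True, "scope": "openid api:read",
                 "client_id": "pat-client", "username": "viktor",
                 "exp": 1_900_000_000},
    "tok-wrong-scope": {"active": True, "scope": "openid profile",
                        "client_id": "pat-client", "username": "viktor",
                        "exp": 1_900_000_000},
    "tok-revoked": {"active": False},
}


def fake_introspect(token):
    """Offline stand-in for introspect_http using the constructed samples."""
    return SAMPLE_RESPONSES.get(token, {"active": False})


if __name__ == "__main__":
    for header in ("Bearer tok-good", "Bearer tok-wrong-scope",
                   "Bearer tok-revoked", "Bearer tok-unknown", "Basic abc"):
        print(header, "->", check_request(header, "api:read",
                                          introspect=fake_introspect))
```

Swap `fake_introspect` for the default `introspect_http` to run against a live endpoint. Because the decision is made on the introspection response rather than on the token's own contents, the same check works whether the PAT is a long-lived opaque token or one whose claims have been customized with an introspection interception script.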

By Viktor Danyliuk user 20 Jul 2020 at 6:42 a.m. CDT

Yeah, right. I feel like I know enough to try to integrate with Gluu. Thank you.