Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch to Bugzilla API Keys for auth #19

Open
leif81 opened this issue Sep 23, 2015 · 6 comments
Open

Switch to Bugzilla API Keys for auth #19

leif81 opened this issue Sep 23, 2015 · 6 comments

Comments

@leif81
Copy link
Owner

leif81 commented Sep 23, 2015

We currently use Bugzilla tokens for authentication, but there are a couple problems with them:

  • they expire after 24hrs and we don't handle that well yet, but we could
  • they are deprecated and going away "in the version after Bugzilla 5.0."

The best alternative looks like Bugzilla API Keys.

An API Key can be created through the Bugzilla user prefs page (API Keys tab) and then pasted into our app (instead of providing a user and password) and never expire until revoked.

http://bugzilla.readthedocs.org/en/latest/api/core/v1/general.html#authentication

The even slicker way of using API Keys is something called "authentication deligation". The user would click the Login button in our app, it would redirect them to a sign-in page on the Bugzilla instance and then return them back to our app when successfully authenticated. However we're unsure how to enable that auth.cgi page in the example so for now this step seems a reach.

http://bugzilla.readthedocs.org/en/latest/integrating/auth-delegation.html#auth-delegation

@leif81
Copy link
Owner Author

leif81 commented Sep 23, 2015

However we're unsure how to enable that auth.cgi page in the example so for now this step seems a reach.

Looks like this feature does not exist in 5.0, it'll be in 5.1.

leif81 added a commit that referenced this issue Sep 23, 2015
@leif81
Copy link
Owner Author

leif81 commented Sep 23, 2015

I've got a WIP prototype implementation I tried out on a branch here. I'm unclear how to get the users id to populate the "whoami" field though. I posted a question in the mozilla.dev.apps.bugzilla forums.

https://groups.google.com/forum/#!topic/mozilla.dev.apps.bugzilla/MMAs_SSF6ag

@leif81
Copy link
Owner Author

leif81 commented Sep 23, 2015

Well, I got my answer back. Nothing exists yet, but a new REST API call is in development and ironically enough will be called whoami.

@leif81
Copy link
Owner Author

leif81 commented Oct 2, 2016

Nothing exists yet, but a new REST API call is in development and ironically enough will be called whoami.

https://bugzilla.mozilla.org/show_bug.cgi?id=1307003

Will appear in Bugzilla 6.0.

@leif81 leif81 added the upstream label Jan 9, 2017
@leif81
Copy link
Owner Author

leif81 commented Jan 31, 2017

I noticed today the bugzilla.mozilla.org site doesn't accept token auth. I tried logging in via our demo URL and got an error:

"API key authentication is required."

@gizzmojr
Copy link
Collaborator

Well our server already has the API ability, and the way we implemented token, should be simple refactor.
Do we want to support both token and API?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants