FusionAuth

Implementing GitHub-like "Personal Access Tokens"

    mou, 22 Nov 2023, 22:13

    Hello, everyone!

    I'm reaching out to the community for insights on a scenario that I initially thought was common, but I'm struggling to find examples or guides. Perhaps my assumptions were off, or I might not be using the right search terms.

    Here's our situation: We're in the process of meticulously designing a robust Authorization and API framework using Entity Framework for our customers. However, this is a time-consuming process, and we're concurrently preparing to launch an MVP for our product.

    To add immediate value for our users, especially in a dev/infra SaaS context, we're considering implementing a feature for users to generate long-lived access tokens. These tokens would be used in their scripts and automation tasks. The most notable implementation of such a feature can be found in GitHub.

    The envisioned user flow is as follows:

    1. The user navigates to their profile.
    2. They access a specific section dedicated to API integration.
    3. Upon clicking "Generate Personal Access Token," they see a token that can be easily copied.
    4. The user can then use this token for API interactions, with actions being internally authorized via FusionAuth. Additionally, there's an option to revoke or delete the token as needed.

    Our rationale behind this approach is to establish a straightforward Proof of Concept (PoC) for API authorization. This allows us to hit the market sooner, while gradually evolving our API authorization infrastructure to be more sophisticated over time.

    I'm keen to know if anyone has implemented a similar feature using FusionAuth. Any examples, recipes, or best practices would be immensely helpful.

    Thanks in advance for your insights!

      mark.robustelli @mou, 27 Nov 2023, 21:17

      @mou, Is this what you are looking for? https://fusionauth.io/docs/lifecycle/authenticate-users/application-authentication-tokens

        mou @mark.robustelli, 28 Nov 2023, 13:35

        @mark-robustelli Thank you for your answer. Indeed, we are considering this option as a last resort, because Application Authentication Tokens are a "replacement" for passwords. It is not enough to provide only this token to identify the user; a login identifier has to be provided alongside it. That is somewhat different from the reference GitHub implementation.

          mark.robustelli @mou, 28 Nov 2023, 15:20

          @mou Did you get to the bottom of that page? (Enabling Authentication Tokens and Generating Authentication Tokens). Those are per user. Is there a reason this won't work?

          I did see this note that might help your use case.

          Note that you must provide a valid API key unless you’ve also unchecked the Require an API key setting in the Login API Settings.

            mou @mark.robustelli, 28 Nov 2023, 16:41

            @mark-robustelli Yes. We even tested it. However, the ideal case for end users would be to provide a single token for API calls, but passing the Authentication Token to the Login API requires specifying the user's login (in our case, the email). Here is an example request from the documentation.

            {
              "loginId": "example@fusionauth.io",
              "password": "52h3h9fsjOn2Eh0+NBT3Kf6NcWFHbJ7oPD0sFsHMQps=",
              "applicationId": "10000000-0000-0002-0000-000000000001",
              "ipAddress": "192.168.1.42"
            }
            
              mark.robustelli @mou, 28 Nov 2023, 21:22

              @mou I don't think there is anything that would allow you to create a personal access token as you are describing it. You may be able to "work around" that by managing the token a bit. Since the user has to log in to get the token, you could get the personal token and embed the user name, i.e. on the get-token call your code could get the token for the user and then append the email before you send it to the client. It would look something like:

              user: john@example.com

              Get Token -> x12345y

              Append User: john@example.com:x12345y
              base64 encode: am9obkBleGFtcGxlLmNvbTp4MTIzNDV5

              Give that to the user; then in your app, when you receive it, base64-decode it, giving you the username and token for the user.

              Is that something that might work for you?

                mou @mark.robustelli, 1 Dec 2023, 10:20

                @mark-robustelli Thank you. It is an interesting workaround. I think if we apply encryption on top of the generated string value, it will not disclose the user's login.

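One way to put the two replies above into code, the base64 "login:token" packing from mark.robustelli's reply and the encrypted variant mou suggests so that the login id is not disclosed, as an added example that is not part of this thread or of FusionAuth's own code. It is Go using only the standard library. The server-held AES-256 key, the "pat_" prefix and the "pat-v1" label are assumptions of this example; the loginId/password/applicationId field names and the applicationId value are taken from the example request quoted earlier in the thread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// loginRequest mirrors the Login API body quoted above (the Authentication Token goes in "password").
type loginRequest struct {
	LoginID       string `json:"loginId"`
	Password      string `json:"password"`
	ApplicationID string `json:"applicationId"`
}

// patAAD is bound into the GCM tag (an illustrative label, not a FusionAuth value).
var patAAD = []byte("pat-v1")

// PackPlain is the base64 workaround from the reply above; the login id is readable by anyone holding it.
func PackPlain(loginID, authToken string) string {
	return base64.StdEncoding.EncodeToString([]byte(loginID + ":" + authToken))
}

// UnpackPlain reverses PackPlain.
func UnpackPlain(pat string) (loginID, authToken string, err error) {
	raw, err := base64.StdEncoding.DecodeString(pat)
	if err != nil {
		return "", "", err
	}
	return splitPair(raw)
}

// PackSealed is the follow-up idea: AES-256-GCM under a server-held key, so the string the user
// holds reveals neither the login id nor the raw token. Layout: "pat_" + base64url(nonce || ct || tag).
func PackSealed(key []byte, loginID, authToken string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	blob := aead.Seal(nonce, nonce, []byte(loginID+":"+authToken), patAAD)
	return "pat_" + base64.RawURLEncoding.EncodeToString(blob), nil
}

// UnpackSealed rejects a wrong key, truncation or any flipped byte via the GCM tag check.
func UnpackSealed(key []byte, pat string) (loginID, authToken string, err error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", "", err
	}
	ns := aead.NonceSize()
	blob, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(pat, "pat_"))
	if err != nil || !strings.HasPrefix(pat, "pat_") || len(blob) < ns {
		return "", "", errors.New("pat is malformed")
	}
	raw, err := aead.Open(nil, blob[:ns], blob[ns:], patAAD)
	if err != nil {
		return "", "", errors.New("pat failed authentication (tampered or wrong key)")
	}
	return splitPair(raw)
}

// LoginBody builds the JSON the server posts to the Login API after unpacking.
func LoginBody(loginID, authToken, applicationID string) ([]byte, error) {
	return json.Marshal(loginRequest{LoginID: loginID, Password: authToken, ApplicationID: applicationID})
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// splitPair splits on the LAST colon: the quoted token is standard base64 (no ':'), so a login id containing ':' survives.
func splitPair(raw []byte) (string, string, error) {
	i := strings.LastIndexByte(string(raw), ':')
	if i < 0 {
		return "", "", errors.New("pat has no login:token separator")
	}
	return string(raw[:i]), string(raw[i+1:]), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key; use a secret store in production
	sealed, _ := PackSealed(key, "john@example.com", "x12345y") // constructed sample values
	l, t, err := UnpackSealed(key, sealed)
	body, _ := LoginBody(l, t, "10000000-0000-0002-0000-000000000001")
	fmt.Println(PackPlain("john@example.com", "x12345y"), sealed, string(body), err)
}
```

Whichever form you hand out, the server still calls the Login API with its own API key (see the note quoted earlier), and revocation still happens in FusionAuth by deleting the user's Authentication Token; the sealed form only hides the login id and token from whoever sees the string. It remains a bearer credential, so keep it out of logs and treat it like a password in transport. Because AES-GCM authenticates as well as encrypts, a tampered or foreign token is rejected before any request reaches FusionAuth.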
                mou has marked this topic as solved on 19 Dec 2023, 17:43