1043334 - Create a self-service UI for managing oauth credentials

Status: RESOLVED FIXED

(Tree Management :: Treeherder: API, defect, P5)

Description

[Ed Morley [:emorley]]

Migrated from:
https://github.com/mozilla/treeherder-service/issues/152

lightsofapollo commented on 23 May:

{
What I propose is to use role based authentication + a hawk backend for clients. @jonasfj recently implemented a simple auth server on top of azure tables (we have a sec review going) and it includes a simple user interface to add clients.

A client would be granted a number of roles so it should be easier to provide granular access (as is done today) and more permissive access to multiple repos (and other capabilities later).

For example the current one-client-per repo would look like this:

    scope: ["treeherder-dev:repo:gaia-master"]

Multiple repos:

    scope: ["treeherder-dev:repo:gaia", "treeherder-dev:repo:gaia-master"]

All repos:

    scope: ["treeherder-dev:repo:gaia", "reeherder-dev:repo:*"]


I intentionally left out some implementation details let me know what you think... If this is a good path forward I can pick up this work (it's actually fairly easy). Note that I intentionally left room in the proposal above for both new roles (like treeherder-dev:add-repo) and added the "-dev" suffix to indicate that this role is for the dev treeherder, etc..
}

Comment 1

[Mauro Doglio [:mdoglio]]

This was implemented as part of bug 1160111. There is no support for authentication scopes because we don't need it yet.