There are tools such as bzexport that want to make bugzilla API requests without requiring the user to enter the password each time. One way this could be supported in a more secure way is to allow the user to create one or more API keys via the bugzilla interface, which would serve as a password-equivalent. The advantage would be that they would be revokable, trackable, and could potentially have individual permissions assigned to them. For example, a user could create an API key that would only allow creating new bugs, attachments, or comments, but not allow reading any existing data. Or an API key that would allow only reading bugs, and only non-security-sensitive bugs.  http://hg.mozilla.org/users/tmielczarek_mozilla.com/bzexport/
We have this in the trunk version of Bugzilla (as well as backported to BMO) which will do what you are asking. The relevant bug number is 893195. You can use User.login to get the toke and then pass the token for any subsequent requests. It acts like a cookie so it expires when cookies would normally expire. If the bzexport script is accessing BMO already, then the bzexport script could be updated to take advantage of the token auth support now. dkl
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 893195
This is similar to Bug 893195 but different. I'm developing a Bugzilla client but I don't want users to input there username and password on my app. Our request is exposing the token on the Bugzilla preferences. So the user can copy and paste it on our 3rd party client.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Created attachment 8338821 [details] Kanbanery API Token screenshot This is a screenshot of the Kanbanery account preferences. I'd like to see such a page in the Bugzilla preferences.
(In reply to Kohei Yoshino [:kohei] from comment #2) > This is similar to Bug 893195 but different. I'm developing a Bugzilla > client but I don't want users to input there username and password on my > app. Our request is exposing the token on the Bugzilla preferences. So the > user can copy and paste it on our 3rd party client. The Bugzilla token is simply a concatenation of the two session cookie values that Bugzilla sets for normal browser access. For example if my two cookies look like: Bugzilla_login: 5898 Bugzilla_logincookie: d435gfd545 Then you would just combine the two values to make token=5898-d435gfd545 and that will authenticate the user. The user could grab that from the cookie browser so not sure we need to have that visible from the prefs UI. dkl
(In reply to David Lawrence [:dkl] from comment #4) > The user could grab that from the cookie browser so not sure we need to have > that visible from the prefs UI. I think providing a token on the Bugzilla preference page is more user-friendly than the browser's Cookie Manager. People who choose 3rd party clients are not always power-users.
From a security point of view, it wouldn't be hard to force a user to view an evil attachment which would grab the content of that user pref page and steal the token, if attachment_base is not set.
Severity: normal → enhancement
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago → 5 years ago
OS: Windows 8 → All
Hardware: x86 → All
Resolution: --- → DUPLICATE
Duplicate of bug: 726696
I cannot access Bug 726696. Is there any plan to implement the functionality?
(In reply to Kohei Yoshino [:kohei] from comment #8) > I cannot access Bug 726696. Is there any plan to implement the functionality? Yes, this will be done soon.
Any ETA here?
You need to log in before you can comment on or make changes to this bug.