Closed
Bug 930192
Opened 11 years ago
Closed 11 years ago
add auth token/api key support to bugzilla
Categories
(Bugzilla :: User Accounts, enhancement)
RESOLVED
DUPLICATE
of bug 726696
People
(Reporter: vlad, Unassigned)
Attachments: 1 file (47.85 KB, image/png)
There are tools such as bzexport[1] that want to make bugzilla API requests without requiring the user to enter the password each time. One way this could be supported in a more secure way is to allow the user to create one or more API keys via the bugzilla interface, which would serve as a password-equivalent.
The advantage would be that they would be revokable, trackable, and could potentially have individual permissions assigned to them. For example, a user could create an API key that would only allow creating new bugs, attachments, or comments, but not allow reading any existing data. Or an API key that would allow only reading bugs, and only non-security-sensitive bugs.
[1] http://hg.mozilla.org/users/tmielczarek_mozilla.com/bzexport/
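A minimal sketch of the key model this request describes (revocable, trackable, with per-key permissions), added here as an illustration and not taken from Bugzilla's code. The scope names, `KeyStore` and its methods are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical scope names modelled on the permissions proposed in the request.
SCOPES = {"bug.create", "attachment.create", "comment.create", "bug.read_public"}

def _digest(raw_key: str) -> str:
    # Keys are long random strings, so an unsalted SHA-256 is sufficient here;
    # only the digest is stored, never the key itself.
    return hashlib.sha256(raw_key.encode()).hexdigest()

@dataclass
class ApiKey:
    user_id: int
    label: str
    scopes: frozenset
    digest: str
    revoked: bool = False
    last_used: Optional[datetime] = None

class KeyStore:
    def __init__(self):
        self._keys = {}  # digest -> ApiKey

    def create(self, user_id, label, scopes):
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        raw = secrets.token_urlsafe(32)  # shown to the user once, then discarded
        key = ApiKey(user_id, label, frozenset(scopes), _digest(raw))
        self._keys[key.digest] = key
        return raw

    def revoke(self, user_id, label):
        # Revocation is per key, so the account password is left untouched.
        for key in self._keys.values():
            if key.user_id == user_id and key.label == label:
                key.revoked = True

    def authorize(self, raw, needed_scope):
        """Return the user id if the key is live and carries the scope, else None."""
        key = self._keys.get(_digest(raw))
        if key is None or key.revoked or needed_scope not in key.scopes:
            return None
        key.last_used = datetime.now(timezone.utc)  # the "trackable" part
        return key.user_id
```
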
Comment 1•11 years ago
We have this in the trunk version of Bugzilla (as well as backported to BMO) which will do what you are asking. The relevant bug number is 893195. You can use User.login to get the token and then pass the token for any subsequent requests. It acts like a cookie so it expires when cookies would normally expire.
If the bzexport script is accessing BMO already, then the bzexport script could be updated to take advantage of the token auth support now.
dkl
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Comment 2•11 years ago
This is similar to Bug 893195 but different. I'm developing a Bugzilla client but I don't want users to input their username and password on my app. Our request is exposing the token on the Bugzilla preferences. So the user can copy and paste it on our 3rd party client.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 3•11 years ago
This is a screenshot of the Kanbanery account preferences. I'd like to see such a page in the Bugzilla preferences.
Comment 4•11 years ago
(In reply to Kohei Yoshino [:kohei] from comment #2)
> This is similar to Bug 893195 but different. I'm developing a Bugzilla
> client but I don't want users to input their username and password on my
> app. Our request is exposing the token on the Bugzilla preferences. So the
> user can copy and paste it on our 3rd party client.
The Bugzilla token is simply a concatenation of the two session cookie values that Bugzilla sets for normal browser access. For example, if my two cookies look like:
Bugzilla_login: 5898
Bugzilla_logincookie: d435gfd545
Then you would just combine the two values to make token=5898-d435gfd545 and that will authenticate the user.
The user could grab that from the cookie browser so not sure we need to have that visible from the prefs UI.
dkl
Comment 5•11 years ago
(In reply to David Lawrence [:dkl] from comment #4)
> The user could grab that from the cookie browser so not sure we need to have
> that visible from the prefs UI.
I think providing a token on the Bugzilla preference page is more user-friendly than the browser's Cookie Manager. People who choose 3rd party clients are not always power-users.
Comment 6•11 years ago
From a security point of view, it wouldn't be hard to force a user to view an evil attachment which would grab the content of that user pref page and steal the token, if attachment_base is not set.
Updated•11 years ago
Severity: normal → enhancement
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
OS: Windows 8 → All
Hardware: x86 → All
Resolution: --- → DUPLICATE
Comment 8•11 years ago
I cannot access Bug 726696. Is there any plan to implement the functionality?
Comment 9•11 years ago
(In reply to Kohei Yoshino [:kohei] from comment #8)
> I cannot access Bug 726696. Is there any plan to implement the functionality?
Yes, this will be done soon.
Comment 10•11 years ago
Any ETA here?
Comment 11•10 years ago
Now I can see Bug 726696 and Bug 1045145. Good to know.