
Provide reasonable method for bots to authenticate to Toolhub API
Closed, Resolved · Public

Description

The main authentication flow for Toolhub is an OAuth 2.0 handshake with metawiki. This is an interactive flow that is meant for human interaction.

The Toolhub API has a secondary authentication flow in the form of an OAuth 2.0 handshake with Toolhub itself. This is also an interactive flow that is meant for human interaction, but it generates tokens which can be renewed without human intervention. It is suited for use by a web service which is providing some value-added interaction with the write API actions.

A third currently unsatisfied use case is a Toolhub API authentication method that can be used to run a bot as the bot developer's own user. Essentially the need is for a https://www.mediawiki.org/wiki/Manual:Bot_passwords or https://www.mediawiki.org/wiki/OAuth/Owner-only_consumers workalike method which can be used by bot operators.

Event Timeline

The built-in TokenAuthentication system of Django REST Framework might be the easiest solution to implement for this. I think we would only need to:

  • Add rest_framework.authtoken to INSTALLED_APPS
  • Add rest_framework.authentication.TokenAuthentication to REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
  • Expose self-service token management (create, revoke) via the Toolhub API
  • Expose token management API via the Toolhub UI. This feels like it could fit in the "Developer settings" screen as a new tab.

To use this, a bot developer would use the Toolhub UI to authenticate and then generate a token. This token would then be directly used via an Authorization header when making authenticated API requests.

Another option would be to implement a client credentials grant workflow with the existing django-oauth-toolkit integration. This flow would require a similar amount of implementation work for the Toolhub backend however as it requires exposing a new type of grant registration via the API and UI. It would also require the implementing bots to add an initial step of exchanging the OAuth client id and secret for a Bearer token via an API call before then using the Bearer token via an Authorization header to make authenticated API requests.
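As an added illustration of the token-based flow proposed in the comment above (example code written for this page, not Toolhub's or Django REST Framework's own implementation), the following Python sketches both halves of it: the server side that parses an `Authorization: Token <key>` header (the keyword DRF's `TokenAuthentication` expects) and resolves it to a user, with self-service create and revoke, and the bot side that only has to attach that one header. The `TokenStore` class, the username and the hashed-at-rest storage are this example's own constructions; `rest_framework.authtoken` stores the key itself rather than a digest.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Keyword DRF's TokenAuthentication expects in the Authorization header.
TOKEN_KEYWORD = "Token"


def _fingerprint(token: str) -> str:
    """Store only a SHA-256 digest so a leaked table does not yield usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in (constructed for this example) for an owner-only token table.

    One token per user, matching the self-service create/revoke model above.
    """

    def __init__(self) -> None:
        self._user_by_fingerprint: Dict[str, str] = {}
        self._fingerprint_by_user: Dict[str, str] = {}

    def issue(self, username: str) -> str:
        """Create (or replace) the user's token; the plaintext is returned exactly once."""
        self.revoke(username)
        token = secrets.token_hex(20)  # 40 hex chars, same length as DRF's keys
        fp = _fingerprint(token)
        self._user_by_fingerprint[fp] = username
        self._fingerprint_by_user[username] = fp
        return token

    def revoke(self, username: str) -> bool:
        """Delete the user's token; returns False if there was none to revoke."""
        fp = self._fingerprint_by_user.pop(username, None)
        if fp is None:
            return False
        del self._user_by_fingerprint[fp]
        return True

    def lookup(self, token: str) -> Optional[str]:
        """Resolve a presented token to a username, comparing digests in constant time."""
        presented = _fingerprint(token)
        # Linear scan with a constant-time compare; fine for a small table.
        for fp, username in self._user_by_fingerprint.items():
            if hmac.compare_digest(fp, presented):
                return username
        return None


def parse_authorization(header: Optional[str]) -> Optional[str]:
    """Extract the key from 'Token <key>'; reject other schemes and malformed values."""
    if not header:
        return None
    parts = header.split()
    # Exactly two parts: the keyword (case-insensitive, as in DRF) and the key.
    if len(parts) != 2 or parts[0].lower() != TOKEN_KEYWORD.lower():
        return None
    return parts[1]


def authenticate(store: TokenStore, headers: Dict[str, str]) -> Optional[str]:
    """Server side: map a request's headers to the bot owner's username, or None."""
    token = parse_authorization(headers.get("Authorization"))
    if token is None:
        return None
    return store.lookup(token)


def bot_headers(token: str) -> Dict[str, str]:
    """Bot side: the only header the bot adds to each API request."""
    return {"Authorization": f"{TOKEN_KEYWORD} {token}"}


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("example-bot-user")  # constructed username
    print(authenticate(store, bot_headers(token)))  # example-bot-user
    store.revoke("example-bot-user")
    print(authenticate(store, bot_headers(token)))  # None
```

Revoking a token is a single row deletion on the server, which is the operational advantage over the client-credentials grant also discussed: the bot never holds a secret that must first be exchanged for a short-lived bearer token, and there is nothing to refresh.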

Change 713369 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] api: Add endpoints for managing owner-only authtokens

https://gerrit.wikimedia.org/r/713369

Change 713561 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] ui: Add tab to DeveloperSettings for managing authentication token

https://gerrit.wikimedia.org/r/713561

bd808 moved this task from Backlog to Review on the Toolhub board.

Change 713369 merged by jenkins-bot:

[wikimedia/toolhub@main] api: Add endpoints for managing owner-only authtokens

https://gerrit.wikimedia.org/r/713369

Change 713561 merged by jenkins-bot:

[wikimedia/toolhub@main] ui: Add tab to DeveloperSettings for managing authentication token

https://gerrit.wikimedia.org/r/713561