Productize app tokens for service integration #10292
cc @tbsbdr @dragotin @micbar @wkloucek The code to support this scope / use case is implemented and documented but needs a security review.
Security Code Review
Tasks
@kobergj @DeepDiver1975 Please add more if needed.
The impersonation API uses the The request below contains The API response doesn't contain any information that allows Admin to determine who the token bearer is.
Needs more info before closing.
Checklist:
@mmattel Fine from ENG POV, could you check if the dev docs are sufficient?
We have an initial implementation for app tokens, but it is disabled by default and marked as experimental.
App tokens are intended to be generated by end users so they can integrate legacy tools that do not support OIDC. However, the current implementation cannot scope the token, which is one of the reasons why we marked this as experimental.
There is another use case that we can productize already. The admin can generate app tokens for system accounts used by external services that can then interact with the graph api, e.g. to manage space membership.
The latter does not need to expose the token generation endpoint, as only admins can generate tokens. A PR for the helm chart that adds this as a feature is in owncloud/ocis-charts#767.