Updated by Niels Lindenthal almost 11 years ago
**As** an OpenProject.com user
**I want** to authenticate against OpenProject API v3 using basic auth
**so that** I can securely access my resources.
**Acceptance criteria**
- basic auth for API v3
- solution that allows adding (or replacing) authentication methods (e.g. access token) beyond basic auth
- scope: limited to API v3 (not OpenProject in general) for now
**Technical Solution Concept**
- OpenProject::Authentication API
  - add/remove/replace authentication methods (from core and plugins)
  - support for scopes (web, API v2, API v3, danger zone)
- separate authentication from authorization
  - authorization based on the authenticated user object (use existing OpenProject authorization)
  - needs to be extended to support user-independent authorization (e.g. privileges in access tokens, a system user as used by reeve, zacero and other non-user-based API clients)
- Implement two gems for:
  - global basic auth (service admin access, configured through configuration.yml - for com apps)
  - user basic auth (using user credentials - for users, add-ins, etc.)
- add gems to core dependencies (Gemfile)
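An added illustration of this concept, not OpenProject's implementation (module, class and method names are assumed): a per-scope registry whose strategies can be added, removed or replaced, with a global basic-auth strategy backed by a constructed stand-in for configuration.yml and a user basic-auth strategy backed by a constructed user store; authentication returns a principal and leaves authorization to a separate step.

```ruby
require 'base64'
# Added sketch, not OpenProject code: a per-scope registry of strategies that can
# be added, removed or replaced, plus two HTTP Basic strategies (global
# service-admin credentials vs. per-user credentials).
module AuthSketch
  Strategy = Struct.new(:name, :callable)

  class Registry
    def initialize; @scopes = Hash.new { |h, k| h[k] = [] }; end
    def add(scope, name, &blk) # re-adding under an existing name replaces it
      remove(scope, name)
      @scopes[scope] << Strategy.new(name, blk)
    end
    def remove(scope, name); @scopes[scope].reject! { |s| s.name == name }; end
    # Authentication only: first strategy yielding a principal wins (nil if none);
    # authorization is a separate step that consumes that principal.
    def authenticate(scope, env)
      @scopes[scope].lazy.map { |s| s.callable.call(env) }.find(&:itself)
    end
  end
  # Parse "Authorization: Basic <base64(user:pass)>" into [user, pass] or nil.
  def self.basic_credentials(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    return nil unless header.start_with?('Basic ')
    decoded = Base64.strict_decode64(header[6..-1]) rescue nil # nil on malformed base64
    user, pass = decoded.to_s.split(':', 2)
    pass.nil? ? nil : [user, pass]
  end
  # Constant-time comparison so a wrong password does not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  GLOBAL = { user: 'apiadmin', password: 'constructed-secret' }.freeze # stand-in for configuration.yml
  USERS  = { 'alice' => 'wonderland' }.freeze                           # constructed user store

  def self.build_registry
    reg = Registry.new
    reg.add(:api_v3, :global_basic_auth) do |env|
      u, pw = basic_credentials(env)
      { service_admin: true } if u && secure_equal?(u, GLOBAL[:user]) && secure_equal?(pw, GLOBAL[:password])
    end
    reg.add(:api_v3, :user_basic_auth) do |env|
      u, pw = basic_credentials(env)
      { user: u } if u && USERS[u] && secure_equal?(pw, USERS[u])
    end
    reg
  end
end
```

Registering the strategies under `:api_v3` only means a request in the `:web` scope authenticates to nothing, which is the scoping the concept asks for.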
**Out of scope**
- warden for core authentication (session, rss, atom, API v2)
**WIP Sketches**
https://gist.github.com/machisuji/2bdace0117c630972791
https://docs.google.com/drawings/d/1F5kwj8S-QpWT5T8B2HKLdGePZjfHjrN9oCPQmjhKY3Q/edit?usp=sharing