FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Implementing GitHub-like "Personal Access Tokens"

    Scheduled Pinned Locked Moved Solved
    Q&A
    2
    7
    779
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mou
      last edited by

      Hello, everyone!

      I'm reaching out to the community for insights on a scenario that I initially thought was common, but I'm struggling to find examples or guides. Perhaps my assumptions were off, or I might not be using the right search terms.

      Here's our situation: We're in the process of meticulously designing a robust Authorization and API framework using Entity Framework for our customers. However, this is a time-consuming process, and we're concurrently preparing to launch an MVP for our product.

      To add immediate value for our users, especially in a dev/infra SaaS context, we're considering implementing a feature for users to generate long-lived access tokens. These tokens would be used in their scripts and automation tasks. The most notable implementation of such a feature can be found in GitHub.

      The envisioned user flow is as follows:

      1. The user navigates to their profile.
      2. They access a specific section dedicated to API integration.
      3. Upon clicking "Generate Personal Access Token," they see a token that can be easily copied.
      4. The user can then use this token for API interactions, with actions being internally authorized via FusionAuth. Additionally, there's an option to revoke or delete the token as needed.

      Our rationale behind this approach is to establish a straightforward Proof of Concept (PoC) for API authorization. This allows us to hit the market sooner, while gradually evolving our API authorization infrastructure to be more sophisticated over time.

      I'm keen to know if anyone has implemented a similar feature using FusionAuth. Any examples, recipes, or best practices would be immensely helpful.

      Thanks in advance for your insights!

      mark.robustelliM 1 Reply Last reply Reply Quote 0
      • mark.robustelliM
        mark.robustelli @mou
        last edited by

        @mou, Is this what you are looking for? https://fusionauth.io/docs/lifecycle/authenticate-users/application-authentication-tokens

        M 1 Reply Last reply Reply Quote 2
        • M
          mou @mark.robustelli
          last edited by

          @mark-robustelli Thank you for your answer. Indeed, we are considering this option as a last resort. Because Application Authentication tokens are "replacement" for passwords. It is not enough to provide only this token to identify the user, and login identifier should be provided alongside. It is somehow different from reference GitHub implementation.

          mark.robustelliM 1 Reply Last reply Reply Quote 0
          • mark.robustelliM
            mark.robustelli @mou
            last edited by mark.robustelli

            @mou Did you get to the bottom of that page? (Enabling Authentication Tokens and Generating Authentication Tokens). Those are per user. Is there a reason this won't work?

            I did see this note that might help your use case.

            Note that you must provide a valid API key unless you’ve also unchecked the Require an API key setting in the Login API Settings.

            M 1 Reply Last reply Reply Quote 0
            • M
              mou @mark.robustelli
              last edited by

              @mark-robustelli yes. We even tested it. However, the ideal case for end users would be to provide a single token for API calls. But passing Authentication Token to Login API requires to specifying user login (in our case, email). Here is an example request from documentation.

              {
  "loginId": "example@fusionauth.io",
  "password": "52h3h9fsjOn2Eh0+NBT3Kf6NcWFHbJ7oPD0sFsHMQps=",
  "applicationId": "10000000-0000-0002-0000-000000000001",
  "ipAddress": "192.168.1.42"
}
              mark.robustelliM 1 Reply Last reply Reply Quote 0
              • mark.robustelliM
                mark.robustelli @mou
                last edited by

                @mou I don't think there is anything that would allow you to create a personal access token as you are describing it. You may be about to "workaround" that by managing the token a bit. Since the user has to login to get the token, you could get the personal token and embed the user name. i.e. on the getoken your code could get the token for the user and then append the email before you sent it to the client. It would look something like:

                user:john@example.com

                Get Token -> x12345y

                Append User: john@example.com:x12345y
                base64 encode: IGpvaG5AZXhhbXBsZS5jb206eDEyMzQ1eQ==

                give that to the user, then in your app, when you receive it, base64decode it, giving you the username and token for the user.

                Is that something that might work for you?

                M 1 Reply Last reply Reply Quote 0
                • M
                  mou @mark.robustelli
                  last edited by

                  @mark-robustelli Thank you. It is an interesting workaround. I think if we apply encryption on top of the generated string value, it will not disclose user's login.

                  1 Reply Last reply Reply Quote 0
                  • M mou has marked this topic as solved on
                  • First post
                    Last post

                  Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.