Description
Is your feature request related to a problem? Please describe.
Consider these audit log entries:
The action in the bottom entry was performed using a user's personal Admin API token. The action in the top was performed using an organisation API key, but we have no visibility on which key.
This lack of traceability and inability to delegate a user's access to other applications makes it difficult to build complex integrations that users interact with. For example, if a customer wants to build an internal dashboard to view/control flags in a very specific way, they can only integrate this application with one API key that has permissions to do everything. If they want more detailed access control or audit logs, they have to implement it themselves.
Describe the solution you'd like.
We should include some context on how an action performed by an API key happened, i.e. mention the specific key name/prefix/etc., or at a minimum mention that it was done by an organisation API key instead of leaving the User field blank.
Describe alternatives you've considered
This is a much larger effort, but one alternative would be to implement OAuth for the Admin API, i.e. Flagsmith acting as the resource server. This would let applications integrate with Flagsmith so that they can interact with the Admin API directly using a user's token, which bypasses the problem of doing too much with a single organisation API key.
These OAuth tokens would be short-lived and could have the same permission the user already does, or a subset.
This could also open the door for third parties to build their own custom integrations, which can be reused by any customer without having to hardcode API keys or implement another layer of authorisation/traceability on top of Flagsmith.
Example: https://launchdarkly.com/docs/integrations/partner-integrations/oauth-client-registration
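The two ideas above (attributing audit entries to the specific API key that acted, and delegated tokens limited to a subset of a user's permissions) as one added Python example. This is illustrative code written for this issue, not Flagsmith's own implementation; the in-memory key and user stores, the `record`, `register_org_key` and `issue_delegated_token` helpers, and the sample key and user values are all constructed here.

```python
"""Added example, not Flagsmith code: audit attribution for org API keys and
short-lived delegated tokens whose scopes never exceed the user's own."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Iterable

# Constructed, hypothetical stores standing in for real persistence.
ORG_API_KEYS: dict = {}  # key prefix -> {"name": ..., "digest": sha256 of secret}
USERS = {"alice@example.com": {"feature:read", "feature:write", "env:read"}}

PREFIX_LEN = 8  # how much of a key is safe to show in an audit entry


@dataclass
class AuditEntry:
    action: str
    actor_kind: str        # "user", "org_api_key" or "delegated_token"
    actor: str             # user email, or key name + prefix
    via: Optional[str] = None  # client application for delegated tokens


def _digest(secret: str) -> str:
    # Store only a hash; the audit log must never carry the full key.
    return hashlib.sha256(secret.encode()).hexdigest()


def register_org_key(name: str, secret: str) -> str:
    prefix = secret[:PREFIX_LEN]
    ORG_API_KEYS[prefix] = {"name": name, "digest": _digest(secret)}
    return prefix


def resolve_org_key(secret: str) -> Optional[str]:
    """Return a human-readable, non-secret label for a valid key, else None."""
    rec = ORG_API_KEYS.get(secret[:PREFIX_LEN])
    if rec is None or not hmac.compare_digest(rec["digest"], _digest(secret)):
        return None
    return f'{rec["name"]} ({secret[:PREFIX_LEN]}...)'


@dataclass(frozen=True)
class DelegatedToken:
    user: str
    client: str
    scopes: frozenset
    expires_at: float


def issue_delegated_token(user: str, client: str, requested: Iterable[str],
                          ttl: int = 600, now: Optional[float] = None) -> DelegatedToken:
    # Grant the intersection only: a client can never act beyond the user.
    granted = frozenset(requested) & frozenset(USERS[user])
    issued = now if now is not None else time.time()
    return DelegatedToken(user, client, granted, issued + ttl)


def authorize(token: DelegatedToken, scope: str, now: Optional[float] = None) -> bool:
    current = now if now is not None else time.time()
    return current < token.expires_at and scope in token.scopes


def record(action: str, *, user: Optional[str] = None,
           org_key_secret: Optional[str] = None,
           token: Optional[DelegatedToken] = None) -> AuditEntry:
    """Build an audit entry that always names the acting credential."""
    if token is not None:
        return AuditEntry(action, "delegated_token", token.user, via=token.client)
    if org_key_secret is not None:
        label = resolve_org_key(org_key_secret)
        if label is None:
            raise PermissionError("unknown or invalid organisation API key")
        return AuditEntry(action, "org_api_key", label)
    if user is None:
        raise ValueError("an action must have an actor")
    return AuditEntry(action, "user", user)


if __name__ == "__main__":
    register_org_key("ci-bot", "orgkey12345678-constructed-secret")
    print(record("Flag state updated", org_key_secret="orgkey12345678-constructed-secret"))
    tok = issue_delegated_token("alice@example.com", "internal-dashboard",
                                {"feature:write", "project:delete"})
    print(tok.scopes, record("Flag state updated", token=tok))
```

The audit entry carries the key's name and an 8-character prefix, enough to identify which key acted without exposing the secret; the delegated token's scopes are clamped to what the user already holds and expire after a short TTL.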
Additional context
No response