
Bring OAuth and API key system closer together #1934

@ThiefMaster


Currently we have:

  • API keys: One per user, they grant full access with whatever permissions the associated users have
  • OAuth tokens: Tied to an application, they only grant specific permissions

This requires you to use the full-access API key if you want to use it in a custom application (since not everyone can add new OAuth apps on Indico, and the OAuth flow is not very nice if you don't have something used by multiple users - e.g. drupal feeds on your site).


There is a much cleaner way, similar to what GitHub does:

  • Users can create OAuth-token-like keys and select the scopes they are granted
  • Instead of API keys you use these tokens
  • They can be revoked at any time and are usually specific to one external application, so if one is compromised you don't have to reset all of them, as is the case with the current API key system

Migration-wise, existing API keys could be simply converted to a token with full permissions.

The only disadvantage I see is that signatures would probably go away. However, considering that OAuth doesn't use signatures either and pretty much no APIs nowadays go through all the trouble of signing requests I think that wouldn't be a problem. At least when HTTPS is being used, which should be the case anyway.


This would obviously be something for once the migration is finished - e.g. 2.0 or 2.1. Personally I'd go for 2.0 if we do this and have time between finishing the migration, cleaning things up, and releasing the version. That way there would be no "big" changes related to this in 2.1.
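A sketch of the token model proposed in the issue, as an added example (not Indico's code and not the author's implementation): per-user tokens with a fixed scope set, stored only as a hash, revocable individually, plus a migration path that turns an existing full-access API key into a full-scope token so existing clients keep working. The scope names, the `tok_` prefix, the `TokenStore` class and the sample key are all assumptions made for the example.

```python
"""Scoped personal-access tokens: issue, check scope, revoke, migrate legacy keys.

Added example; not Indico's code. All names and scopes are hypothetical.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical scope names for the example; Indico's real scopes are not assumed.
ALL_SCOPES = frozenset({"read:user", "read:events", "write:events"})


@dataclass
class Token:
    user_id: int
    app_name: str        # which external application this token is for
    scopes: frozenset    # subset of ALL_SCOPES granted to this token
    digest: str          # SHA-256 of the secret; the plaintext is never stored
    revoked: bool = False


class TokenStore:
    """In-memory store keyed by token digest (a database table in practice)."""

    def __init__(self):
        self._by_digest = {}

    @staticmethod
    def _digest(secret: str) -> str:
        # Lookup by one-way hash: a leaked table does not yield usable secrets,
        # and the dict lookup compares digests, not the secret itself.
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue(self, user_id: int, app_name: str, scopes) -> tuple[str, Token]:
        scopes = frozenset(scopes)
        unknown = scopes - ALL_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        # 256 bits of randomness; the "tok_" prefix is an assumption (GitHub-style)
        # that makes accidental commits of tokens easy to grep for.
        secret = "tok_" + secrets.token_urlsafe(32)
        token = Token(user_id, app_name, scopes, self._digest(secret))
        self._by_digest[token.digest] = token
        return secret, token  # the secret is shown to the user exactly once

    def migrate_api_key(self, user_id: int, legacy_key: str) -> Token:
        """Convert an existing full-access API key into a full-scope token."""
        token = Token(user_id, "migrated API key", ALL_SCOPES, self._digest(legacy_key))
        self._by_digest[token.digest] = token
        return token

    def revoke(self, token: Token) -> None:
        token.revoked = True

    def authenticate(self, secret: str, required_scope: str):
        """Return (user_id, 'ok') or (None, reason) for a presented secret."""
        token = self._by_digest.get(self._digest(secret))
        if token is None:
            return None, "unknown token"
        if token.revoked:
            return None, "token revoked"
        if required_scope not in token.scopes:
            return None, "insufficient scope"
        return token.user_id, "ok"


def demo() -> dict:
    """Walk through the scenario from the issue with constructed data."""
    store = TokenStore()
    feed_secret, feed_token = store.issue(42, "drupal feed", {"read:events"})
    sync_secret, _ = store.issue(42, "event sync script", {"read:events", "write:events"})
    legacy_key = "0123456789abcdef0123456789abcdef"  # constructed legacy API key
    store.migrate_api_key(42, legacy_key)

    results = {
        "feed_read": store.authenticate(feed_secret, "read:events"),
        "feed_write": store.authenticate(feed_secret, "write:events"),
        "legacy_write": store.authenticate(legacy_key, "write:events"),
        "garbage": store.authenticate("tok_not-a-real-token", "read:events"),
    }
    # Compromised feed token: revoke only that one, the sync script keeps working.
    store.revoke(feed_token)
    results["feed_after_revoke"] = store.authenticate(feed_secret, "read:events")
    results["sync_after_revoke"] = store.authenticate(sync_secret, "write:events")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The store never keeps the plaintext secret, so a revoked or leaked database row cannot be replayed as a token; the migration step simply re-registers the hash of the old API key with every scope, which is what "converted to a token with full permissions" amounts to in practice.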
