New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API: Add support for OAuth2 Client Credentials and Access Tokens #3943
Comments
Signed-off-by: Michael Mayer <michael@photoprism.app>
I will push my changes and provide an updated preview build for testing as soon as the new CLI commands (almost done) and the scope-based authorization checks are implemented, so probably early next week :) |
This adds standard OAuth2 client credentials and bearer token support as well as scope-based authorization checks for REST API clients. Note that this initial implementation should not be used in production and that the access token limit has not been implemented yet. Signed-off-by: Michael Mayer <michael@photoprism.app>
My last commit adds standard OAuth2 client credentials and bearer token support as well as scope-based authorization checks for REST API clients:
|
Here's what I think is still needed to make this releasable:
|
I'll happily take on documentation tasks related to the setup of prometheus :-) |
If you would like to test the new curl -Ss -X POST http://localhost:2342/api/v1/oauth/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=metrics&client_id=ID&client_secret=SECRET' Simply replace |
Signed-off-by: Michael Mayer <michael@photoprism.app>
You can now run "photoprism auth add" to create new client access tokens that allow external applications to use the built-in REST API. Signed-off-by: Michael Mayer <michael@photoprism.app>
Signed-off-by: Michael Mayer <michael@photoprism.app>
With the commits referenced above, you can now create personal access tokens for authentication with our API without having to first register an OAuth2 client application, e.g. by running the following command in a terminal:
To see all supported command flags:
Note that there is no updated development preview for testing yet. So if you want to try this, you will need to build from source until we feel it has been tested enough to make it available to everyone. |
@Radiokot I've started working on a To complete this, it would be good to know which fields you actually need? We currently don't use JWT tokens, so the related fields don't seem to be necessary and could be left blank or omitted depending on what is most compatible/easiest for API clients to handle? Please also let us know if there are any other service discovery endpoints we should add :) |
@lastzero in order to initialize the mobile OpenID connector, only the following fields are required:
|
@Radiokot To authenticate with the API, you can currently create an Alternatively, you can use the An |
@lastzero if, as we discussed earlier, if the user will be able to create a perpetual access token for a third-party app in the web interface, then it makes sense to add auth by token as an alternative to username+password, and in this case the app has nothing to do with If PhotoPrism itself is going to be an OAuth/OpenID server, then the apps will be able to get access tokens through the Authorization Code Flow, allowing the user to sign in and grant the access on a web page. In this case, I don't think, however, that you should spend time implementing the authorization endpoint, at least for the first release. For me, having the ability to create an access token in the web app and then paste it to the 3rd party app is enough. |
@Radiokot A simple {
"issuer": "http://localhost:2342/",
"authorization_endpoint": "",
"token_endpoint": "http://localhost:2342/api/v1/oauth/token",
"registration_endpoint": "",
"response_types_supported": [
"token"
],
"response_modes_supported": [],
"grant_types_supported": [
"client_credentials"
],
"subject_types_supported": [],
"scopes_supported": [
"shares",
"videos",
"places",
"feedback",
"folders",
"favorites",
"albums",
"moments",
"logs",
"metrics",
"photos",
"calendar",
"people",
"settings",
"services",
"users",
"files",
"labels",
"config",
"password",
"webdav"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"claims_supported": [],
"code_challenge_methods_supported": [],
"introspection_endpoint": "",
"introspection_endpoint_auth_methods_supported": [],
"revocation_endpoint": "http://localhost:2342/api/v1/oauth/revoke",
"revocation_endpoint_auth_methods_supported": [
"none"
],
"end_session_endpoint": "",
"request_parameter_supported": false,
"request_object_signing_alg_values_supported": [],
"device_authorization_endpoint": "",
"dpop_signing_alg_values_supported": []
} While implementing this, I also added a |
This is to prevent prometheus and keycloak from starting automatically and allows developers to run them only when needed, see: https://docs.docker.com/compose/profiles/ Signed-off-by: Michael Mayer <michael@photoprism.app>
Signed-off-by: Michael Mayer <michael@photoprism.app>
Signed-off-by: Michael Mayer <michael@photoprism.app>
Signed-off-by: Michael Mayer <michael@photoprism.app>
Signed-off-by: Michael Mayer <michael@photoprism.app>
An updated preview build is now available on Docker Hub for final testing:
Any help with that is much appreciated! 🎉 |
Signed-off-by: Michael Mayer <michael@photoprism.app>
Signed-off-by: Michael Mayer <michael@photoprism.app>
I have added the CLI command documentation to the User Guide, so that it's easy to find: Any contributions that help improve the API documentation and make it easier to use for developers would be much appreciated: We also plan to work on that, but we don't know when we will get to it due to the many other things on our plate. |
@lastzero The documentation was very clear! Upgraded photoprism and hooked it into my prometheus instance without a hitch! Thanks for your amazing efforts 🙌 I'll buy you a beer next time I'm in Berlin! |
External applications must be able to authenticate with OAuth2 Client Credentials in order to obtain valid Access Tokens for communication with our REST API.
Further OAuth2 use cases and authentication options are beyond the scope of this issue. They may be added over time after this has been implemented.
Acceptance Criteria:
POST /api/v1/oauth/token
endpoint for creating access tokens, this includes (b) adding support for standard Bearer Token authentication headers and (c) a minimum of scope-based authorization checks.GET /api/v1/metrics
endpoint with authentication so that it won't need to be publicly accessible: API: Expose Prometheus-style metrics endpoint #3730Related Issues:
Protocol References:
Authentication Libraries:
Documentation Examples:
The text was updated successfully, but these errors were encountered: