Continuing previous musings on API tokens. Discussed this briefly with Daniel on IRC, and we came to the decision that going for the approach of using standard client credentials is the better way over inventing a non-standard API token format and protocol for using them.

Thus the approach is as follows:

  • User logs into web application to create a new API client. User gives them a name, which gets prefixed by their username. Thus, if user "igor" creates a client called "slab", the actual client id is "igor/slab". Qvisqve creates the client, and shows the user the client id and client secret. The secret is generated by Qvisqve.

    The client id prefix is there to make it easier to see whose client it is.

    The client gets given a list of allowed scopes. This is a subset of the ones the user has at the time of client creation. The user may choose to allow only some of the scopes for the client.

    The client gets an attribute "sub", which gets assigned a value identifying the user who created the client.

  • The Qvsiqve API for creating clients also sets the sub attribute from the token. (The web application uses the same API endpoint.)

  • An API client with a suitable scope gets to set or remove the sub field of a client it creates or updates.

  • When a client requests an access token use OAuth2 client credentials, the token's sub field is set according to the client's sub attribute, if it is set.

    An access token will have scopes that are the intersection of scopes the client requested, that the client is allowed to get, and the user is allowed to get, at the time of the token being granted.

  • Qvisqve will eventually allow users to manage their own applications: remove the client, reset the client secret (Qvisqve generates and sets a new one), add and remove scopes (from the set of scopes the client has).

  • Also eventually, Qvisqve will add groups, but that's not relevant yet.

Added (suggested by Daniel): Clients should NOT be given a scope to add new clients. It may be worthwhile to have Qvisqve enforce that. Only users should be able to do that.