Implement Token Authentication #2432
Do we need a config option so that someone can disable this (like
All very good questions. In the meantime I forgot what I actually wanted to use this for ;-) I guess it would make sense to split off the Profile UI changes from the token auth changes....
Hi, great to see it implemented, thank you!
Please note that this PR has been updated to:
XMLRPC is a rather outdated and old-fashioned protocol not much in use anymore. Developers prefer simpler, JSON-based APIs. This adds a new "JSONRPC" API. Basically it exposes exactly the same method calls as the XMLRPC API but using JSON instead of XML. It's not a classical REST API, but should be just as easy to use for developers. Here is an example call using CURL:

```
curl http://localhost/dokuwiki/lib/exe/jsonrpc.php \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" \
     -d '["wiki"]'
```

Please note that the above uses the token auth implemented in #2432. Authentication via basic auth or cookies would work as well.
Can you add something to the UI to make it easier to copy the token? A copy icon would be nice, but selecting the whole textarea on focus would be nice too.
I'm trying to use this with oauth and oauthazure plugins and xmlrpc calls and the code is skipped right in the beginning:

```php
function auth_tokenlogin() {
    global $USERINFO;
    global $INPUT;
    /** @var DokuWiki_Auth_Plugin $auth */
    global $auth;
    if(!$auth) return false; // <- returns here
```

I've applied this patch directly against the 2023-04-04 release, is there something else needed (i.e. changes after the 2023-04-04 release)?

EDIT: Never mind, the authorization header was lowercased for me:
@splitbrain aside from the lowercase headers problem this works fine for me with azure oauth.
This generates a JWT token for users. This token can be sent in a Bearer authentication header as a login mechanism. Users can reset their token in the profile. Note: a previously suggested implementation used a custom token format, not JWT tokens.
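The Bearer JWT login described in the commit message above, combined with the lowercased `authorization` header reported earlier in the thread, as an added example that is not code from this PR or from DokuWiki. The HS256 algorithm, the `sub` claim, the function names and the secret are assumptions made for illustration.

```php
<?php
// Added example, not DokuWiki code. HS256, the "sub" claim and the secret are assumptions.

/** Header and scheme names are case-insensitive; HTTP/2 and some proxies lowercase them. */
function bearer_token(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') !== 0) continue;
        if (preg_match('/^Bearer\s+(\S+)$/i', trim($value), $m)) return $m[1];
    }
    return null;
}

function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

/** Returns the decoded bytes, or false on malformed input. */
function b64url_decode(string $s)
{
    $s = strtr($s, '-_', '+/');
    return base64_decode(str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '='), true);
}

/** Returns the claims of a correctly signed token, or null. */
function verify_jwt(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h64, $p64, $s64] = $parts;
    $header = json_decode((string) b64url_decode($h64), true);
    // Pin the algorithm on the server instead of trusting the token's own header.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null;
    $given = b64url_decode($s64);
    $expected = hash_hmac('sha256', "$h64.$p64", $secret, true);
    if ($given === false || !hash_equals($expected, $given)) return null; // constant-time
    $claims = json_decode((string) b64url_decode($p64), true);
    return (is_array($claims) && isset($claims['sub'])) ? $claims : null;
}

// Constructed sample data.
$secret = 'constructed-demo-secret';
$head = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$body = b64url_encode(json_encode(['sub' => 'alice']));
$jwt = "$head.$body." . b64url_encode(hash_hmac('sha256', "$head.$body", $secret, true));
$headers = ['authorization' => "Bearer $jwt"]; // lowercased name, as reported in the thread
var_dump(verify_jwt((string) bearer_token($headers), $secret)['sub'] ?? null);
var_dump(verify_jwt($jwt . 'x', $secret)); // signature no longer matches
```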
Rebased on current master
change case commit message has typo: d26e5a2.
Is it possible to disable token auth? Is there a config option?
This implements #2431. Users can set up the token in their profile. Requests that send the token in an authorization header will be authorized automatically:
The token has two parts: the first part encodes the user (using MD5), the second part is the actual random token.
The PR also refactors the Profile-View into an UI class.