Request Token with less permission than an installation


#1

Hi there,

I’m looking at authentication, which explains how to request an authentication token; the permission page also mentions that:

Integrations are created with a fixed set of permissions. These define what resources the integration can access via the API. The permissions cannot be modified after they are created.

Is it possible, though, to require an authentication token with less scope than my integration/installation?

In particular I need to take some action depending on whether a comment comes from a repository collaborator, so I requested /repositories/:repository_id/collaborators/:collab. I’d like to pass a token to another service, under my control as well (but it might not be), to post a comment, so I’d like the token I pass to this service to only be able to post comments.

Is that possible? Is that planned? Would that be something desirable?

Thanks,


#2

Hey @Carreau,

Is it possible, though, to require an authentication token with less scope than my integration/installation?

No, this is not currently possible, but I’ve opened an internal issue to discuss the request. We’ll follow up here if we have more thoughts.

I’d like to pass a token to another service, under my control as well (but it might not be) to post a comment

We’d discourage the passing of tokens between services like this unless both services are owned by you, so I’d be curious to know more about what you mean by “under my control as well (but it might not be)” before weighing in on whether that’s desirable or not.


#3

Hi @jmilas,

Thanks for your reply and for opening an internal issue.

One example would be spawning a docker container to do some git operations on a repo and push the result back on a branch, potentially after a build step. The cloning would happen via git clone https://x-token-access:$token/org/repo, (some operations) and then push on a branch. As a build step (for example Python) could execute arbitrary code, I would prefer this token to only have push access. (Well, technically I would like to generate a token that can only push on a specific org/repo/branch, but I’m not hoping for that much).

While I, or my organisation, would (ultimately) control all the code/deployment, I want to be able to put a task in a queue (with a token) so that this token has (only) the permissions the task needs.
The task code might not be written by me, but by another team. If I can focus on only auditing the permission requests and the code that actually requires crazy permissions, the security aspect becomes a tiny bit easier. Just a question of safety in case there is a breach or a bug.

Generally I (rarely) need write permission to a repository; most of the time I’d like to work in a read-only manner.

Technically I could implement it myself: write a proxy that substitutes the integration token for its own, keep a map of newtoken => permissions and check on each request that the newtoken allows the given request, and if so put back the original token. That seems like a hassle to implement if it’s not too hard on your side.

I might just be paranoid with security.

Does that make some sense?
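
The scoped-token proxy sketched in this post, written out as an added illustration (this is not code from the thread, from the original poster, or from GitHub): the proxy mints its own short-lived tokens, maps each one to the only (method, path) requests it may make, and substitutes the real installation token only when a request is within that scope. It assumes the issue-comment endpoint has the `/repos/{owner}/{repo}/issues/{n}/comments` shape of the public REST API, and the upstream token value is a placeholder.

```python
import posixpath
import re
import secrets
from urllib.parse import unquote, urlsplit

# Placeholder standing in for the integration's real installation token.
UPSTREAM_TOKEN = "INSTALLATION_TOKEN_PLACEHOLDER"

# Scoped tokens minted by the proxy, each mapped to the only requests it may make.
# A rule is (HTTP method, regex that the normalised request path must fully match).
SCOPED_TOKENS = {}


def mint_scoped_token(rules):
    """Mint a random token that is allowed only the given (method, path_regex) rules."""
    token = secrets.token_urlsafe(32)
    SCOPED_TOKENS[token] = [(m.upper(), re.compile(p)) for m, p in rules]
    return token


def revoke_scoped_token(token):
    """Drop a scoped token; later requests presenting it are refused."""
    SCOPED_TOKENS.pop(token, None)


def authorize(scoped_token, method, url):
    """Return the upstream Authorization header value if the request is in scope, else None.

    The path is percent-decoded and normalised before matching, so '..' segments
    or encoded separators cannot be used to reach a path outside the allowed rule.
    """
    rules = SCOPED_TOKENS.get(scoped_token)
    if rules is None:
        return None
    path = posixpath.normpath(unquote(urlsplit(url).path))
    for allowed_method, pattern in rules:
        if method.upper() == allowed_method and pattern.fullmatch(path):
            return "token " + UPSTREAM_TOKEN
    return None


if __name__ == "__main__":
    # Constructed example: a token that may only post issue comments on one repo
    # (the endpoint shape is assumed from the public REST API).
    comment_only = mint_scoped_token([("POST", r"/repos/org/repo/issues/\d+/comments")])
    print(authorize(comment_only, "POST", "https://api.github.com/repos/org/repo/issues/12/comments"))
    print(authorize(comment_only, "GET", "https://api.github.com/repos/org/repo/collaborators/alice"))
```

Requests outside the map, revoked tokens, and path-traversal attempts all yield `None`, so the proxy never forwards the real installation token for them.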


#4

Thanks for the additional details. That makes sense.

That seems like a hassle to implement if it’s not too hard on your side.

We’ll discuss and let you know if this is something we’d be likely to implement or if we have additional questions.


#5

We’ll discuss and let you know if this is something we’d be likely to implement or if we have additional questions.

Sure, I would completely understand if you decide not to. Thanks for taking the time to respond to me and for all the good documentation and care you take even for beta APIs!