RFC : Host Registration Extension

Well it’s been a while since I pushed the PRs [0][1], but after a quick look:

  • Permissions need to be handled properly [2]
  • We already have personal access tokens (PAT), do we need both?
  • JWTs should be generated by the system / application, not by the user; for that we have PATs
  • Better UI & UX

[0] [WIP] User JSON web tokens by stejskalleos · Pull Request #8525 · theforeman/foreman · GitHub
[1] [WIP] Fixes #32278 - Invalidate user's JWT by stejskalleos · Pull Request #8452 · theforeman/foreman · GitHub
[2] [WIP] User JSON web tokens by stejskalleos · Pull Request #8525 · theforeman/foreman · GitHub

Currently, the best way is to do `User.find_by_login('admin').jwt_secret.destroy` in a console; I guess it would be easy to add a button to the user edit page to do this. The new secret is generated in case it’s missing.

Sure, this would be possible but then other tokens which are used by the user are invalid, too.
Better would be:

Your thoughts?

I’m not sure if you mean one secret per org, or the secret would be a combination of the user’s and the org’s secrets. That way one could reset an entire org or a specific user.

If this would be org level only, I’d say that could be quite open. I think it’s not an exception that people use a single org while they have multiple AKs in it, each accessing different content, which is potentially maintained by a different sysadmin. But I may be wrong.

I thought about storing a secret only on the organization. Then, if sysadmin 1 leaves the company or is on vacation or sick, sysadmin 2 could reset the secret for the organization easily. Otherwise, there may be tokens available which would allow access to the system.
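To make the two reset scopes discussed in this thread concrete, here is an added example (not Foreman code, and not from any of the posters) of deriving the JWT signing key from both an organization secret and a user secret. The `SecretStore` class, its `jwt_secret`-like columns, and the `org`/`sub` claims are all assumptions for illustration; the point is that resetting the org secret invalidates every token in that org, while resetting a user secret invalidates only that user's tokens, and a missing secret is generated on first use, as the earlier post describes.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Hypothetical in-memory stand-in for per-org and per-user secret columns.
# A real deployment would persist these; the derivation logic is the point.
class SecretStore
  def initialize
    @org  = {}
    @user = {}
  end

  # Secrets are generated lazily when missing (mirrors "destroy then regenerate").
  def org_secret(org)   = (@org[org]   ||= SecureRandom.hex(32))
  def user_secret(user) = (@user[user] ||= SecureRandom.hex(32))

  # Resetting either scope replaces the secret, so every key derived from it changes.
  def reset_org!(org)   = (@org[org]   = SecureRandom.hex(32))
  def reset_user!(user) = (@user[user] = SecureRandom.hex(32))

  # Combine both secrets with HMAC: the signing key depends on the org secret
  # and on the user secret, so rotating either one invalidates the tokens.
  def signing_key(org, user)
    OpenSSL::HMAC.digest('SHA256', org_secret(org), "#{user}:#{user_secret(user)}")
  end
end

def b64url(bytes) = Base64.urlsafe_encode64(bytes, padding: false)

# Constant-time comparison so signature checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue an HS256 JWT for user `sub` in organization `org`.
def issue_jwt(store, org, user)
  header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate({ sub: user, org: org }))
  input   = "#{header}.#{payload}"
  sig     = OpenSSL::HMAC.digest('SHA256', store.signing_key(org, user), input)
  "#{input}.#{b64url(sig)}"
end

# Verify a token against the secrets currently on record. Returns the claims
# on success, nil on any failure (bad structure, wrong alg, stale secret, tampering).
def verify_jwt(store, token)
  header, payload, sig = token.to_s.split('.')
  return nil unless header && payload && sig
  hdr    = JSON.parse(Base64.urlsafe_decode64(header))
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless hdr['alg'] == 'HS256' # pin the algorithm; never trust the token's choice
  return nil unless claims['org'].is_a?(String) && claims['sub'].is_a?(String)
  expected = OpenSSL::HMAC.digest('SHA256',
                                  store.signing_key(claims['org'], claims['sub']),
                                  "#{header}.#{payload}")
  secure_equal?(Base64.urlsafe_decode64(sig), expected) ? claims : nil
rescue ArgumentError, JSON::ParserError
  nil
end
```

Usage: issue tokens for two users in one org, reset one user's secret and only that user's token stops verifying; reset the org secret and both stop verifying, while freshly issued tokens work again. The org-wide reset is the "sysadmin 2 can cut everyone off" case; the per-user reset keeps other people's tokens in the same org valid.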