View Issue Details

IDProjectCategoryView StatusLast Update
0017766mantisbtapi soappublic2016-05-24 06:49
ReportervboctorAssigned Tovboctor 
PrioritynormalSeverityfeatureReproducibilityhave not tried
Status closedResolutionfixed 
Product Version1.2.18 
Target VersionFixed in Version1.3.0-rc.1 
Summary0017766: Access Tokens instead of Passwords

It is pretty common for services to provide a way for users to issue and revoke tokens that can be used to access all data in the service or even a subset of it. Examples include:

  • - I use it with two factor auth, may be also available otherwise
  • - same.
  • - personal access tokens

If we support generating, storing and revoking such tokens, then we can use such tokens for login via the SOAP API rather than using the user password.

Ideally OAuth would be used, but even though some of the above services support OAuth, they still support access token for integrations with protocols and apps that don't support it.

OAuth and such tokens provide the ability to allow access yet limit what the user can do. For example, a read-only access token vs. read-write. Or "report issue" vs. "read issues" and so on. We don't have to start there, but it is possible to have N kinds of tokens or N token capabilities. See attached example screentshot from GitHub.

TagsNo tags attached.


related to 0020443 closeddregad New 'api_token' table does not have standard options 
related to 0020472 closeddregad New 'api_token' table columns are not defined in standard way 
related to 0020943 closedcproensa Account menu missing from API tokens manage page 




2014-10-15 03:50




2014-10-15 03:57

developer   ~0041586

Sounds like a potentially useful feature - I never liked the approach of having to send user+pw for each SOAP request - it's cumbersome, and not secure if the backend is not using SSL



2015-11-14 11:57

manager   ~0051842

I'm considering to implement this. Here is the approach I'm going to use:

  • Create a new field in the users table that contains the token.
  • Token is show in the user's account_page.php page.
  • Token can be revoked and a new one is generated via the user's account page.
  • Token is not affected by users' change of password or any other user information.
  • SOAP API enables login with username + token where token is supplied in the password field.
  • SOAP API enables login with username + empty password where token is supplied in authentication header.
  • Any preferences for generating the token? e.g. SHA256 based on salt + some user fields + random -- or something else? @dregad, you usually have preferences here.
  • If token is empty, then it is disabled.

What happens to existing users?

  • First time they go to the my account page, a token is generated and saved.

What won't be included:

  • OAuth
  • Multiple tokens and what each token is used for.
  • Restricted access per token
  • Passing the username in the header as well.

Note that the API will continue to be compatible with old / new authentication models.



2015-11-14 11:57

manager   ~0051843

Reminder sent to: atrol, dregad, rombert

What are your thoughts on this SOAP API authentication change?



2015-11-20 08:40

developer   ~0051908

Overall looks good to me. I wonder why you don't plan to include 'Passing the username in the header as well.' ? Using HTTP basic auth including username+password or username+token would be a nice addition.



2015-11-21 00:34

manager   ~0051910

Sounds good @rombert. I was thinking about using headers for username + token. But even supporting the username + password case is a good idea too.



2015-11-23 06:24

developer   ~0051916




2016-05-18 07:08

developer   ~0053180

This was actually implemented in PR

Related Changesets

MantisBT: master d0b11412

2015-12-06 01:48:54


Details Diff
Merge pull request 0000685 from vboctor/Issue17766_access_tokens_2

Use API tokens instead of user passwords for API auth
mod - account_page.php Diff File
mod - admin/schema.php Diff File
mod - api/soap/mc_api.php Diff File
add - api_token_create.php Diff File
add - api_token_revoke.php Diff File
add - api_tokens_page.php Diff File
add - core/api_token_api.php Diff File
mod - core/authentication_api.php Diff File
mod - core/constant_inc.php Diff File
mod - core/html_api.php Diff File
mod - css/default.css Diff File
mod - docbook/Admin_Guide/en-US/Page_Descriptions.xml Diff File
mod - lang/strings_english.txt Diff File

MantisBT: master 73f2cf8c

2016-05-16 13:29:08


Committer: dregad Details Diff
Add account menu in api tokens page

Add the account menu to the API tokens manage page (this page is one
of the items in that menu). Now the layout is consistent with the
other account manage pages.

API tokens page was originally implemented in issue 0017766

Fixes 0020943
mod - api_tokens_page.php Diff File

Issue History

Date Modified Username Field Change
2014-10-15 03:50 vboctor New Issue
2014-10-15 03:50 vboctor File Added: Screenshot 2014-10-15 00.49.25.png
2014-10-15 03:57 dregad Note Added: 0041586
2014-10-15 03:57 dregad Severity minor => feature
2015-11-14 11:57 vboctor Note Added: 0051842
2015-11-14 11:57 vboctor Note Added: 0051843
2015-11-20 08:40 rombert Note Added: 0051908
2015-11-21 00:34 vboctor Note Added: 0051910
2015-11-23 06:23 dregad Assigned To => vboctor
2015-11-23 06:23 dregad Status new => assigned
2015-11-23 06:24 dregad Note Added: 0051916
2015-12-06 02:54 vboctor Status assigned => resolved
2015-12-06 02:54 vboctor Resolution open => fixed
2015-12-06 02:54 vboctor Fixed in Version => 1.3.0-rc.1
2015-12-06 02:54 vboctor Status resolved => closed
2015-12-29 06:04 dregad Relationship added related to 0020443
2016-01-02 18:12 dregad Relationship added related to 0020472
2016-05-18 07:06 dregad Changeset attached => MantisBT master d0b11412
2016-05-18 07:08 dregad Note Added: 0053180
2016-05-24 06:48 dregad Relationship added related to 0020943
2016-05-24 06:49 dregad Changeset attached => MantisBT master 73f2cf8c