Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Namespaced auth token #145

Merged
merged 4 commits into from
Nov 14, 2023
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions authentication/methods.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,26 @@ The bootstrap token can also be configured to have an expiration date by setting

See the [Configuration: Method Token](/configuration/overview#authentication-methods-token) documentation for more details.

### Token Expiration

Tokens can be created with an optional expiration date. This can be used to ensure that a token is only valid for a short period of time before automatically expiring. Expired tokens will be automatically be deleted by Flipt. The interval and grace period for this cleanup process can be configured via the `token.cleanup.interval` and `token.cleanup.grace_period` values in the configuration.

### Namespaced Tokens

Tokens can be created with an optional namespace to allow for more granular control over access to resources. Namespaces allow for grouping resources such as flags, segments, etc. To learn more about namespaces, see the [Concepts: Namespaces](/concepts#namespaces) documentation.

Namespaced tokens are useful for the scenario when you want to limit the privileges of an integration such as a CI/CD pipeline or internal service.

<Info>
It's important to note that namespaced tokens offer limited access to the
Flipt API, as only API requests that can be scoped to a namespace are
supported.
</Info>

For example, the `/api/v1/namespaces/{namespace}/flags` endpoint supports a `namespace` parameter, therefore a namespaced token can be used to access this endpoint. However, the `/auth/v1/tokens` endpoint is not associated with a single `namespace`, so a namespaced token cannot be used to access this endpoint.

This also means that namespaced tokens themselves cannot be used to create additional tokens. Tokens must be created using a non-namespaced (default) token.

## OpenID Connect

[OpenID Connect](https://openid.net/connect/) (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Expand Down
6 changes: 3 additions & 3 deletions authentication/using-tokens.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -57,9 +57,9 @@ def doRequest():
### 2. `Cookie` Header

<Warning>
Please enable [CSRF](/configuration/authentication#session) prevention in your
Flipt configuration when using a "session compatible" authentication method
and `Cookie` based authentication in the browser.
It's important to enable [CSRF](/configuration/authentication#session)
prevention in your Flipt configuration when using a "session compatible"
authentication method and `Cookie` based authentication in the browser.
</Warning>

For browser-based applications (e.g. Flipt's own user interface) we support supplying a client token via a particular `Cookie` called `flipt_client_token`.
Expand Down
Binary file modified images/authentication/create-token.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
22 changes: 4 additions & 18 deletions reference/overview.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ The Flipt REST API can also be used with any language that can make HTTP request

The latest version of the REST API is fully documented using the [OpenAPI v3 specification](https://github.com/flipt-io/flipt-openapi).

## SDKs

We're adding new SDKs all the time. To see the current list of official REST SDKs, head to the [REST SDKs](/integration/rest) documentation
markphelps marked this conversation as resolved.
Show resolved Hide resolved

## Backward Compatibility

We take great care to ensure that the Flipt REST API is backward compatible. This means that you can safely upgrade to a newer version of Flipt without having to change your API calls.
Expand All @@ -34,24 +38,6 @@ All previous endpoints without the `/namespaces` prefix still work as before (i.

See the [Concepts: Namespaces](/concepts#namespaces) section for more information.

## SDKs

Official REST client SDKs exist for the following languages:

- [Go](https://pkg.go.dev/go.flipt.io/flipt/sdk/go)
- [Node.js/TypeScript](https://github.com/flipt-io/flipt-node)
- [Java](https://github.com/flipt-io/flipt-java)
- [Rust](https://github.com/flipt-io/flipt-rust)
- [Python](https://github.com/flipt-io/flipt-python)

<Note>
We're working on more REST API SDKs and would love to hear from you if you're
interested in helping out or have a request for an SDK in a specific language.

Please reach out to us in our [Discord server](https://www.flipt.io/discord).

</Note>

## Authentication

<Info>
Expand Down