Use API with current user

Hi,

We’re using the Octopus Client .NET NuGet package in an intranet site with Windows authentication. When users visit our intranet site I want to limit the client to what the user is able to do, so I don’t want to provide an API key to use with the OctopusServerEndpoint object. Any thoughts on how to do this? I’ve tried what is suggested here: Using the API with Windows credentials, but I get an OctopusServerException with no further details.
Here is my code if it helps:

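```csharp
// Endpoint created with the server URL only (no API key)
var endpoint = new OctopusServerEndpoint(this.configuration.Server);
var client = await OctopusAsyncClient.Create(endpoint);
// Attempt the Windows credentials sign-in from the linked article
await client.GetContent("/integrated-challenge");
return client;
```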

There is one solution I can think of, but it seems messy: provide a “master” API key and then generate an API key for the current user when they use the app, but this doesn’t seem ideal:

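```csharp
// Connect with the "master" API key held in configuration
var endpoint = new OctopusServerEndpoint(this.configuration.Server, this.configuration.ApiKey);
var client = await OctopusAsyncClient.Create(endpoint);
// GetCurrentUser is the poster's own helper for finding the Octopus user for the current visitor
var user = await this.GetCurrentUser(client);
// Generate an API key for that user and reconnect with it
var apiKeyResource = await client.Repository.Users.CreateApiKey(user);
endpoint = new OctopusServerEndpoint(this.configuration.Server, apiKeyResource.ApiKey);
client = await OctopusAsyncClient.Create(endpoint);
return client;
```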

Any thoughts?

Hi @Callum,

Thanks for your patience on this.

We spoke on Community slack, but I wanted to follow up with a few points for other users.

Last year, to improve security, we removed the ability to create API keys for all users from other user accounts. So, for instance, David.Smith couldn’t create an API key for user John.Bloggs. The only accounts you can create an API key for are your own and Service Accounts. The reason for this change was to stop users being able to effectively act on other users’ behalf.

As we discussed on Slack, our recommendation here is to use a Service Account with an API key or, alternatively, get users to create an API key that they can share for the service.

Please let us know if you have any questions.

Thanks

Derek
