So, the one undetermined issue with users self-issuing tokens, is access control. In Moodle there's a capability for this, and also any user who is a site admin is *not* allowed to self-issue tokens through the REST interface, for security purposes. (Admins can still self-generate tokens through the web UI)
We can easily add the restriction on admin users if we want, but the bigger question is, how do we decide which normal users can self-issue webservices tokens? Currently, the closest thing we have is the "webservice" auth method. However, this isn't quite what we need. It is written to allow "robot" users, which authenticate to webservices via a username and password, but cannot log in to Mahara via the normal methods. We could use its presence or absence in an institution to determine whether the institution as a whole allows webservices, but I don't think that's a good idea because it would confuse admins as to the purpose of this auth plugin. The last thing we want is admins assigning users the "webservice" auth to try to let them use the app, and then discovering the users can no longer log in to Mahara. We also have per-institution connection manager setup. However, this also isn't appropriate, because the connection manager is only for configuring *outgoing* connections, i.e. Mahara using webservices to retrieve data from another service provider. In the token-issuing scenario, Mahara is instead accepting *incoming* connections. So probably what would make the most sense, would be to turn this into another per-institution setting with a sitewide default. Ideally it'd be as granular as the connection manager; so individual institutions could enable/disable individual user-token-issuing for each service group. However, it could start with a simple institution-level "on-off": "Allow individual users to access webservices (for mobile applications)" That said... since we're so late in the 16.10 release process we should probably go the simplest route. And the drop-dead simplest thing would be to piggyback this on the existing "Allow mobile uploads" sitewide admin setting. So for that route, we would hard-code the token-issuing scripts to *only* allow access to the Mahara mobile app service group, and access would be contingent on the "Allow mobile uploads" setting. (Or perhaps add a DB flag to service groups in the database to indicate that they are "mobile uploads"). So, I'll probably go that route. -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1620879 Title: Allow users to self-issue webservice access tokens Status in Mahara: New Bug description: For the generation 2 Mahara mobile app ( https://github.com/maharaproject/mahara-mobile ), we want users to be able to generate the access tokens they need via the app itself, rather than the current process where users have to log in to Mahara in a web browser, go to their account settings page, scroll to the bottom and manually create an access token (typing in its value themselves), then launch the mobile app and write that same access token into the mobile app. Instead, we envision a process the same as the Moodle Mobile app. The user is presented with a username/password field, they enter their credentials there, and the app then does the dirty work of talking to the Mahara server, requesting the access token, and storing it. In order to support SSO options, there also needs to be an alternative flow, where the app opens an embedded iframe that displays the Mahara login form, and returns the access token value back to the app when done. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1620879/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
