Server to Server Authentication

dagrooms52 · October 3, 2017, 10:20pm

The Data API Service documentation describes the route /whoami, which generates a Refresh Token that can be used to authenticate service calls and expires in seven days. This authentication pattern seems to be a subset of the OAuth protocol, which usually entails the authentication of a client with a server; the similarities are present, as I can only access the initial token by providing my username and password.

This style of authentication introduces an interesting pattern for server-to-server authentication. After accessing my initial API token, I can generate a refresh token which I can store with a timestamp to indicate when to refresh it. It requires a bit of work to consume this pattern, whereas I may be able to reuse an existing authentication pattern with less effort. For example, standard libraries exist to handle HMAC authentication and are built with server to server authentication in mind.

Does Resin provide a standard method of server to server authentication, such as HMAC authentication?

afitzek · October 4, 2017, 1:04pm

Hi @dagrooms52,
We are currently developing named api keys, which can be managed in the dashboard and can be used as authentication tokens. These tokens will not expire after a certain time, but can be revoked manually from the dashboard. Is this mechanisms something you had in mind?

dagrooms52 · October 4, 2017, 2:53pm

Yes, that sounds great to me! When can I expect this functionality to be released?

flesler · October 4, 2017, 5:04pm

Hi @dagrooms52 we expect it to be fully released in the coming weeks.

fenris · October 4, 2017, 5:28pm

Oooh, I was just about to share a simple device monitoring container, but if named API keys are coming, then I’ll wait until that’s available.

mlodes · November 17, 2017, 7:38pm

Hi @flesler, I was just wondering if you had an updated estimate on when named api keys might be released. Thanks

aric-mira · January 10, 2018, 11:26pm

Our team would also like to use non-expiring API keys, since our Resin calls are server-to-server and we would like to avoid adding logic to refresh the token. Are there any updates on adding this feature?

thgreasi · January 16, 2018, 8:32am

Hi,
At the moment you can generate a named user API key with a direct API call:

curl -X POST "https://api.resin.io/api-key/user/full" \
    -H "Authorization: Bearer <yourbearertoken>" \
    -H "Content-Type: application/json" \
    --data-binary '{"name":"testapikey"}'

This will return a user api key which can be used to authenticate with the resin-sdk (v8) and execute requests:

var ResinSdk = require('resin-sdk');
var sdk = ResinSdk();
sdk.auth.loginWithToken(returnedapikey).then(function() {
	return sdk.models.application.getAll();
}).then(function(apps) {
	console.log(apps);
});

or be used as a bearer token in any other API request:

curl -X get "https://api.resin.io/v3/device" \
    -H "Authorization: Bearer <returnedapikey>"

PS: a respective sdk method to generate api keys is planned for one of the upcoming sdk releases.

aric-mira · January 16, 2018, 10:36pm

@thgreasi Great, I’m going to give this a try. Just to confirm, this API key does not expire?

thgreasi · January 18, 2018, 6:36am

Yes @aric-mira , the named user api keys generated by that endpoint should not expire.
Let us know how this worked for your use case.

aric-mira · January 18, 2018, 6:35pm

Perfect, yes the generated API key worked as expected for my use case. Thanks for your help!

lekkas · May 2, 2018, 12:40pm

Hi,

We are happy to let you know that you can now create API keys that do not expire from the Dashboard.

These API keys are named tokens that can be created / revoked as needed, and they can be used for authentication in the resin.io API, CLI, and SDKs (Node.js Python)

For more information you can check the relevant section in our documents: https://docs.resin.io/learn/manage/account/#api-keys

Thanks!

Kostas