[#36103] - [4.1][webservices] get bearer token on credentials
- Closed
- 24 Nov 2021
- Medium
- Build: 4.1-dev
- # 36103
- Diff
- alikon:patch-1
User tests: Successful: Unsuccessful:
Summary of Changes
Add an authorization endpoint
Testing Instructions
apply patch
create an user that have the API Token
do a POST {{base_url}}api/index.php/v1/users/auth
with this body
{
"username": "test",
"password": "123456789012"
}
Actual result BEFORE applying this Pull Request
N/A
Expected result AFTER applying this Pull Request
it returns the Bearer token so an app can consume the not public webservices endpoints
Documentation Changes Required
yes
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_users Front End Plugins |
| Labels |
Added:
?
?
|
||
Sorry I'm hard rejecting this - this is a security thing.
It's inherently insecure to be able to grab tokens via a webservice I'm afraid. This is also going to full on conflict with any OAuth services (which are how this stuff tends to manifest in most webservices) - which is something we've documented as something we expect to bubble up in the 3rd party ecosystem rather than in core.
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-11-24 15:16:32 |
| Closed_By | ⇒ | wilsonge |
where is documented ?
https://docs.joomla.org/Joomla_Api_Specification
We have chosen not to implement a full blown oAuth 2 specification into the core however it is intended that this can be achieved with the plugin group (and by disabling the "API Authentication - Joomla Token" plugin and the "User - Joomla Token" plugin)
@alikon PHP CS: https://ci.joomla.org/joomla/joomla-cms/48630/1/6