ondemand
How do we securely implement API support for OnDemand?
We need to envision, plan and learn how to securely implement an API in OnDemand. Other high-security organizations accomplish this: banks, QuickBooks, etc.
Given the PUN is per-user, you'd have to set up a special URL like https://ondemand.example.com/api that is behind OAuth2 but uses bearer tokens instead of cookies, so someone could get an OAuth2 token and Apache would be able to map that token to their identity via Keycloak. I'm not sure how one would do that with Dex, but it's pretty easy with Keycloak to get a personal access token via the command line and use that with API services.
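
The token-to-identity mapping described in the comment above, as an added example that is not part of the thread and is not Open OnDemand or Keycloak code. It assumes the API front end has already sent the bearer token to the identity provider's RFC 7662 introspection endpoint and received a JSON reply; the audience name `ood-api`, the use of the `preferred_username` claim and the local username pattern are assumptions.

```python
import re
import time

# Assumption: local account names follow a conservative POSIX-style pattern.
LOCAL_USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
DENIED_USERS = {"root"}  # never map a token to a privileged account


class AuthError(Exception):
    """Raised when the request must be rejected (HTTP 401)."""


def bearer_token(headers):
    """Extract the token from an 'Authorization: Bearer <token>' header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError("missing bearer token")
    return token.strip()


def map_to_local_user(introspection, expected_audience, now=None):
    """Map an RFC 7662 introspection reply to a local username, or reject."""
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        raise AuthError("token inactive or revoked")
    if introspection.get("exp", 0) <= now:
        raise AuthError("token expired")
    aud = introspection.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    # A token minted for another client must not be accepted by this API.
    if expected_audience not in aud:
        raise AuthError("token not issued for this API")
    user = introspection.get("preferred_username")
    # fullmatch (not match with '$') so a trailing newline cannot slip through.
    if (not isinstance(user, str) or not LOCAL_USER_RE.fullmatch(user)
            or user in DENIED_USERS):
        raise AuthError("no valid local account for token")
    return user


# Constructed sample: the shape of an introspection reply, not real output.
SAMPLE = {"active": True, "exp": 2_000_000_000, "aud": ["ood-api"],
          "preferred_username": "alice", "scope": "openid"}

if __name__ == "__main__":
    token = bearer_token({"Authorization": "Bearer constructed.sample.token"})
    print(token, "->", map_to_local_user(SAMPLE, "ood-api", now=1_700_000_000))
```

The returned name is what the front end would use to pick the per-user backend, so every rejection path fails closed rather than falling back to a default account.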