Marco Descher
```
mis-echo-1 | OAuth2::AccessToken.from_hash: `hash` contained more than one 'token' key (["access_token", "id_token"]); using "id_token".
mis-echo-1 | D, [2024-09-13T12:03:15.060896 #1] DEBUG -- : Setting.validate_user_roles = 'user_roles.'
mis-echo-1 | D, [2024-09-13T12:03:15.060943...
```
This looks very good now @picman. It worked with the `id_token` and the key `user_roles` - but as this was an adaptation, I fixed the defaults of Keycloak. So it...
The branch `roles_without_patch` works like a charm, and the log info ``OAuth2::AccessToken.from_hash: `hash` contained more than one 'token' key (["access_token", "id_token"]); using "access_token".`` is just correct for the Keycloak setting....
Technically ok. But not as secure. Why?

* Redmine API keys are barely (if at all) rotated. Stealing such an API key in some way is thus a real problem....

Consider the following scenario. I have only OpenID accounts enabled; local passwords are not really set. Now I have an external script that wants to use the Redmine API to...
I would propose that, in addition to the authentication methods described in https://www.redmine.org/projects/redmine/wiki/rest_api#Authentication, this plugin should "listen" for the HTTP header `Authentication = Bearer xyyxyx....` and validate the provided token...
Interesting in this aspect https://www.redmine.org/issues/41220
I have a very interesting example, which is how I think it should work in Redmine too: the following NGINX location configuration protects the calls by using the JWT access...
State on this matter from my side:

* Having an API key which is not rotated regularly is a massive security issue
* I made an nginx based endpoint, with a...

At the moment, when logging off in Redmine (after logging into it with redmine_oauth) only Redmine is logged out, while the OAuth2 session stays open. There should be a configurable...