  1. Artifactory Binary Repository
  2. RTFACT-27222

access API context rejects all forms of auth besides Access tokens used in Authorization: Bearer headers


    Details

    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Access Tokens
    • Labels:
      None
    • Environment:

      response headers include:

      x-jfrog-version: JFrog Access/7.41.7

    • Severity:
      Medium
    • Location:
      External

      Description

      The access API context does not recognize any form of auth besides Access tokens used in Authorization: Bearer headers. 

      This creates an unpleasant "chicken and egg" scenario whereby an account can't programmatically create an access token unless someone has already clicked through the UI to generate one. For large numbers of service accounts with pre-existing API keys, this is tedious and silly.

      Additionally, this restriction isn't properly documented on the REST reference for the access context. The notes for each endpoint state that a token is required (which conflicts with the blanket statement at the top of the document with 5 different accepted authentication schemes), but fail to state that the token MUST be included in a bearer header (instead of basic auth, the other accepted scheme).

      Also worth noting: a POST attempt to create a new access token with valid non-bearer authentication returns an HTTP 405 + HTML content instead of an HTTP 401/403 with JSON.

       

              People

              Assignee:
              Unassigned
              Reporter:
              kmcdonough Kenton McDonough