Add proposal CLI-secret-for-api

[LGhoull]

No description provided.

[LGhoull]

This is a kind/proposal, but I can't add any labels

[reasonerjt]

We should add a case to make sure when the token is invalid the cli secret will not be usable for calling the API.

[LGhoull]

You mean the id token? From my understanding, harbor attempts to renew the id token to keep the secret valid. If that's not possible, the Secret becomes invalid. All this logic already exists for the CLI secret

[reasonerjt]

We should double check if the token is invalid the secret becomes invalid at the same time, and clarify it in the design. If there is vulnerability existing now, we should absolutely not move forward, we should fix the vulnerability.

[LGhoull]

What I meant with this being a possible "vulnerability" (depending on the way you look at it, personally I don't think it is a vulnerability) is the fact that the CLI secret only needs to be copied from the UI once and can be used repeatedly without signing in with OIDC again. But:

• This is already the case for the CLI secret
• The CLI secret is invalidated when the id token can not be renewed (for example when the user in the ID provider is deleted)
• This is basically how API keys work in numerous other applications

[LGhoull]

@reasonerjt Could you respond to the discussions?

[LGhoull]

@reasonerjt Could you respond to the discussions please?

[LGhoull]

@Vad1mo @zyyw @chlins Anyone? Can we discuss this?

[Vad1mo]

It is very difficult for me to follow on the details of the PR, on high level I think I understand what you are trying to achieve and why.

There are lot of details missing the description. Especially, all the backward-compatible and changes neeed to UI, Docs, and workflows are missing.

[Vad1mo]

Can you outline the backward compatibility or its lack of?

[LGhoull]

just added some more clarification in the compatibility section. The id token can still be used, but is deprecated.

[Vad1mo]

What about docker login

[LGhoull]

docker login already works with the cli secret and nothing changes about that

[LGhoull]

@Vad1mo I just added some clarification in the proposal. Of course we should document the new behavior. The UI doesn't have to change since CLI secrets already exist (maybe we can rename them).

[LGhoull]

Can we move forward here please?

[VinuelMancent]

Can I assist on getting this PR merged? The change is IMHO very important, but since nothing happened here for months, i fear this will never see the light of day

[LGhoull]

@Vad1mo @chlins @zyyw Can we move forward here please?

[malmor]

Hey there, any update on this proposal?

In goharbor/harbor#16647 (comment) a different concept of classic API keys was mentioned. Should this be re-written (or replaced) by that idea?

[malmor]

Hey @Vad1mo @reasonerjt,
just wanted to check in on this proposal. Is there anything we can do to support this in moving forward?

[malmor]

Hey @Vad1mo @reasonerjt,
is there any update regarding this proposal or the concept of "API Keys" in general? Thanks!

[Vad1mo]

the proposal and PR introduces a breaking change, this needs to be addressed and resolved, otherwise it has no chance getting in.

[Vad1mo]

The PR removes ID token support entirely, but the proposal says "deprecate".

In the proposal it states:
"ID token authentication will be deprecated initially, with removal planned for future releases"

But PR #20851 deletes idtoken.go completely. This inconsistency must be resolved. The implementation should:

• deprecation warning logs when ID token is used?
• Keep ID token functional for N releases?

How will existing integrations know ID token auth is deprecated?

• Return Deprecation HTTP header?
• Log warnings?
• Documentation update plan?

Users currently using ID token auth need guidance:

1. How to obtain their CLI secret
2. How to update their scripts/tools
3. Timeline for mandatory migration

The proposal implies robot accounts are the only workaround. However, users CAN use ID tokens today - they're just hard to obtain. The proposal should clarify this is a usability improvement, not enabling previously impossible access.

1. Will CLI secret auth support all API operations? Including:
   - System admin operations (/api/v2.0/configurations)
   - User management (/api/v2.0/users)
   - OIDC settings modification
2. Should admins be able to disable CLI secret API auth? A feature flag would address enterprise compliance concerns.
3. What happens to existing ID token integrations during deprecation? Are there any known consumers (CI/CD tools, SDK libraries)?

[malmor]

Hey @Vad1mo, thank you for these insights and feedback!

I see that there are some inconsistencies here, definitely something that needs to be figured / straighten out.

Maybe to address to core difference here: Do you think just adding support for using the CLI secret via the API would also be a valuable change?

This way ...

• Existing integrations will not breaking, removing the need for complex deprecation phases etc.
• For simple scenarios users can opt in to use the CLI secret for authentication, without having to implement the entire OIDC flow
• For advanced scenarios (e.g. enterprise context) users can still implement the full OIDC flow, taking advantage of additional security and compliance features

Do you think this would make a "better" proposal, with an easier road ahead for implementation?