External auth and API

[till]

Using Portainer v1.22.0

---

We purchased the external auth extension.

When enabled, a user via an external OAuth 2.0 server is unable to use the API of Portainer. The problem seems to be that there's no way to provide an access token to Portainer, which would then get exchanged into a session for Portainer.

Instead of e.g. redirecting the user, a resource owner password credentials grant is missing. E.g. asking the user for their login/password on the application, and doing OAuth in the background (to obtain an access token, etc.).

Is there anything we're missing?

[deviantony]

@till are you trying to authenticate through the API using the external authentication extension?

[till]

@deviantony Yes, so this is the scenario:

• we wrote a CLI tool to create stacks and to deploy them
• the CLI has to authenticate with the Portainer API
• a developer (or a "machine account") uses this tool to work with Docker instances
• the account for the developer or machine is in OAuth 2.0

---

I can't troubleshoot more, the external auth code is somewhat hidden. Looks like a go binary that is downloaded. But it seems like the extension doesn't work with an access token. Only with the authorisation code. It's hard to "inject" that with a proper OAuth 2.0 flow. We have custom hackery, but it would be great to avoid this.

[deviantony]

Ah, yes. The External authentication was not designed for machine accounts (since its goal was to leverage the OAuth provide 2FA).

I believe that you're looking for an API token for machine accounts: #813

[till]

@deviantony well, machine account or not.

It doesn't work for regular users either. When they deploy from the command line.

Another OAuth 2.0 flow would solve this. One could generate tokens on the OAuth end and use these to authenticate (similar to what Github provides). But even Github's OAuth will not work with the extension as it currently stands.

[deviantony]

Ok, I'll tag this as an enhancement.