[API] - Configurable Scoped Tokens
Currently, the API token can be used to impersonate anyone in the account. This gives the API token great flexibility, but also carries with it a lot of risk.
To give an admin more complete control of the functions available to an external app or service that authenticates via an API token, the API token manager should allow admins to limit token access by Product as well as Scope.
This would mean, when creating a token, an admin could create one for managing Guide articles:
- Product: Guide, Scope: Read / Write
And another for reading off a list of current macros in Support:
- Product: Support, Scope: Read Only
Finally, under this scheme, it would be useful if a token could be configured to multiple products, with a specific scope per product. For example, suppose an admin wanted to create an integration that allowed her to grab some common FAQs in Guide and turn them into macros. The API token for this integration would be scoped thus:
- Product: Guide, Scope: Read Only; Product: Support, Scope: Read / Write
This type of configuration ability could be really helpful in guaranteeing that some applications, for example, can be used to manage Guide articles, or Chat conversations, but can't dip into the Support data and read off customer information or ticket details.
This would be really helpful for providing an additional layer of security for Zendesk admins with regard to API integrations.
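The following is a reference model of the per-product scoped token scheme proposed in this post. It is an added example written for this page, not Zendesk's code: the product names, the `<product>:<read|write>` scope notation, the `<token_id>.<secret>` credential format and the rule that the HTTP method decides whether a call is a read or a write are all assumptions made for illustration. It enforces the three tokens described above (Guide read/write, Support read-only, and the Guide-read plus Support-write FAQ-to-macros integration) and shows the default-deny behaviour a practitioner would expect: an unlisted product, an insufficient scope, or a wrong secret all fail closed.

```python
"""Reference model of the per-product scoped token proposal above.

Added example for this page, not Zendesk's implementation. The product names,
the "<product>:<read|write>" scope notation, the "<token_id>.<secret>"
credential format and the HTTP-method-to-read/write mapping are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


PRODUCTS = frozenset({"guide", "support", "chat"})  # assumed product names


class Scope(Enum):
    READ = "read"
    WRITE = "write"  # "Read / Write" in the proposal: write implies read


def parse_scopes(spec: str) -> dict:
    """Parse 'guide:read support:write' into {'guide': READ, 'support': WRITE}.

    Unknown products or permissions raise instead of being ignored, so a typo
    cannot silently issue a token with rights other than what the admin
    reviewed. If a product is listed twice, the stronger grant wins.
    """
    grants = {}
    for item in spec.split():
        product, sep, perm = item.partition(":")
        if not sep or product not in PRODUCTS or perm not in ("read", "write"):
            raise ValueError(f"unrecognised scope {item!r}")
        if grants.get(product) is not Scope.WRITE:
            grants[product] = Scope(perm)
    return grants


@dataclass(frozen=True)
class ScopedToken:
    token_id: str
    secret_hash: bytes  # only a hash of the bearer secret is kept server-side
    grants: dict        # product -> Scope


class TokenStore:
    def __init__(self):
        self._tokens = {}

    def issue(self, spec: str) -> str:
        """Create a token limited to the given scopes; return the bearer credential."""
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._tokens[token_id] = ScopedToken(
            token_id, hashlib.sha256(secret.encode()).digest(), parse_scopes(spec))
        return f"{token_id}.{secret}"  # shown once; the store never sees it again

    def _lookup(self, credential: str):
        token_id, sep, secret = credential.partition(".")
        token = self._tokens.get(token_id)
        if not sep or token is None:
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        # constant-time comparison of the hashed secret
        return token if hmac.compare_digest(presented, token.secret_hash) else None

    def authorize(self, credential: str, product: str, method: str) -> bool:
        """Default-deny check: product must be granted and the scope sufficient.

        GET/HEAD count as reads, every other method as a write (assumption).
        """
        token = self._lookup(credential)
        if token is None:
            return False
        needed = Scope.READ if method.upper() in ("GET", "HEAD") else Scope.WRITE
        granted = token.grants.get(product)  # product not listed -> None -> deny
        if granted is None:
            return False
        return granted is Scope.WRITE or needed is Scope.READ


def demo() -> dict:
    """The three tokens from the proposal, each exercised against a few calls."""
    store = TokenStore()
    guide_rw = store.issue("guide:write")               # manage Guide articles
    support_ro = store.issue("support:read")            # list Support macros
    faq_sync = store.issue("guide:read support:write")  # FAQs -> macros integration
    forged = guide_rw.partition(".")[0] + ".not-the-secret"
    return {
        "guide_rw_can_write_articles": store.authorize(guide_rw, "guide", "POST"),
        "guide_rw_cannot_read_tickets": not store.authorize(guide_rw, "support", "GET"),
        "support_ro_can_list_macros": store.authorize(support_ro, "support", "GET"),
        "support_ro_cannot_create_macro": not store.authorize(support_ro, "support", "POST"),
        "faq_sync_can_read_articles": store.authorize(faq_sync, "guide", "GET"),
        "faq_sync_cannot_edit_articles": not store.authorize(faq_sync, "guide", "PUT"),
        "faq_sync_can_create_macro": store.authorize(faq_sync, "support", "POST"),
        "faq_sync_cannot_touch_chat": not store.authorize(faq_sync, "chat", "GET"),
        "forged_secret_rejected": not store.authorize(forged, "guide", "GET"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'ok  ' if ok else 'FAIL'} {check}")
```

The two design points worth copying into a real implementation are that the grant table is consulted per product with no fallback (a token that names only Guide gets `None` for Support and is denied), and that the scope parser rejects anything it does not recognise rather than dropping it, so the rights an admin reviewed at creation time are exactly the rights the token carries.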
-
Thank you for the feedback, Zac. As you noted, there's a lot of power with "API Tokens", which can be turned off if this doesn't meet someone's needs or the token can't be securely maintained.
The real solution here is to use OAuth tokens instead. Those do have more limited scopes, along the lines that you mention. As the platform moves forward, how granular authorization is and these different options are going to be looked at, so expect changes that make the product even more secure. Thank you again!
-
Thanks, Bryan! I appreciate your help on this. Quick question: is it true that when the OAuth scope requested by the application is changed by the application publisher, Zendesk forces an admin to re-authorize the app?