I’ve been investigating how to create some kind of “API Token” that can be used to authenticate a user without needing their password. The general use case is as follows:
- User: The user logs in with his account (username:password)
- User: The user creates an API Token on our dashboard
- System: Generate said Token
- User: Configure the token inside a separate application (but no password)
Worth noting that steps 3 and 4 could potentially be done several times, and this is fully under the user’s control.
So far I’ve been thinking about doing this with a long-lived token generated into a separate client (due to the need for long-lived session configuration) so that the session stays open and can be cleared out when needed.
I read that we can create a client for this, but then I’m not sure how this should be configured to make sure the client has the exact same group/role/permission as the user.
Does this sound like a good idea or am I over-complicating it?
Is there any other way that should be the “normal way”?
Thanks in advance for the insights!
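To make the design question concrete, here is an added example (not code from the original post or from any particular identity product) of the pattern the use case describes: a user-issued API token that authenticates as that user without the password, can be created several times, and can be revoked. The token is bound to the user account rather than to a copy of the user's roles, so an authenticated request resolves to whatever the user's groups/roles are at that moment; nothing needs to be kept in sync. Only a hash of the token secret is stored, and the plaintext is shown once at issue time. The in-memory `USERS` directory and the `ApiTokenStore` class are constructed for illustration and are not the poster's system.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample user directory (assumption: roles live on the user record,
# so a token resolves to whatever the user's roles are *now*, not at issue time).
USERS = {
    "alice": {"roles": {"viewer", "editor"}},
    "bob": {"roles": {"viewer"}},
}


@dataclass
class TokenRecord:
    secret_hash: str            # SHA-256 of the secret part; plaintext is never stored
    user: str                   # the account this token acts as
    created_at: float
    expires_at: Optional[float]  # None = long-lived until revoked
    revoked: bool = False


class ApiTokenStore:
    """Per-user API tokens that authenticate without the user's password.

    A token has the form "<token_id>.<secret>": the id is a public lookup key,
    the secret proves possession, and only a hash of the secret is persisted.
    """

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, user: str, ttl_seconds: Optional[float] = None,
              now: Optional[float] = None) -> str:
        """Create a token for `user` and return its plaintext (shown once)."""
        if user not in USERS:
            raise KeyError(f"unknown user {user!r}")
        now = time.time() if now is None else now
        token_id = secrets.token_hex(8)       # 16 hex chars, safe to log
        secret = secrets.token_urlsafe(32)    # 256 bits of entropy
        self._records[token_id] = TokenRecord(
            secret_hash=self._hash(secret),
            user=user,
            created_at=now,
            expires_at=None if ttl_seconds is None else now + ttl_seconds,
        )
        return f"{token_id}.{secret}"

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[set]:
        """Return the *current* roles of the token's user, or None if the token is invalid."""
        now = time.time() if now is None else now
        token_id, sep, secret = token.partition(".")
        rec = self._records.get(token_id) if sep else None
        if rec is None:
            return None
        # Constant-time comparison of hashes so a wrong secret leaks no timing info.
        if not hmac.compare_digest(rec.secret_hash, self._hash(secret)):
            return None
        if rec.revoked or (rec.expires_at is not None and now >= rec.expires_at):
            return None
        user = USERS.get(rec.user)
        if user is None:                      # user deleted: token dies with it
            return None
        return set(user["roles"])             # roles are read from the user, never copied

    def revoke(self, token_id: str) -> bool:
        """Mark one token unusable; other tokens of the same user are unaffected."""
        rec = self._records.get(token_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def list_for_user(self, user: str) -> list:
        """Token ids a dashboard would show the user (never the secrets)."""
        return [tid for tid, r in self._records.items()
                if r.user == user and not r.revoked]


if __name__ == "__main__":
    store = ApiTokenStore()
    plaintext = store.issue("alice", ttl_seconds=30 * 24 * 3600)
    print("give this to the user once:", plaintext)
    print("roles seen by the API:", store.authenticate(plaintext))
```

The point of the design is in `authenticate`: the token carries only the user's identity, so group or role changes on the account apply to every existing token immediately, and deleting the account invalidates them all. Revocation is per token, which is what lets a user who configured several applications cut off just one of them.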