Authentication feedback

Here are some quick thoughts in case they help.

  • Debugging auth is a black box. It would be lovely to be able to test auth for a given identity as an admin (e.g. in the dashboard) and actually get some feedback on exactly which auth check turned the access away. Something like explainAuthQuery(identity, query), for instance.
  • It would be cool if we could have access to the token data in our predicates, something like TokenData(), roughly parallel to Identity(). That would make it possible to create tokens that were limited to certain uses or functions (e.g. a refresh token can only be used to get a new access token, and not do anything else; or a token on behalf of a user that has other restricted permissions for running jobs; and so on).
  • I find the ability to create tokens outside of Login to be very useful. As databrecht explained to me a while ago in the forum, it can be used for relying on another OAuth source, or building anonymous users that can write to the database and have their accounts promoted to a full identity, retaining their anonymous activity. These are both fairly common use cases. I don’t see docs about this approach to creating tokens. In particular, clarifying that you can also attach ttl and data (e.g. Create(Tokens(), {instance: Var("accountRef"), ttl: Var("ttl")})) is something I guessed and then confirmed through experimentation, but would have been easier to read.

No blockers, just sharing feedback and ideas! Thanks.
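The anonymous-account flow the post above describes, as an added worked example (not code from the post or from Fauna's docs). The collection name "accounts", the one-hour ttl, the data field contents and the placeholder password are assumptions.

```fql
// Added example, not code from the post above. It shows a token created
// outside Login() for an anonymous account, and the later promotion of that
// account to a full identity. Collection name, ttl and data are assumed.

// Query 1 (run with a server key): create the anonymous account and, in the
// same transaction, a token for it that expires in one hour. The token's data
// records what the token is for; predicates cannot read it today, which is
// what the TokenData() request above is about.
Let(
  {
    account: Create(Collection("accounts"), { data: { anonymous: true } }),
    ttl: TimeAdd(Now(), 1, "hour")
  },
  Create(Tokens(), {
    instance: Select("ref", Var("account")),
    ttl: Var("ttl"),
    data: { purpose: "anonymous-session" }
  })
)
// The "secret" field of the result is what the anonymous client authenticates with.

// Query 2 (run by the client with that secret): promote the account in place.
// Identity() resolves to the account ref the token points to, so documents the
// anonymous user already created stay owned by the same account, and Login()
// works from now on. Whether this token may Update its own document is decided
// by your roles, not by the token itself.
Update(Identity(), {
  data: { anonymous: false, email: "user@example.com" },
  credentials: { password: "<chosen-password>" }
})
```

Because the anonymous token carries a ttl, it expires on its own; if you want the promotion to invalidate it immediately, delete the token ref returned by Query 1 in the same transaction as the Update.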

Great feedback @garyposter, thanks :slight_smile:

Auth debugging: you’ll be happy to hear that we are working on / planning a feature to allow you to impersonate a given identity or role in the dashboard, and there are also plans for an explain function for authorisations. This will allow you to test a given identity. I’ll add your request on the relevant tickets.

TokenData: we already have a ticket for this one as well :slight_smile:

Create Tokens TTL: I’ll make sure that I provide that feedback to our docs team.


That’s great to hear, @databrecht, thanks!

I’m especially pleased to hear about the upcoming auth debugging improvement. I lost some time yesterday to discovering that function roles don’t union with the user’s permissions but replace them. I had to test and discard a number of other possibilities before I got to that one. Maybe that’s another one for the docs.

While I have your attention, did you happen to take a look at my follow-up to Unexpected (buggy?) Unique Index behavior? Jay said that it was expected behavior, but I felt I made some reasonable counterpoints.

Thanks again,