
Implement API Bearer Token support #34

Open
col-panic opened this issue May 13, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@col-panic

These are the current authentication methods https://www.redmine.org/projects/redmine/wiki/rest_api#Authentication for the redmine api.

What is missing here is the Auth Type "Bearer Token", which may then be an oauth2 access-token.

It might be a better approach, however, to use a JWT based validation here (like e.g. the solr jwt auth https://solr.apache.org/guide/solr/latest/deployment-guide/jwt-authentication-plugin.html) (REF https://www.redmine.org/issues/25140)

@picman picman added the enhancement New feature or request label May 17, 2024
@picman picman added question Further information is requested and removed enhancement New feature or request labels Jul 17, 2024
@picman
Collaborator

picman commented Jul 17, 2024

I think that you should use Redmine standard API access key instead.

@col-panic
Author

Technically ok. But not as secure.

Why?

  • Redmine API keys are barely (if at all) rotated. Stealing such an API key in some way is thus a real problem.
  • Supporting this Bearer token is much more secure, as they normally are only valid for 10 minutes.

@picman picman added enhancement New feature or request and removed question Further information is requested labels Jul 31, 2024
@col-panic
Author

Consider the following scenario. I have only openid accounts enabled, local passwords are not really set. Now I have an external script, that wants to use the Redmine API to perform some tasks.

At the moment the only possible approach is for the user to log in via the browser, copy the API access key and paste it into my external tool. (Generally the time those redmine api tokens last is very bad. One should introduce a regular rotation of this key.)

We should at least discuss an endpoint to gather the current redmine api key by providing a valid access token for the configured openid identity provider.

@col-panic
Author

I would propose that, in addition to the authentication methods described in https://www.redmine.org/projects/redmine/wiki/rest_api#Authentication, this plugin should "listen" for the HTTP header Authentication = Bearer xyyxyx.... and validate the provided token against the given openid endpoint and/or, if it is of type JWT as keycloak proposes, validate the token using the IdP's public key.

@col-panic
Author

Interesting in this aspect https://www.redmine.org/issues/41220

@col-panic
Author

I have a very interesting example, which is how I think it should work in redmine too. The following NGINX location configuration protects the calls by using the JWT access module:

```nginx
location /protected {
	# https://github.com/kjdev/nginx-auth-jwt
	auth_jwt "closed site";
	auth_jwt_key_request /jwks_uri;
	set $expected_role '["protected-access"]';
	auth_jwt_require_claim realm_access.roles intersect $expected_role;
}
```

If I post something here, then only if the JWT token is valid and has the realm_access.role "protected-access" will it be allowed.

This plugin should enable API calls to behave like this. It is far more secure to use a short-lived token to perform API accesses than the everlasting api key used by default in redmine. There should even be an option to disallow the api token.
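As an added illustration (not code from this issue or from the plugin), the following Ruby sketch shows the check the proposal above describes: verify the RS256 signature of a `Bearer` JWT with the IdP's public key, reject expired tokens, and require that `realm_access.roles` intersects an expected role, mirroring the nginx `auth_jwt_require_claim` line. It uses only the Ruby standard library; the IdP key pair is generated locally as a stand-in for what a real deployment would fetch from the IdP's `jwks_uri`, and `mint_token` exists only so the example runs offline.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed stand-in for the IdP signing key (a real plugin would fetch and
# cache the public key from the IdP's jwks_uri instead of generating one).
IDP_KEY = OpenSSL::PKey::RSA.new(2048)

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Test helper: mint an RS256 JWT the way an IdP such as Keycloak would.
def mint_token(key, claims)
  header  = b64url(JSON.generate({ alg: "RS256", typ: "JWT" }))
  payload = b64url(JSON.generate(claims))
  sig = key.sign(OpenSSL::Digest.new("SHA256"), "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Validate an "Authorization: Bearer <jwt>" header value. Returns the verified
# claims, or nil when the request must be rejected. Checks, in order: header
# shape, algorithm pinned to RS256, signature against the IdP public key,
# expiry, and a non-empty intersection of realm_access.roles with the roles
# the endpoint requires (the nginx config above does the same for one role).
def authenticate_bearer(header_value, pub_key, expected_roles, now: Time.now)
  return nil unless header_value.is_a?(String) && header_value.start_with?("Bearer ")
  token = header_value.delete_prefix("Bearer ").strip
  h64, p64, s64 = token.split(".")
  return nil unless h64 && p64 && s64
  header = JSON.parse(Base64.urlsafe_decode64(h64))
  return nil unless header["alg"] == "RS256" # never accept "none" or an HMAC alg here
  signature = Base64.urlsafe_decode64(s64)
  return nil unless pub_key.verify(OpenSSL::Digest.new("SHA256"), signature, "#{h64}.#{p64}")
  claims = JSON.parse(Base64.urlsafe_decode64(p64))
  return nil unless claims["exp"].is_a?(Integer) && now.to_i < claims["exp"]
  roles = claims.dig("realm_access", "roles") || []
  return nil if (roles & expected_roles).empty?
  claims
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  nil
end

if __FILE__ == $0
  # Constructed sample: a 10-minute token carrying the required role.
  exp = Time.now.to_i + 600
  jwt = mint_token(IDP_KEY, { "sub" => "alice", "exp" => exp,
                              "realm_access" => { "roles" => ["protected-access"] } })
  puts authenticate_bearer("Bearer #{jwt}", IDP_KEY.public_key, ["protected-access"]).inspect
end
```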

@col-panic col-panic changed the title [DISCUSSION] How to use oauth2 authentication with the redmine api? Implement API Bearer Token support Oct 16, 2024