So this is an addendum to my question posed here. Thank you to @dessert who helped a lot with that question.

So I am trying to authenticate a Gitlab user by using their username and password, and not by creating an impersonation token. At the moment, the code that @dessert has created that uses an impersonation token to authenticate a user is as such:

$ curl -d '{"title":"test key","key":"'"$(cat ~/.ssh/id_rsa.pub)"'"}' -H 'Content-Type: application/json' "https://gitlab.com/api/v4/user/keys?private_token=<my_access_token>"

Mainly focusing on the `private_token=`, except with the creation of an impersonation token found here:

$ curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" --data "name=mytoken" --data "expires_at=2017-04-04" --data "scopes[]=api" https://gitlab.example.com/api/v4/users/42/impersonation_tokens

I want to be able to use the username and password of the Gitlab user to authenticate them. I've seen this done with Github, and have done it myself:

$ curl -u "USERNAME:PASSWORD" --data "{\"title\": \"TITLE\", \"key\": \"$(cat ~/.ssh/id_rsa.pub)\"}" https://api.github.com/user/keys

Where USERNAME and PASSWORD are authenticating by user-inputted username and password.

I don't need help with reading input of the user; that's not the issue. My issue (to sum up) is to be able to authenticate a Gitlab user through their username and password.

Again, thanks to @dessert for the help, and any other assistance is appreciated!!

A quick edit: I found this forum post for authentication with login and password, and most are saying to use a Personal Access Token. Does this mean I have to get the user to give me their PAT for authentication? Or do I provide my PAT and somehow it does something? (I was a little unclear on this)

  • No need to mention me. ;) It’s late here and I’m going to bed now, but I think the [Resource owner password credentials flow](https://docs.gitlab.com/ee/api/oauth2.html#resource-owner-password-credentials-flow) comes close to what you want. Are you in a situation where you can safely ignore the many warnings there? – dessert Aug 01 '19 at 22:54
  • Or maybe better [create an impersonation token](https://docs.gitlab.com/ce/api/users.html#create-an-impersonation-token)? – dessert Aug 01 '19 at 22:57
  • 1
    Ah, I see it does come close. Yes, I do understand the many warnings that come with doing this, however the entire purpose of the shell script is to install a security software on a computer. If we can't make submitting username and password safe, then that kind of puts a bad rep to our application ;). Again however, I have discussed these options with my group that is building the shell script, and they all agree we should user username and password authentication. Thank you however – a.mosallaei Aug 01 '19 at 22:58
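For reference, this is what the resource owner password credentials flow linked in dessert's comment looks like when driven from a script: the username and password are exchanged once for a bearer token at `/oauth/token`, and only that token is used to POST the key to `/api/v4/user/keys`. This is an added example, not code from the question, the answer or GitLab; the `transport` argument is a hypothetical hook so the functions can be exercised against a fake server, and the field names follow the GitLab OAuth2 and user keys API documentation.

```python
"""Exchange GitLab username/password for an OAuth token, then add an SSH key.

Added example (not from the thread). Assumes GitLab's documented endpoints
POST /oauth/token (grant_type=password) and POST /api/v4/user/keys.
"""
import json
import urllib.request
from pathlib import Path


def _http_post_json(url, body, headers=None):
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def get_oauth_token(base_url, username, password, transport=_http_post_json):
    """Send the credentials once and keep only the returned access token."""
    reply = transport(f"{base_url}/oauth/token",
                      {"grant_type": "password", "username": username,
                       "password": password})
    if "access_token" not in reply:
        # GitLab answers an invalid login with an "error" field instead of a token.
        raise RuntimeError(f"token endpoint returned no access_token: {reply}")
    return reply["access_token"]


def add_ssh_key(base_url, token, title, public_key, transport=_http_post_json):
    """POST the key with an Authorization: Bearer header rather than ?private_token=.
    json.dumps does the quoting that the shell -d form in the question gets wrong."""
    return transport(f"{base_url}/api/v4/user/keys",
                     {"title": title, "key": public_key.strip()},
                     headers={"Authorization": f"Bearer {token}"})


def install_key(base_url, username, password, key_path="~/.ssh/id_rsa.pub",
                title="test key", transport=_http_post_json):
    """Read the local public key and register it on the account in two API calls."""
    public_key = Path(key_path).expanduser().read_text()
    token = get_oauth_token(base_url, username, password, transport)
    return add_ssh_key(base_url, token, title, public_key, transport)
```

The returned token is all a later call needs, so the password never has to be written to disk or reused once `get_oauth_token` has run.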

1 Answer

So it seems as if this question is not receiving that many answers. I would like to share my answer to this: do not implement this.

I figured this out after finding out that what I actually thought this verification was would download a private repo on Gitlab. HOWEVER, it does not, as it depends on the account of the user that is linked to the repo.

My solution is to warn them that before they continue the script, they add the SSH key to their account. Not a sure-fire way to work always, but it seems to work for me at the moment.

Thanks :)
