0033489: User authentication using REST API in different web applications (For example a Symfony web-app) - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0033489	mantisbt	api rest	public	2024-01-09 05:31	2024-01-10 04:01

Reporter	keessonnema	Assigned To
Priority	normal	Severity	trivial	Reproducibility	N/A
Status	new	Resolution	open
Product Version	2.26.0

Summary	0033489: User authentication using REST API in different web applications (For example a Symfony web-app)
Description	I have asked this question a few years ago, but it wasn't as thought through back then. We are working on a tool to improve the quality of bug reports we get from clients. We created a report-page with a 5W1H-like form in a Symfony application. My question is if MantisBT supports (or will in future support) an authentication method to login in another web application using MantisBT user credentials (from the MantisBT database). The REST API would in my opinion be a good starting point to add authentication (using the generated token to handle issues). At the moment I don't know how to get the username or token from a user that is logged in in MantisBT, but needs to fill in the 5WH1 report form. Our application consists of 500 active users and a way to implement our own report-page using the REST API would be ideal. I'm open to suggestions and/or discussion about this topic, as I don't know if something like this is possible. I'm not super familiar with (o)auth or LDAP auth to understand how this could work. I am however a PHP developer, so technical discussions aren't a problem.
Additional Information	Using MantisBT 2.26.0
Tags	No tags attached.

dregad 2024-01-10 04:01 developer ~0068441	The REST API only supports Tokens authentication. In 2.26.0, we introduced new endpoints to manage user tokens (see 0032245 and the documentation but the /users/me/token endpoint actually requires a Token so the snake is biting its own tail. Consuming /users/:user_id/token with a privileged service account may be an alternative to create a user-specific token, but that does not let you authenticate and validate the user's password for a SSO scenario (assuming you need them to login into your bug report app with their MantisBT credentials). The legacy SOAP API works with User/Password auth, so you may be able to leverage that somehow. For a different, more hackish way of doing things, you could also try to use the MantisBT session cookie via the core API functions, which is how the DokuWiki integration was implemented for this tracker (see https://github.com/mantisbt/dokuwiki-plugin-authmantis). There is also a long-standing request 0011219 to introduce OAuth authentication but that is not going anywhere soon. Hope this helps.