Is it possible to perform RPC calls using user application authentication?


(Felipe Morato) #1

I would like to avoid maintaining an API for certain application using user_application. Is it possible to use Tryton’s RPC interface using user_application?


(Cédric Krier) #2

No, the _dispatch method (responsible for all RPC calls) is decorated by @app.auth_required this decorator support only session and login/password type of authentication.
I do not think it will be good to add support for user_application because this will give full access to any API to the owner of the user_application key which is aimed to be given to third party.


(Felipe Morato) #3

Indeed not good.

But in order to be given an user_application key, it requires the third party to have an user account and manually activate it through the user preferences.

So the third party already has full API access.

From the user_application docs:

After the creation, the key must be validated by the user from the preferences of a Tryton client.


(Cédric Krier) #4

No, the third party make a request to create a key and then the corresponding user validate the request in his profile. So the third party does not need to have login access.


(Felipe Morato) #5

I am trying to understand the use cases and workflow of how user_application is used.

At first I thought that this feature is for internal use so that employees can access functionality through an specified application. But now I’m not sure how a third party fits into the scenario.

So, for example: employee37 gives his username for third party to request a key to access the application.

Or is employee37 supposed to create a new user in the system for the third party and give only the username so that they can request a key and employee37 would then activate the key for the third party.


(Cédric Krier) #6

Yes but only for the specific application name which is linked to a specific API (only route decorated by user_application of the same name).

No, user should not create new user for third application. You must see it like when you register third application to your Twitter or Facebook account.

The first user application is Chronos, it is deeply linked with the user-employee as it create time-sheet for him and it can only use the timesheet user_application (see timesheet/routes.py).


(Felipe Morato) #7

Thank you for the more detailed explanation.


(system) #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.