Capabilities
Capabilities¶
Summary
A mytoken can only be used for the actions allowed by its capabilities.
While the primary usage of a mytoken is to obtain access tokens, it can also be used for other actions. Similar to OIDC scopes the capabilities of a mytoken define the allowed actions for that token.
These are the defined capabilities and the actions they allow:
AT¶
This can be considered the 'standard' capability. A mytoken with the AT capability can be used to obtain access tokens.
create_mytoken¶
A mytoken with the create_mytoken capability can be used to create a new (sub-)mytoken. The new mytoken cannot be more
powerful than the original token.
Example
- If the original token expires in 7 days, the new sub-token cannot be valid for a longer period.
- A created sub-mytoken can only have capabilities that the original mytoken already has.
tokeninfo¶
The tokeninfo capability is a "parent"-capability for all capabilities that start with tokeninfo:, i.e. the
following three ones. A mytoken with the tokeninfo capability can be used for all actions that are allowed by any
of these capabilities.
tokeninfo:introspect:¶
A mytoken with the tokeninfo:history capability can be used to obtain basic information about itself. This includes
the token's content (useful for short tokens) and if restrictions are
defined that limit the number of usages this also allows to query how often the mytoken was already used.
Introspection calls are not counted as usages with regard to the restriction.
tokeninfo:history¶
A mytoken with the tokeninfo:history capability can be used to obtain the event history for that token, i.e. this
allows you to see how / when this token was used.
tokeninfo:subtokens¶
A mytoken with the tokeninfo:subtokens capability can be used to get information about all subtokens (and their
subtokens and so on).
list_mytokens¶
A mytoken with the list_mytokens capability can be used to list the revocation id and some basic information about
all your existing mytokens.
revoke_any_token¶
A mytoken with the revoke_any_token capability can revoke any mytoken by its revocation id.
Normally, a mytoken can only revoke itself or a subtoken. This capability allows to also revoke other tokens.
settings¶
A mytoken with the settings capability can be used to change user settings, in particular it allows control over your
so called grant types - these are the methods how you authorize.
Hint
At the moment the settings capability is primarily allows control over the
ssh grant type. In future versions the power of this capability might be extended.
Important
The settings capability is - like the tokeninfo capability - a capability that has sub-capabilities. A
mytoken with the settings capability will also have all its sub-capabilities (and theirs). Therefore, and
because these capabilities are sensitive the settings capability is a really powerful one.
read@settings¶
Allows read access to all user settings, i.e. it includes all capabilities starting with read@settings:.
settings:grants¶
A Mytoken with the settings:grants capability can be used to make changes to the user grants. This means that
additional grant types (ways to obtain mytokens) can be enabled, disabled, and configured.
Currently, only the ssh user grant is available.
read@settings:grants¶
Allows read access to the user grants.
settings:grants:ssh¶
A mytoken with the settings:grants:ssh capability can be used to enable, disable, and configure the ssh user grant.
read@settings:grants:ssh¶
Allows read access to the ssh user grant, i.e. it allows to query the list of enabled ssh keys and if the grant
type itself is enabled or not.