ability to assign roles/permissions to api keys

[bninja]

currently if i create an api key it has full access to the api.

it's useful to be able to create api keys with a limited set of permissions (either by assigning the api key a role or by explicitly setting permissions). this would allow me to e.g. hand out limited permission keys to 3rd parties or give team members limited control over the dashboard.

additionally i'd like to be able to see:

• which triggered events (e.g. which one was used to cancel a credit)
• which where used to access the api (e.g.which one was used to read transaction data).

[mjallday]

Would oAuth be a good solution here? It allows assigning permissions based on URIs (scope) and would allow setting an expiration on keys when they are handed out. It would also make it easy for 3rd party integration.

[bninja]

@mjallday sounds like what oauth (2.0?) was designed for, so yea lets explore using that. i guess the dashboard would be the initial consumer so lets validate our choice that way.

[trea]

I'd love to see OAuth 2 implemented! +1

[mjallday]

We're getting some love for this issue over on the balanced-dashboard as well

[benblair]

+1 We've seen some reluctance on the part of new sellers on our marketplace to trust our assertion that we have the buyer's funds on hand during a transaction. I think it would go a long way if they could verify directly with Balanced that payment for that particular transaction had been received.

[steveklabnik]

This is being worked on, but hasn't been finished yet!

[ariofrio]

Any progress on this? I think this would be not only really useful, but serve as a security feature by limiting what an attacker can do if they gain control of a server that only has access to a limited-permission API key.

[mjallday]

here's the scenarios that we're immediately attempting to address:

• read only access (e.g. let me accountant see my data) - Limited permission API keys #667 (comment)
• read only for a customer (e.g. let my customer see what i'm storing for them) - ability to assign roles/permissions to api keys #290 (comment)
• restrict access to a subset of data (do not allow a user to create transactions, but allow updating customer info) - Limited permission API keys #667 (comment)

@mahmoudimus and I were discussing the implementation details on #667 yesterday, i'll attempt to give an update there with regards to those.

[kyungmin]

read only for a customer (e.g. let my customer see what i'm storing for them) - #290 (comment)

This seems to require a larger effort. The dashboard currently shows a lot of information that's not relevant for them in the chrome (i.e., sidebar menu items, total balance). It means that we need to provide a separate dashboard view specifically for sellers.

[mjallday]

This seems to require a larger effort

The dashboard is not the only consumer of the API.

[kyungmin]

@mjallday I thought #290 (comment) was specifically about allowing the seller to directly view the dashboard. What other cases are we trying to solve?

[sophistry]

We would like to be able to delegate evidence submission tasks (there is no API for dispute evidence submission so someone has to collect the merchant dispute evidence and submit it by typing and uploading files, etc...) so a privilege for access to disputes portal only would be very useful for us to be able to allow an intern to do that (for example).