Read Only Static Token?

Hey Gang, Maybe it's been answered elsewhere, but is there a guide on setting up a read-only static token? We have Flipt server running with Google Auth for web login, but the static tokens give full API access, which we definitely don't want.

Is there a way to scope rego to do this? Or is there a plan for read-only tokens?

How are other folks handling Feature Flags for Javascript with Web Admin login, but not opening up your server to the world?

Hey @n2p5 !

There are a few ways to slice and dice this.

W.r.t. exposing flags to the frontend, you can actually exclude the evaluation API from authentication altogether. It is a bit of a blunt instrument, so not for everyone. But there is space in the configuration to exclude parts of the API if you so wish.

However, as you mentioned, you can also define a rego policy that grants this scope to certain API tokens. A simple policy might look something like:

package flipt.authz.v1

import rego.v1

default allow := false

allow if {
  input.authentication.method == "METHOD_TOKEN"
  input.authentication.metadata["io.flipt.auth.token.name"] == "read-only"
  input.request.action == "read"
}

This would allow any token with a name "read-only" to only have read action scope (to any resource).

Additionally, if you have Google auth (OIDC) enabled and you’re allowing all users to do everything, you would need an additional clause like so:

allow if {
   input.authentication.method == "METHOD_OIDC"
}

That would get all browser-based users access, while allowing tokens named read-only through for read-scoped requests.

1 Like
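The two clauses above are shown separately; here they are combined into one complete policy, as an added example that is not from the original reply or from the Flipt project. It keeps the deny-by-default rule, grants full access to OIDC (browser) sessions, and additionally narrows the read-only token to a single namespace. The namespace name `frontend` is a constructed value, and the `input.request.namespace` field is assumed to be present in the policy input (the page only shows `input.request.action`).

```rego
package flipt.authz.v1

import rego.v1

# Deny everything that no rule below explicitly allows.
default allow := false

# Browser users who signed in through Google (OIDC) keep full access,
# exactly as in the reply above.
allow if {
  input.authentication.method == "METHOD_OIDC"
}

# A static token named "read-only" may only perform read actions,
# and only inside the "frontend" namespace (constructed example value).
# The namespace field is an assumption about the policy input; drop the
# last line to allow reads across every namespace, as in the reply above.
allow if {
  input.authentication.method == "METHOD_TOKEN"
  input.authentication.metadata["io.flipt.auth.token.name"] == "read-only"
  input.request.action == "read"
  input.request.namespace == "frontend"
}
```

Because the default is `false`, any other static token, and the read-only token attempting a create, update or delete, is rejected. Token names are matched exactly, so a token created with a different name (or a trailing space) gets no access at all rather than accidental full access.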