Application Tokens - using tokens to not use passwords

Tags: #security

I was looking at a tool to send matrix messages from the CLI, and it got me thinking about how we handle authentication for tools like this. I don’t want to give everything my password, especially if it doesn’t need permissions to do literally everything that I can do.

Instead, let’s have the ability to generate tokens that have a restricted scope. GitHub actually does this when you go to make a “personal access token”: you can use that token in place of a password when doing operations. But everything that has the concept of a login should have this, and make use of it. Don’t make me register an app or do anything more than just generating a token.

This isn’t meant to be a replacement for OAuth, which should be used by “proper” applications. This is instead for small utilities that need to run and do something to your account, but don’t need the ability to do everything.

When you authenticate on a device with a username/password, you’re given a root token. This is what you store locally, and it doesn’t leave your device.

Any token can create a subtoken, and revoking a token will revoke that token and all subtokens it made. Subtokens can never have more permissions than the token that created them.

If you want to authorise an application that only needs, say, write access in a particular room, then you generate a token that does exactly that. The UX for this in matrix could look like a list of rooms to apply to, and a list of allowed actions, and the given action must fit both. For example, create_message AND in:#522-notifications.

For the purposes of bot notifications, you could attach a specific name to the token, which is then used for the created messages. That way, you can see what specifically posted the message, even though it would still be posted as your account.

After making this token, you can hand it out to whatever service needs it, such as your backup program, so you can get notified when your backups finish or fail. Because we know you won’t check that manually.

Another use case for restricted scope here is logging in on semi-untrusted devices. If you can avoid actually entering your username/password, by using a phone or similar, you can make a token that doesn’t allow for more dangerous actions like message creation, but instead just allows for message reads, and is time-limited to 1 hour.
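As an added example (not code from this post, nor from any Matrix or GitHub implementation), here is a small Python token store that implements the rules described above: any token can mint a subtoken whose actions and rooms are a subset of its own, a request must fit both the action list and the room list, a name can be attached for bot posts, a subtoken can carry a time limit, and revoking a token kills everything issued beneath it. The class and method names, and the caller-supplied `now` timestamp, are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass
import secrets
@dataclass
class Token:
    actions: frozenset        # allowed actions, e.g. {"create_message"}
    rooms: frozenset          # rooms they apply to, e.g. {"#522-notifications"}
    parent: str | None        # id of the issuing token; None for the root token
    expires_at: float | None  # unix time the token dies, or None for no limit
    name: str | None = None   # label attached to messages posted with this token

class TokenStore:  # hypothetical server-side store, assumed name
    def __init__(self):
        self.tokens: dict[str, Token] = {}

    def issue_root(self, actions, rooms):
        # Root token handed out after a username/password login; never expires
        tid = secrets.token_urlsafe(16)
        self.tokens[tid] = Token(frozenset(actions), frozenset(rooms), None, None)
        return tid

    def create_subtoken(self, parent_id, actions, rooms, now, ttl=None, name=None):
        # The parent must itself be live, and the child scope a subset of the parent's
        if not self.is_live(parent_id, now):
            raise PermissionError("issuing token is unknown, revoked or expired")
        parent = self.tokens[parent_id]
        actions, rooms = frozenset(actions), frozenset(rooms)
        if not (actions <= parent.actions and rooms <= parent.rooms):
            raise PermissionError("subtoken may not exceed its parent's permissions")
        tid = secrets.token_urlsafe(16)
        self.tokens[tid] = Token(actions, rooms, parent_id, None if ttl is None else now + ttl, name)
        return tid

    def revoke(self, token_id):
        # Drop the token; is_live() then fails for every subtoken issued under it too
        del self.tokens[token_id]

    def is_live(self, token_id, now):
        # Walk up the issuing chain: live only if this token and all its ancestors are
        while token_id is not None:
            t = self.tokens.get(token_id)
            if t is None or (t.expires_at is not None and t.expires_at <= now):
                return False
            token_id = t.parent
        return True

    def authorise(self, token_id, action, room, now):
        # The requested action must fit both the action list AND the room list
        t = self.tokens.get(token_id)
        return self.is_live(token_id, now) and action in t.actions and room in t.rooms
```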

Discord has a “log in with QR code” option, where the phone is logged in and is granting permission to a desktop device. But how cool would it be if you could log in under a restricted form if you just want to browse for a bit? Maybe require re-authentication if you send a message, and then only allow sending messages to that room. That would greatly mitigate the damage caused by hostile devices. This would need to be a separate button on the phone end, since otherwise the hostile device could just ignore it and log in anyway as a full user, and then Free Nitro At Disc