Authentication code

I’ve searched, but maybe I’m not sure of the right keywords to do the searching. Here’s what I want to do.
I want to create a Windows application that uploads files to my portal. It scans a folder and when it sees a file, it uploads it.

I’m thinking of Outlook: you can go to the website and create a big long password key thing. I’m not sure what it’s called. But once I enter it into Outlook, then my real password doesn’t matter to it. I can change my password all day, but that key is still active.

I want to offer something similar to my users. They enter that key and the application can log in all the time and send files without bothering the user.

Brad

Hi @bradsharp54

That sounds like M2M (Machine To Machine) or Client Credentials flow.
You authorize the app instead of the user.

However, the app must be confidential, not public - as the “key” is the client secret.

Or you could have the user authenticate and then get a long-lived access token, perhaps combined with a long-lived session for getting new access tokens, and have the portal require that access token.

John

1 Like

I was looking into M2M and it looks super easy. I’m just concerned with the limits on it, for the free and essentials options. The 1,000 authentications doesn’t seem like many and I assume it could run up really quick. I do like that I can give the M2M application only the scope of uploading and it can’t do anything else after that.

I considered the device flow, but wasn’t sure how long the session would live for. For security reasons, I don’t have a session last that long after it’s created. Once the browser is closed, so is the session. And I think I made re-login only 24 hours or so.

Is there a way for the user to store their password and have the system do a basic username/password/client secret thing to get the auth token? I’m not sure how secure that would be either, but at least the user is still in charge of their password and it would be encrypted in the settings file. I’m just spitballing and trying to come up with a secure option that doesn’t annoy my customers and makes uploading files to me seamless.

My other option is doing an SFTP server with a stored username and password too. I don’t like that idea because of the cost of yet another server and another set of user accounts I have to manage. I might have to anyway; it seems SFTP is kind of an industry standard for the area I’m working in.

I know once I move to the professional package (which I see/hope happens later) the M2M add-on is available. Does that give unlimited M2M authentications? I don’t see much info other than “starting at”.

Hi @bradsharp54

1,000 tokens don’t last long, but remember: you can set the lifetime of the token. And since it is a confidential client, it is your backend. So you can make the expiration a long time, say a day, and that would only require 30 tokens per month (assuming you have 1 backend).

John
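A sketch of what John's two replies add up to: a client-credentials (M2M) request issued from a confidential backend, plus a cache that reuses one access token until just before it expires, so a day-long token lifetime costs about 30 token requests a month rather than one per upload. This is added example code, not code from the thread or from any identity provider's SDK; the issuer URL, client id and secret, the `audience` parameter (used by some providers alongside the standard RFC 6749 fields), and the in-memory fake token endpoint are all constructed assumptions so the example runs offline.

```python
import json
import math
import time
import urllib.parse
import urllib.request


def post_form(token_endpoint, form):
    """Real HTTP POST of a form-encoded client-credentials request (RFC 6749 s4.4).
    Not exercised offline; the demo below injects fake_token_endpoint instead."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        token_endpoint, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenCache:
    """Fetches one access token and reuses it until shortly before it expires.
    Runs on the confidential backend; the secret never ships in a desktop app."""

    def __init__(self, token_endpoint, client_id, client_secret, audience,
                 post=post_form, clock=time.time, skew_seconds=60):
        self.token_endpoint = token_endpoint
        self.client_id = client_id
        self.client_secret = client_secret   # load from a secret store or env var in practice
        self.audience = audience             # assumed provider-specific parameter
        self.post = post                     # injectable so the flow can be tested offline
        self.clock = clock
        self.skew_seconds = skew_seconds     # refresh early so a nearly expired token is never sent
        self.requests_made = 0               # how many tokens the quota has been charged for
        self._token = None
        self._expires_at = 0.0

    def get_token(self):
        now = self.clock()
        if self._token is not None and now < self._expires_at - self.skew_seconds:
            return self._token               # cached token still valid: no new request
        form = {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "audience": self.audience,
        }
        resp = self.post(self.token_endpoint, form)
        self.requests_made += 1
        if "access_token" not in resp:
            raise RuntimeError("token request failed: %s" % resp.get("error", "unknown"))
        self._token = resp["access_token"]
        self._expires_at = now + int(resp.get("expires_in", 3600))
        return self._token


def tokens_per_month(lifetime_seconds, backends=1, days=30):
    """Token requests per month if every token is used for its whole lifetime."""
    return math.ceil(days * 86400 / lifetime_seconds) * backends


# Constructed stand-in for the provider's token endpoint (no network).
FAKE_CLIENT_ID = "demo-client-id"
FAKE_CLIENT_SECRET = "demo-client-secret"
FAKE_LIFETIME = 86400                        # one day, as suggested in the reply above


def fake_token_endpoint(token_endpoint, form):
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if form.get("client_id") != FAKE_CLIENT_ID or form.get("client_secret") != FAKE_CLIENT_SECRET:
        return {"error": "access_denied"}
    return {"access_token": "constructed.jwt.token", "token_type": "Bearer",
            "expires_in": FAKE_LIFETIME, "scope": "upload:files"}


class FakeClock:
    """Controllable clock so token expiry can be simulated without waiting a day."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """100 uploads within one token lifetime, then one more after it expires.
    Returns (requests after the 100 uploads, requests after expiry, monthly estimate)."""
    clock = FakeClock()
    cache = TokenCache("https://issuer.example.invalid/oauth/token", FAKE_CLIENT_ID,
                       FAKE_CLIENT_SECRET, "https://portal.example.invalid/api",
                       post=fake_token_endpoint, clock=clock)
    for _ in range(100):
        cache.get_token()                    # every upload reuses the same token
    after_uploads = cache.requests_made
    clock.advance(FAKE_LIFETIME)             # token has expired: exactly one refresh
    cache.get_token()
    return after_uploads, cache.requests_made, tokens_per_month(FAKE_LIFETIME)


if __name__ == "__main__":
    print(demo())
```

The uploader itself only ever calls the portal with the bearer token; the token endpoint and the client secret stay on the backend, which is what makes the client confidential. The `requests_made` counter is the number that counts against the authentication quota in the thread, and `tokens_per_month` shows how lifetime and number of backends drive it.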