Hello everyone,
As a newcomer to OPNsense, I have a question regarding the API key session timeout. Despite my efforts, I haven't come across any details in the documentation, and I was wondering whether OPNsense has an explicit session timeout setting for API keys somewhere. Specifically, I'm curious to know how long the session timeout duration is for API keys before they expire.
If anyone could provide some feedback about this topic, that would be greatly appreciated! Thank you in advance for your help.
What's your session concern here? Since the API keys always need to be pushed, there isn't much an attached session will do, so when it times out a new one is created. But this should not matter from the caller side.
Cheers,
Franco
Thanks for the reply Franco,
Sorry, I'm still trying to grasp how API keys work, so my concern is "If I have an existing API key that was generated some time ago, would using that key for a new API request still provide me with access?"
Thanks again!
Jonathan
Hi Jonathan,
API keys are much like user/passwords, but they are not meant to log in and do stuff (in the session) but rather meant to be passed by a script for each single operation. That means sessions are irrelevant since you are practically logging in for each operation.
API keys will not stop working by themselves but their privileges can be adjusted or completely revoked so that the scripts using them will stop being able to do what they are supposed to (because it's no longer necessary or an API key has been compromised for example).
API keys also only work on the API pages, but not the GUI (I'm not 100% sure but for static PHP pages that is true). In that sense they replace the GUI use altogether.
Cheers,
Franco
I also saw them when logged in via browser for ages and the system already rebooted.
Repeating franco a bit ...
An API key - no matter if it's OPNsense or e.g. GitHub - is a permanent authentication token. Like an SSH key. Once generated and authorized it never changes and there is no "session".
The administrator of whatever application we consider can of course revoke any issued API key any time.
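The per-request model described in the answers above, as an added example that is not code from the thread or from the OPNsense project: each call carries the key and secret as HTTP Basic credentials (which is how OPNsense's API accepts them), no cookie or session is kept, and revoking the key makes the very next call fail. The server here is a local stand-in on loopback, and the key, secret and URL path are constructed for illustration; a real script would call the firewall over HTTPS.

```python
import base64, hmac, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed key/secret pair known to the stand-in server; revoking means deleting it.
VALID_KEYS = {"EXAMPLE_KEY": "EXAMPLE_SECRET"}

class StubApi(BaseHTTPRequestHandler):
    """Local stand-in for an API endpoint: checks credentials on every request, sets no cookie."""
    def do_GET(self):
        hdr = self.headers.get("Authorization", "")
        ok = False
        if hdr.startswith("Basic "):
            try:
                key, _, secret = base64.b64decode(hdr[6:]).decode().partition(":")
                ok = key in VALID_KEYS and hmac.compare_digest(VALID_KEYS[key], secret)
            except (ValueError, TypeError):
                ok = False
        self.send_response(200 if ok else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def call_api(url, key, secret):
    """One self-contained call: credentials travel in this request, nothing is kept between calls."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/api/example/status"  # hypothetical path
    first = call_api(url, "EXAMPLE_KEY", "EXAMPLE_SECRET")
    later = call_api(url, "EXAMPLE_KEY", "EXAMPLE_SECRET")  # same key, any time later
    VALID_KEYS.pop("EXAMPLE_KEY")  # administrator revokes the key
    revoked = call_api(url, "EXAMPLE_KEY", "EXAMPLE_SECRET")
    srv.shutdown()
    srv.server_close()
    return first, later, revoked

if __name__ == "__main__":
    print(demo())
```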
Beginning with sincere gratitude, I wish to express my thanks to Franco and all the other contributors who have generously shared their answers on this forum, which has undoubtedly proven to be immensely beneficial.
I look forward to further interactions and discussions on the forum!
Warm Regards,
Jonathan
We are here to help after all :)
Thanks,
Franco