Authorization Bearer token

I’m trying to understand the documentation, but I always get to the fact that you need to add the certificate for TLS authentication. How can I set the Authorization Bearer token?

I found this:

stgraber@dakara:~$ openssl req -x509 -newkey rsa:4096 -sha384 -keyout client.key -nodes -out client.crt -days 1 -subj "/CN=test.local"
stgraber@dakara:~$ incus config trust add-certificate client.crt --restricted --projects demo
stgraber@dakara:~$ tls2jwt client.key client.crt now 120
stgraber@dakara:~$ curl -s -k -H 'Authorization: Bearer XXXXX' https://localhost:8443/1.0/projects | jq
{
  "type": "sync",
  "status": "Success",
  "status_code": 200,
  "operation": "",
  "error_code": 0,
  "error": "",
  "metadata": [
    "/1.0/projects/demo"
  ]
}

But from a certain point of view it doesn't make sense, since once the certificates have been added I could already use those for authentication, considering that they must already be copied onto the client, since I will always have to generate the token on the client.

The authorization bearer token is mostly used for two situations:

  • A client stack which doesn't know how to do TLS client certificate authentication
  • Environments where a proxy server sits between the client and the Incus server: an HTTP-level proxy will not be able to forward the TLS client certificate and so needs another authentication mechanism. TCP-level proxies and load balancers are fine, though, since those pass the TLS client certificate through.

Wouldn’t something like this be simpler:
incus config authorization|bearer add 0|360d

We could add a command to incus remote for you to get a bearer token, but on the Incus side we don’t want to have to deal with anything but TLS certificates, so we don’t plan on letting you generate an arbitrary token that’s not derived from a TLS certificate.

The way bearer tokens are implemented currently is basically that the root API handler detects them, validates the token, fetches the matching client certificate and then modifies the request to be identical to what it would have been if you had used a TLS client certificate all along.