I’m trying to understand the documentation, but I always get to the fact that you need to add the certificate for TLS authentication. How can I set the Authorization Bearer token?
But from a certain point of view it doesn’t make sense, since once the certificates have been added I could already use those for authentication, considering that they must already be copied onto the client. Since I will always have to generate the token on the client.
The authorization bearer token is mostly used for two situations:
- Client stack which doesn’t know how to do TLS client certificate authentication
- Environments where a proxy server sits between the client and the Incus server. Any HTTP-level proxy will not be able to forward the TLS client certificate and so needs another authentication mechanism. TCP-level proxies and load balancers are fine though; those will pass through the TLS client certificate.
We could add a command to incus remote for you to get a bearer token, but on the Incus side we don’t want to have to deal with anything but TLS certificates, so we don’t plan on letting you generate an arbitrary token that’s not derived from a TLS certificate.
The way bearer tokens are implemented currently is basically that the root API handler detects them, validates the token, fetches the matching client certificate and then modifies the request to be identical to if you had used a TLS client certificate all along.
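The flow described in the reply above, sketched in Go as an added example (not Incus's code and not part of the original posts): a token derived from the client certificate's key is resolved back to a certificate already in the trust store. The token layout `<fingerprint>.<expiry>.<signature>` and the names `fingerprint`, `newClient`, `mintToken` and `authenticate` are assumptions made for illustration; the thread does not give Incus's real token format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) } // hex SHA-256 of the DER
// newClient builds a throwaway self-signed client certificate (constructed sample input).
func newClient() (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// mintToken (client side): hypothetical layout, signed with the certificate's private key.
func mintToken(c *x509.Certificate, key ed25519.PrivateKey, exp time.Time) string {
	payload := fingerprint(c) + "." + strconv.FormatInt(exp.Unix(), 10)
	return payload + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(key, []byte(payload)))
}
// authenticate (server side): resolve a bearer token to the trusted certificate it was derived from.
func authenticate(header string, trusted map[string]*x509.Certificate, now time.Time) (*x509.Certificate, error) {
	p := strings.Split(strings.TrimPrefix(header, "Bearer "), ".")
	if !strings.HasPrefix(header, "Bearer ") || len(p) != 3 || trusted[p[0]] == nil {
		return nil, fmt.Errorf("malformed token or unknown certificate")
	}
	cert := trusted[p[0]] // identity comes only from the existing trust store
	pub, isEd := cert.PublicKey.(ed25519.PublicKey)
	exp, expErr := strconv.ParseInt(p[1], 10, 64)
	sig, _ := base64.RawURLEncoding.DecodeString(p[2]) // a bad encoding fails Verify below
	if !isEd || expErr != nil || now.Unix() >= exp || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, fmt.Errorf("expired token or bad signature")
	}
	return cert, nil // the request is then handled as if this certificate had arrived over TLS
}
func main() {
	cert, key := newClient()
	hdr := "Bearer " + mintToken(cert, key, time.Now().Add(time.Minute))
	_, err := authenticate(hdr, map[string]*x509.Certificate{fingerprint(cert): cert}, time.Now())
	fmt.Println("accepted:", err == nil)
}
```

Because the server only ever maps a token to a certificate it already trusts, removing that certificate from the trust store also invalidates every token derived from it.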