Fix authentication for Seafile 11 by replacing Bearer tokens with Sea… #47
Conversation
|
@apdavison I don't believe I can create tags. Can you create tag 0.6.2 , and trigger a pypi release? |
|
I think I approved this too soon. The CI tests are failing, and the unit tests also fail locally. I'll look into it further. |
|
I don't understand how this could help users ? To obtain a seafile token, you need a Bearer token, users in seafile doesn't have password, it's all through OIDC or OAuth2. How the OIDC token is exchanged for Seafile token ? |
|
You're absolutely right that Seafile users do not have passwords and that authentication must happen through OIDC/OAuth2. In Seafile 8, the EBRAINS-specific middleware allowed:
In Seafile 11, this custom middleware is no longer active, so the API rejects EBRAINS Bearer tokens. So, what this PR actually does ? It implements a client-side token exchange, where: The caller still provides an EBRAINS OIDC Bearer token. The library calls /api2/account/token/, the endpoint returns a Seafile API token. All subsequent API calls use:
This does not change how users authenticate. With this token exchange, the library can continue to function even if the server no longer accepts OIDC Bearer tokens directly. Once the EBRAINS OIDC token will be accepted on Seafile 11, the token exchange layer can be removed again. So the PR should be a temporary fix, not the long-term solution. I was not cery clear on my PR comment, sorry for that. |
Fix authentication for Seafile 11 by replacing Bearer tokens with Seafile API token
Seafile 11 no longer accepts external OIDC Bearer tokens (this was supported in
Seafile 8 through a custom EBRAINS middleware that has now been removed).
The API now requires a Seafile-specific API token generated via
/api2/account/token/.This commit adds the OIDC → Seafile token exchange and updates all API requests
to use
Authorization: Token <seafile_token>instead of the previous Bearertoken.
This ensures compatibility with Seafile 11 and restores authenticated access.