#28564 OpenAPI: Accept authorization token, even if it contains no user information

Enhancement

Major

#28022

TL-Script: Access to application configurations

#28173

TLScript: new function for parsing Excel files

#28310

Layout editor: Process view

#28532

New TL script function isCompatibleValue()

#28539

TLScript-Funktion für den Zugriff auf konfigurierte Formate

#28550

Prevent leading and trailing white space for model-based fields

#28558

OpenAPI: Enable multiple alternative authentication mechanisms for the same API

#28564

OpenAPI: Accept authorization token, even if it contains no user information

Detail

#28523

Option list is not updated if the options are calculated via configured scripts

#28541

Make lock strategy available in templates for Grid and Tree-Grid

#28542

Support for SQL "like" construct

#28561

Dynamic file names for (Excel) downloads

Bugfix

Major

#28578

Oracle JDBC driver update: Bug "ORA-01461" in JDBC driver

Detail

#27975

Excel export in model editor has wrong command group

#28303

Customize documentation for integrating icon fonts

#28375

Overwriting I18N attributes makes existing values unreachable

#28445

Ignore the selection column for the "Automatically adjust column widths" function

#28529

NullPointerException for modifiedRevision() on new compositions

#28531

Pressing ESCAPE or ENTER after a reload throws an error and triggers a reload

#28540

Backward references in transient objects are not resolved correctly

#28552

Replace the obsolete term "Wrapper" with the current term "TLObject" in the CompositionFieldProvider class.

#28553

Type conversion error for calculated columns of type tl:core:Duration

#28555

Images in HTML attributes are only displayed after saving

#28557

Size restriction for the "street" attribute of a company contact too strict

#28563

JSON: NumberFormatException when parsing large integer values

#28565

CSS class ' tblRight' does not apply for fields in edit mode and in the header

#28566

Consider composition attributes Do not include dynamic designations in the table title

#28570

Missing Validation of OAuth State Parameter

#28582

ClassCastException when selecting all rows in table

#28584

Template for tables with "resetInvisible" option

Enhancement

Major

#28564

OpenAPI: Accept authorization token, even if it contains no user information

DifaV7 OpenAPI

An authorization token may also be issued for a technical user (with only client credentials). API requests with such a token should not generally be rejected.

A token introspection response could look like:

{ "active":true, "client_type": "confidential", "token_type": "Bearer", "exp":1742811704, "client_id": "XXXXXXXXXXXXXXXXXX" }

The authorization information could also be made available to the executing script. In the script above, access checks could be required depending on the authenticated client ID.

On the other hand, for requests that are not handled in user context (for which no application user can be identified), it could be beneficial, if the request could be mapped to a system user in which context the request is executed and which is available for checking roles an permissions.

Improvement

A technical user account can be configured for an API key. Requests for this API key are then executed in the context of this user account.
With OpenID authentication, a mapping from client ID to technical user can be configured if authentication is to take place in the user context. If the token introspection response does not provide a user name, a technical user name is searched for the client ID in the context of which the request is to be processed.

Test

Configure API with OpenID authentication in user context and mapping of client ID to technical user. Request API with token without user context.
Configure API key with technical user and make request with this API key.