Context of the ask:-
Issues with a functionality on Agility platform “Token Issue”
We have been notified by our system architect team of the security issues caused by one of the functionality in Agility.
In Agility, users can generate their own tokens for API connectivity. This process needs appropriate governance, as of now all the agility users can generate a token and have API connections to any application. We have noticed a few anomalies in these connections and as of now we do not have the visibility of these connectivity (what are these connectivity used for). So we would like Digital.ai to provide a solution to have visibility on these tokens and provide a systematic governance for the same as the token access is considered to be lacking the appropriate controls.
Steps to create the tokens are provided below :-
Step 1- any agility user can generate a token by selecting their profile, once they click on the profile, there is a drop down with 4 options and one of it is “Applications” as shown in the screenshot below
Step 2 - Once they click on the application drop down, It will open up to a new page as shown below. In this page the user can select a Public/Personal token.
As shown in the screenshot below the public token is created for anyone in the company to use and the personal is for the use of the agility user only
When the user clicks on personal. The next step is to enter the application name and the token will be created as shown in step 3
Step 2.1 - if the user clicks on Public, there would be a list of applications associated with the user and they can select the application to have the API connect from there.
Step 3 - Once the selection is made the token is generated and a message is displayed that the user will no longer be able to copy the access token once the box is closed. So the users will have to copy the token by clicking on copy to clipboard
Step 4 - Once the token is copied the API connection is made. As shown in the screenshot below
As you can see there is no governance in place for creating these tokens. The “Description” box is not available and not made mandatory for creating the tokens, So it makes it difficult for us to have a clear view of what these tokens are used for and what applications are connected to agility.
We have observed a few anomalies as shown below, where one of the users has a connection to linkedin which is not an official airbus application.
This is just of of the many examples what we have currently in Agility
So we require Digital.ai to provide a solution for this issue. As it is a serious threat to the security of agility data. Although we can revoke the tokens, but this will create a bad customer experience and the possibility for the customer to create another token is always open.
Below are few asks from our end to resolve this issue :-
We want users to describe the details of token usage for API calls. So one description box should be available to the user while creating a token and it should be mandatory
Allow Agility admin user to approve newly created token, so that token usage will be under control
While creating the token, restrict user by asking user to select list of APIs to be allowed for this token
Create a Governance platform for the tokens created
We want a Rate limit feature, where users are allowed to consume Agility API based on limitation.
Limitation can be based on number of requests allowed per second for a given token
Dashboard or Page showing statistics about the usage of token
Actively used token
List of API consumed
List of failed API call
List of success API call
thank you in advance for your support
by: Apoorva R. | 6 months ago | Tracking
Comments
Thank you for submitting this idea, this approach to API tokens is a common practice in software. However, there is always room for improvement. let us review! Does this resonate with others here in Ideaspace?