CKAN API: Legacy API keys being retired, replaced by API Tokens

[robredpath]

We are in the planning staging of upgrading the version of CKAN on the Registry from v2.9 to v2.10. One important change that's happening is that Legacy API Keys are being removed, and API Tokens will be the only way to authenticate API users.

See the CKAN API documentation and 2.10 changelog for more information.

I have two questions.

Firstly, does Publisher currently use Legacy API Keys or API Tokens? If Legacy API Keys, what would be involved in refactoring to use API Tokens?

Secondly, does the removal of Legacy API Keys result in users having to take any action, or can all necessary actions be taken by YI?

[robredpath]

@praweshsth this is the GH issue I mentioned on our call just now

[praweshsth]

@robredpath Changed this to discussion. It will stay in discussion. We will look into it and provide you response on this soon.

[Sanilblank]

@robredpath Regarding your two questions:

1. Currently publisher allows users to publish their activities using both API keys as well as API tokens, the system has not set any kind of restriction. This is because, we are using the api provided by IATI itself to confirm whether the token/key provided by user is valid or not.
   If IATI registry updates the said api to not allow the IATI key to be valid, then the publisher system will automatically start treating the IATI key as invalid and so the users will need to generate new IATI tokens from the IATI registry and will need to update the publishing info data in IATI Publisher to be able to publish their files.
   The api which I have mentioned above, the one responsible for determining whether the API key/token used by the user is correct or incorrect is:
   https://iatiregistry.org/api/action/organization_list_for_user
   In this api, we pass the API key/token of the user as the authorization parameter.

2. Once the IATI registry removes the validity of legacy API keys, the users who are currently using such API keys will need to login to the IATI registry and generate new API tokens which will then need to be updated in IATI publisher system for the system to be able to publish the activities and organisation.

cc. @praweshsth @PG-Momik @A4family

[robredpath]

Thanks @Sanilblank ! Can you check how many Publisher users do currently use API Keys? I understand from the CKAN API docs that API keys look like UUIDs and therefore should be fairly easy to find.

API Tokens have been the default since CKAN 2.9 which hopefully means not too many users will use them!

[Sanilblank]

@robredpath After checking the production database, I have created the document and listed all the publisher who are using the API keys. Also, I found that some publishers have not input the API token field at all, which will result in them not being able to publish their data, so I have also attached the document containing the information about such publishers.
Note: The migrated_from_aidstream shows whether the organisation was migrated from AidStream or not where 0 represents false and 1 represents true.
orgs_using_old_api_keys.xlsx : 21
orgs_with_empty_api_token.xlsx: 5

cc. @praweshsth @PG-Momik @A4family

[robredpath]

@Sanilblank I have edited your comment to remove the links to the files: we should never be sharing information about users in public forums, including GitHub. That was why I asked "how many", rather than "which users".

However, thank you for this information. I can see that there are a relatively small number of organisations; we will consider how best to proceed.

[robredpath]

We've been running some monitoring on the IATI Registry and we can see that the number of people using API Keys is decreasing as tool providers make the switch for their users. I'd like to address the 21 IATI Publisher users who still use API Keys and replace them with tokens.

As I understand it, YI have sysadmin access to the IATI Registry, so I think you're able to do all of the necessary steps yourselves to move publishers away from keys to tokens by just logging into the Registry, generating a token for the relevant user, and entering it into the Publisher interface (or database!).

Please can you let me know if this is correct @praweshsth (or @Sanilblank ?) and if there are any barriers to you proceeding with this?

Thanks! (cc @emmajclegg )

[emmajclegg]

To confirm here - I've generated API tokens for each of these 21 organisations and replaced the API keys they were using in IATI Publisher.

[praweshsth]

Do inform us, if there are issues regarding it.