Hi there,

I was wondering how one would go about representing a CDF Client credential as a connection string.

The main idea is to have a single string representing the credentials needed to connect to CDF. The connection string itself should be unwrapped by whatever client it is passed to (Python SDK, JS SDK, etc), and should of course not be sent as part of the request to the API.

For tenants using API-keys, something like this may make sense:

cdf://CLIENT_NAME:API_KEY@api.cognitedata.com/PROJECT_NAME

However, using tokens instead of api-keys is a bit trickier:

cdf://TOKEN_USERNAME:TOKEN_SECRET@api.cognitedata.com/PROJECT_NAME?token_url=TOKEN_URL&token_scopes=TOKEN_SCOPES

Naturally, it is possible to put anything in the URL parameters, but generalizing the username, password and path-properties would be great.

Some challenges that come to mind:

  • How to differentiate between different authentication methods (i.e. api-keys and tokens)
  • Is it possible to keep a consistent scheme regardless of authentication method? I.e. always format the path as “BASEURL/PROJECT_NAME”, keep username/password fields the same, etc?
  • Should client name be part of the connection string?
  • Is this even a good idea?
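
The format proposed above, unwrapped client-side, as an added example that is not part of the original post and is not Cognite SDK code. The function names, the rule that the presence of token_url selects token auth, the comma- or space-separated scopes, and the https-only check on token_url are all assumptions.

```javascript
// Constructed sample input (not real credentials); query values are URL-encoded.
const SAMPLE_TOKEN_CONN =
  "cdf://my-app:s3cr%2Fet%40x@api.cognitedata.com/my-project" +
  "?token_url=https%3A%2F%2Flogin.example.com%2Ftoken&token_scopes=scope-a,scope-b";

// Hypothetical helper: unwrap a cdf:// connection string into client settings.
function parseCdfConnectionString(connStr) {
  const u = new URL(connStr);
  if (u.protocol !== "cdf:") throw new Error("not a cdf:// connection string");
  if (!u.username || !u.password) throw new Error("missing credentials");
  const project = decodeURIComponent(u.pathname.replace(/^\/+|\/+$/g, ""));
  if (!project || project.includes("/")) {
    throw new Error("expected exactly one PROJECT_NAME path segment");
  }
  const cfg = {
    baseUrl: `https://${u.host}`, // assumption: the API is always reached over TLS
    project,
    name: decodeURIComponent(u.username), // userinfo is percent-encoded in a URL
    secret: decodeURIComponent(u.password),
  };
  // Assumption: token_url present means token auth, absent means API key.
  const tokenUrl = u.searchParams.get("token_url");
  if (tokenUrl === null) return { ...cfg, authType: "apiKey" };
  // The secret is posted to token_url, so a string from an untrusted source
  // must not be able to redirect it to a cleartext endpoint.
  if (new URL(tokenUrl).protocol !== "https:") {
    throw new Error("token_url must be https");
  }
  const scopes = (u.searchParams.get("token_scopes") || "")
    .split(/[ ,]+/)
    .filter(Boolean);
  return { ...cfg, authType: "token", tokenUrl, scopes };
}

// Hypothetical helper: form of the string that is safe to log or show in errors.
function redactCdfConnectionString(connStr) {
  const u = new URL(connStr);
  if (u.password) u.password = "REDACTED";
  return u.toString();
}
```

Only baseUrl and project belong in request URLs; the secret goes into an Authorization header or the token request body, and anything logged should pass through the redaction helper first.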

Hi thomasfred,

Thank you for providing feedback. We always look to improve the user experience using the SDKs, especially when it comes to an important feature such as authentication.
Currently authentication lives outside the JavaScript SDK, meaning some code needs to be written for both API and OIDC authentication. See code samples. In a next iteration of this, we will aim to reduce the amount of code the user will have to write. There are a couple of ways to approach this, your suggestion being one of them.
To answer your questions, we would only offer using tokens, more specifically OIDC, at the start, with API login being the same as before. Benefits of having a CDF Client connection string lie in its simplicity. But this also comes with drawbacks, such as reduced security for the client secret.

In general, I completely agree that there should be a standardised approach to authentication across all SDKs and that is something we aim for.

Kindest regards
Omar


This is very useful, thank you :)


Sorry, but I don't see the code samples that are referred to by @omarakabbal. Attachments / links?


Hi Andreas, here is the link to the code samples mentioned above: https://github.com/cognitedata/cognite-sdk-js/tree/master/samples/react. If you are using node.js, here are the code samples for that: https://github.com/cognitedata/cognite-sdk-js/tree/master/samples/nodejs. Let me know if this helps :)
