Initial support for authentication with OAuth2 Client Credentials is now available for testing 🔐

Initial support for authentication with OAuth2 Client Credentials is now implemented to protect the new Prometheus-compatible metrics API endpoint. We are also considering using it in combination with 2FA to allow mobile apps and WebDAV clients to access the API when 2FA is enabled.

Specific options for this would be:

  • (a) creating an (expiring or non-expiring) access token through the UI or command line interface that can be configured in apps instead of the username/password,
  • (b) creating a client_id and client_secret and using them in apps instead of the regular username/password (the app still needs to request an access token afterwards), or
  • (c) implementing a flow where apps redirect to your PhotoPrism instance, you grant permission to connect the app, and then are redirected back to the app with an authorization code that allows it to create an (expiring or non-expiring) access token.

Note that method (c) additionally requires the registration of a URI scheme in iOS/Android for the redirect back to an app to work. Also, from what we know, PhotoSync and most other WebDAV clients just support a regular username/password for authentication, which only seems to be compatible with methods (a) and (b) e.g. when you use the client secret or access token as password.

We welcome feedback and any help with testing so that we can improve the implementation if necessary before releasing it! ✨

If you would like to test the new POST /api/v1/oauth/token endpoint, you can use the photoprism/photoprism:test image available on Docker Hub and, for example, run this in a terminal to create a new access token:

curl -Ss -X POST http://localhost:2342/api/v1/oauth/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=metrics&client_id=ID&client_secret=SECRET'

Simply replace ID and SECRET with the actual client ID and secret created using the new photoprism clients add command, and make sure the base URL is correct, i.e., you may also need to change http://localhost:2342/.

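To make the exchange above concrete, here is an added example (not PhotoPrism's code and not taken from the post) that models both sides of the Client Credentials grant: a client that builds the same form-encoded request the curl command sends, a stand-in token endpoint that checks client_id/client_secret and scope and issues an opaque Bearer token, and a stand-in resource check of the kind the metrics endpoint would run. The endpoint path and form fields come from the curl command; the JSON response shape follows RFC 6749 section 5; the client registry, the example-client/example-secret credentials, hashing secrets and tokens at rest, the one-hour lifetime and the Bearer check are assumptions made for illustration.

```python
# Added example: a stand-in for the client-credentials exchange described above.
# Not PhotoPrism code; the endpoint path and form fields follow the curl call in
# the post, the JSON response shape follows RFC 6749 section 5, and the client
# registry, secret hashing, token lifetime and bearer check are assumptions.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

TOKEN_PATH = "/api/v1/oauth/token"
TOKEN_TTL = 3600  # assumed lifetime in seconds


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed client registry: client_id -> (sha256(client_secret), allowed scopes).
# Secrets are stored hashed so a leaked database does not yield working credentials.
CLIENTS = {"example-client": (sha256_hex("example-secret"), {"metrics"})}

# Issued tokens keyed by sha256(token), for the same reason.
ISSUED = {}


def build_token_request(base_url, client_id, client_secret, scope="metrics"):
    """Client side: the same request the curl command in the post sends."""
    body = urlencode({"grant_type": "client_credentials", "scope": scope,
                      "client_id": client_id, "client_secret": client_secret})
    return ("POST", base_url.rstrip("/") + TOKEN_PATH,
            {"Content-Type": "application/x-www-form-urlencoded"}, body)


def token_endpoint(form_body, now=None):
    """Server side: handle the form-encoded body of POST /api/v1/oauth/token.
    Returns (HTTP status, JSON-serialisable dict) in RFC 6749 section 5 form."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client_id = form.get("client_id", "")
    entry = CLIENTS.get(client_id)
    # Compare against a dummy hash when the client is unknown, so an unknown id
    # and a wrong secret take the same code path and roughly the same time.
    expected = entry[0] if entry else sha256_hex("")
    secret_ok = hmac.compare_digest(expected, sha256_hex(form.get("client_secret", "")))
    if entry is None or not secret_ok:
        return 401, {"error": "invalid_client"}
    allowed = entry[1]
    requested = set(form.get("scope", "").split()) or allowed  # default scope if none given
    if not requested <= allowed:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)  # opaque token with 256 bits of entropy
    ISSUED[sha256_hex(token)] = {"client_id": client_id, "scope": requested,
                                 "expires": now + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}


def authorize_bearer(authorization_header, required_scope, now=None):
    """Resource side: check an Authorization header before serving, e.g., metrics.
    Returns (True, client_id) on success or (False, reason) on failure."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "missing bearer token"
    record = ISSUED.get(sha256_hex(token))
    if record is None:
        return False, "unknown token"
    if now >= record["expires"]:
        ISSUED.pop(sha256_hex(token), None)  # drop expired tokens eagerly
        return False, "expired"
    if required_scope not in record["scope"]:
        return False, "insufficient_scope"
    return True, record["client_id"]


def demo(base_url="http://localhost:2342"):
    """Full round trip: obtain a token, then present it to the metrics check."""
    _method, _url, _headers, body = build_token_request(base_url, "example-client", "example-secret")
    status, response = token_endpoint(body)
    if status != 200:
        return False, response["error"]
    return authorize_bearer(f"{response['token_type']} {response['access_token']}", "metrics")


if __name__ == "__main__":
    print(demo())
```

The points worth carrying over to a real deployment are the ones the post's curl command does not show: the token is opaque and only its hash is stored, the client secret is compared in constant time even for unknown client IDs, the requested scope is checked against what the client was registered for (so a metrics-only client cannot obtain a broader token), and the resource side rejects expired tokens and tokens whose scope does not cover the endpoint.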

After speaking with @Radiokot, one of the mobile app maintainers, we will probably allow users to create access tokens for apps through the user interface, just like many popular websites/services do.

This corresponds to option (a) and seems to be the easiest to implement in order to replace authentication with a user’s username/password when 2FA is enabled. The best solution to allow WebDAV access with 2FA has yet to be determined.

If you have any other preferences, questions, or concerns, please let us know! 🤗