Initial support for authentication with OAuth2 Client Credentials is now available for testing πŸ”

Initial support for authentication with OAuth2 Client Credentials is now implemented to protect the new Prometheus-compatible metrics API endpoint. We also consider using it in combination with 2FA to allow mobile apps and WebDAV clients to access the API when 2FA is enabled.

Specific options for this would be:

  • (a) creating an (expiring or non-expiring) access token through the UI or command line interface that can be configured in apps instead of the username/password,
  • (b) creating a client_id and client_secret and using them in apps instead of the regular username/password (the app still needs to request an access token afterwards), or
  • (c) implementing a flow where apps redirect to your PhotoPrism instance, you grant permission to connect the app, and then are redirected back to the app with an authorization code that allows it to create an (expiring or non-expiring) access token.

Note that method (c) additionally requires the registration of a URI scheme in iOS/Android for the redirect back to an app to work. Also, from what we know, PhotoSync and most other WebDAV clients just support a regular username/password for authentication, which only seems to be compatible with methods (a) and (b) e.g. when you use the client secret or access token as password.

We welcome feedback and any help with testing so that we can improve the implementation if necessary before releasing it! :sparkles:

If you would like to test the new POST /api/v1/oauth/token endpoint, you can use the photoprism/photoprism:test image available on Docker Hub and, for example, run this in a terminal to create a new access token:

curl -Ss -X POST http://localhost:2342/api/v1/oauth/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=metrics&client_id=ID&client_secret=SECRET'

Simply replace ID and SECRET with the actual client ID and secret created using the new photoprism clients add command and make sure the base URL is correct, i.e. you may also need to change http://localhost:2342/.


After speaking with @Radiokot, one of the mobile app maintainers, we will probably allow users to create access tokens for apps through the user interface, just like many popular websites/services do.

This corresponds to option (a) and seems to be the easiest to implement in order to replace authentication with a user’s username/password when 2FA is enabled. The best solution to allow WebDAV access with 2FA has yet to be determined.

If you have any other preferences, questions, or concerns, please let us know! :hugs: