I use Long-Lived Access Tokens in various places, such as Microsoft Flow but also locally on my machines. Most services that I use with this access token only need access to one or two sensors, instead of the full-blown permission set that it has now. As it can be hard to store these access tokens securely on a machine (read: not in plaintext), I would really like to give permissions on an entity level to my Long-Lived Access Tokens.
A thought on this for whoever will implement this:
In my opinion the permissions should not be encoded within the token. I don’t know if someone would even think of doing this, but it would be a valid thought since tokens are signed anyway, thus including the permissions would seem somewhat secure.
The downside to this approach would be that, in case the secret used to sign the tokens were leaked, it would be possible for an attacker to generate tokens with other permissions, thereby granting more access than the token is supposed to provide.
So at least to me it would make more sense to assign the permissions separately to some sort of token-id within the token. With this in place HA would just first have to see if the token is valid, and if so, what the assigned permissions are, and based on them allow or reject the requested action.
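A sketch of the two designs contrasted in the post above, added here as an illustration; it is not code from this thread or from Home Assistant. The signing key, token ids and entity ids are constructed sample values, and the token format (base64url JSON with an HMAC-SHA256 tag) is an assumption chosen for the demo, not HA's actual token format. Design A keeps only a token id in the token and looks permissions up server-side; design B embeds the permission list in the signed payload.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load it from a secret store.
SIGNING_KEY = b"constructed-demo-signing-key"

# Design A ("token-id" model): the token carries only an id, and the server
# keeps the id -> allowed entities mapping. Constructed sample data.
GRANTS = {
    "tok-flow-01": {"sensor.living_room_temperature", "sensor.outdoor_humidity"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str, key: bytes) -> str:
    return _b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def mint(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Serialize claims as base64url(JSON) and append an HMAC-SHA256 tag."""
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{payload}.{_sign(payload, key)}"


def verify(token: str, key: bytes = SIGNING_KEY):
    """Return the claims if the tag is valid, otherwise None."""
    try:
        payload, tag = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _sign(payload, key)):
        return None
    return json.loads(_b64url_decode(payload))


def authorize_by_lookup(token: str, entity_id: str, grants=GRANTS) -> bool:
    """Design A: signature check first, then a server-side permission lookup."""
    claims = verify(token)
    if claims is None:
        return False
    return entity_id in grants.get(claims.get("tid"), set())


def authorize_embedded(token: str, entity_id: str) -> bool:
    """Design B: permissions are read straight from the signed payload."""
    claims = verify(token)
    if claims is None:
        return False
    return entity_id in claims.get("entities", [])


def demo() -> dict:
    """Exercise both designs and return the authorization outcomes."""
    results = {}
    genuine = mint({"tid": "tok-flow-01"})
    results["genuine_allowed"] = authorize_by_lookup(genuine, "sensor.living_room_temperature")
    results["genuine_other_entity"] = authorize_by_lookup(genuine, "light.kitchen")

    # Tampering with the payload invalidates the tag in both designs.
    payload, tag = genuine.split(".")
    results["tampered_rejected"] = verify(f"{payload}x.{tag}") is None

    # Scenario from the post: the signing secret has leaked. Under design B the
    # key alone yields a valid token naming any entity. Under design A a token
    # with an unknown id has no grant row and gets nothing, and removing a row
    # revokes an existing token without touching the key.
    leaked_key = SIGNING_KEY
    results["embedded_key_leak"] = authorize_embedded(
        mint({"entities": ["light.kitchen"]}, leaked_key), "light.kitchen")
    results["lookup_key_leak"] = authorize_by_lookup(
        mint({"tid": "tok-unknown"}, leaked_key), "sensor.living_room_temperature")
    revoked = dict(GRANTS)
    del revoked["tok-flow-01"]
    results["lookup_after_revoke"] = authorize_by_lookup(
        genuine, "sensor.living_room_temperature", revoked)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The lookup design also gives a natural revocation path: deleting the grant row denies a still-valid signature, whereas with embedded permissions every issued token stays good until the signing key itself is rotated.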
Thanks for your input Daniel. That’s interesting. Microsoft is doing that with their Shared Access Keys for Azure Storage Accounts: https://docs.microsoft.com/en-us/rest/api/storageservices/create-account-sas
I would really love to see this implemented.