Token Management

As a commitment to an always improved security, Nuxeo Online Services delegates authentication to Okta. This allows us to secure it in an advanced way, and provide additional security options.

Therefore, whenever you are executing commands in our clients and APIs that require authentication, your password can't be used — a token should be used instead.

Future Change

Tokens will become the mandatory way to authenticate for all our tools and APIs. We strongly recommend doing the switch as soon as possible to prevent any breakage in the future.

What is a Token

A token is a randomly generated string that can be used as a replacement for your password when authenticating to our services. It is meant to be used as a replacement for your password in all places where you would need to write down your password, but doing this would disclose it, for instance in configuration files.

When to Use a Token

Tokens need to be used as a replacement for your password in Nuxeo Online Services APIs and our command line tools, whenever you need to authenticate. Examples:

In your continuous integration / continuous delivery chain, to have your software authenticate against our Maven private repository
To trigger a Studio release through the REST API,
When using our command line tools with options that require authentication. For example, registering an instance using nuxeoctl, linking your Studio project to your Java development project in Nuxeo CLI
When using Studio Designer Git Access for faster development
When mirroring private artifacts (like a Nuxeo Studio project) using Nexus

For more details on when to use the token, see the token usage section of this page.

Tokens are only used for command line tools and APIs. You still need to use your password when you log in to Nuxeo Online Services in your browser, for example when accessing Nuxeo Studio.

The NOS token authenticates to https://connect.nuxeo.com, where the Studio project comes from. The NOS token cannot be used to authenticate to https://packages.nuxeo.com, where hotfixes are located.

Creating a Token

To generate a token:

Login to Nuxeo Online Services,
Visit the My Tokens tab,
Create your token using the corresponding button and provide a clear name for it (ex: "CI Chain"). The name has no impact on the token. It is meant to remind you where / how do you plan to use it, which is very important in case you need to revoke it.

Your token will be shown only once, so save it in a secure place, like a password management application.

We recommend using a different token for every tool or service you plan to use. This reduces the impact of revoking a token if you need to do it in the future.

Using your Tokens

Procedure of using your token is the same as using a password — enter it when prompted, or store it in your configuration file if you are using automated tools. Some examples can be found below:

Nuxeoctl

When using a command that requires a password, nuxeoctl prompts you for your token. Example:

./nuxeoctl register
Username: [enter your NOS username]
Please enter your token: [enter your token here instead of your password]

Nuxeo CLI

Nuxeo CLI prompts for your token when needed. Example:

me@my-computer:~/my-java-project$ nuxeo studio

dxxxxxxxxxxc    oxxo       lxxx lkkl       ;kkk
dxxxxxxxxxxxd;  oxxo       lxxx lkkkx:.  ,dkkkx
dxxc       lxxo oxxo       lxxx  "okkkkokkkkd,
dxxc       lxxo oxxo       lxxx    .dkkkkkk.                  Welcome to
dxxc       lxxo oxxo       lxxx   ,dkkkkkkkk,                     Nuxeo CLI
dxxc       lxxo "oxxcccccccdxxx ,kkkkx" "okkkk,
loo;       :ooc   "cooooooooool xkko       ckko

:cc,       ;cc;                 oxxxxxxxxxxxxxo
dxxc       lxxo                 oxxxxxxxxxxxxxo
dxxc       lxxo                 oxxo           
dxxc       lxxo                 oxxxxxxxxxxxxxo
dxxc       lxxo                 oxxo           
"cxxoooooooxxxo                 oxxxxxxxxxxxxxo
   xoooooooxxxo                 oxxxxxxxxxxxxxo

lkkl       ;kkk oxxxxxxxxxxxxxo xooooooooooo,  
lkkkx:.  ,dkkkx oxxxxxxxxxxxxxo lxxxxxxxxxxxxb;
 "okkkkokkkkd,  oxxo            lxxd       :xxx
   .dkkkkkk.    oxxxxxxxxxxxxxo lxxd       :xxx
  ,dkkkkkkkk,   oxxo            cxxd       :xxx
,kkkkx" "okkkk, oxxxxxxxxxxxxxo  "oxxxxxxxxxxxx
xkko       ckko oxxxxxxxxxxxxxo    :xxxxxxxxxxx


     info You are going to link a Studio project to this project.
? NOS Username: [enter your NOS username]
? NOS Token: [input is hidden] [enter your token here instead of your password]

Maven

Your token needs to be stored in your .m2/settings.xml file, where you would usually put your password. For more details, go to our Maven configuration page.

Studio Designer Git Access

Check our Nuxeo Studio Designer Git access documentation for more details.

Nuxeo Online Services REST API

When triggering a Studio project release through the Nuxeo Online Services REST API, use your Nuxeo Online Services username and replace your Nuxeo Online Services password with your token.

Nexus

In your Nexus configuration, use your Nuxeo Online Services username and replace your Nuxeo Online Services password with your token.

Other Tools

Any other tool behaves the same as above: use your Nuxeo Online Services username and replace your Nuxeo Online Services password with your token.

Revoking a Token

Tokens have no expiration date or policy. If you ever forget any of your tokens, think it may have been compromised or simply wish to change them regularly for increased security:

Login to Nuxeo Online Services,
Navigate to the My Tokens tab,
Revoke the appropriate token(s) using Revoke button next to each of them,
Generate new token(s) (see the Creating a Token section) and update any impacted configuration.