Token Management

Updated: March 5, 2020

As part of our commitment to continuously improving security, Nuxeo Online Services delegates authentication to Okta. This allows us to secure it in an advanced way and to provide additional security options.

The trade-off is that your password can't be used with commands in our clients and APIs that require authentication. Nuxeo Online Services needs an alternative way for you to authenticate: this is where you use a token.

Future Change
Tokens will become the mandatory way to authenticate for all our tools and APIs. We strongly recommend switching as soon as possible to prevent any breakage in the future.

What is a Token

A token is a randomly generated string that can be used as a replacement for your password when authenticating to our services. It is meant to be used wherever you would otherwise need to write down your password but would rather not disclose it: for instance, in configuration files.

When to Use a Token

Tokens need to be used as a replacement for your password in Nuxeo Online Services APIs and our command line tools, whenever you need to authenticate. Some examples:

For more details on when to use the token, see the token usage section on this page.

Tokens are only used for command line tools and APIs. You still need to use your password as usual when you log in to Nuxeo Online Services in your browser, for instance when accessing Nuxeo Studio.

Creating a Token

To generate a token:

  1. Log in to Nuxeo Online Services,
  2. Visit the My Tokens tab,
  3. Create your token using the corresponding button and provide a clear name for it (ex: "CI Chain"). The name has no impact; it is only meant to help you remember where and how you plan to use the token, which is very important in case you need to revoke it later.

Your token will only be shown once; be sure to save it in a secure place, for instance a password management tool.

We recommend using a different token for every tool or service you plan to use: this lessens the impact if you need to revoke it at some point.

Using your Tokens

Using your token is exactly the same as using a password. Enter it when prompted, or store it in your configuration when using automated tools. Some examples can be found below:

Nuxeoctl

When using a command requiring a password, nuxeoctl prompts you for your token. Example:

./nuxeoctl register
Username: [enter your NOS username]
Please enter your token: [enter your token here instead of your password]

Nuxeo CLI

Nuxeo CLI prompts for your token when needed. Example:

~/my-java-project$ nuxeo studio

dxxxxxxxxxxc    oxxo       lxxx lkkl       ;kkk
dxxxxxxxxxxxd;  oxxo       lxxx lkkkx:.  ,dkkkx
dxxc       lxxo oxxo       lxxx  "okkkkokkkkd,
dxxc       lxxo oxxo       lxxx    .dkkkkkk.                  Welcome to
dxxc       lxxo oxxo       lxxx   ,dkkkkkkkk,                     Nuxeo CLI
dxxc       lxxo "oxxcccccccdxxx ,kkkkx" "okkkk,
loo;       :ooc   "cooooooooool xkko       ckko

:cc,       ;cc;                 oxxxxxxxxxxxxxo
dxxc       lxxo                 oxxxxxxxxxxxxxo
dxxc       lxxo                 oxxo           
dxxc       lxxo                 oxxxxxxxxxxxxxo
dxxc       lxxo                 oxxo           
"cxxoooooooxxxo                 oxxxxxxxxxxxxxo
   xoooooooxxxo                 oxxxxxxxxxxxxxo

lkkl       ;kkk oxxxxxxxxxxxxxo xooooooooooo,  
lkkkx:.  ,dkkkx oxxxxxxxxxxxxxo lxxxxxxxxxxxxb;
 "okkkkokkkkd,  oxxo            lxxd       :xxx
   .dkkkkkk.    oxxxxxxxxxxxxxo lxxd       :xxx
  ,dkkkkkkkk,   oxxo            cxxd       :xxx
,kkkkx" "okkkk, oxxxxxxxxxxxxxo  "oxxxxxxxxxxxx
xkko       ckko oxxxxxxxxxxxxxo    :xxxxxxxxxxx


     info You are going to link a Studio project to this project.
? NOS Username: [enter your NOS username]
? NOS Token: [input is hidden] [enter your token here instead of your password]

Maven

Your token needs to be stored in your .m2/settings.xml file, where you would usually put your password. Details can be found in our Maven configuration documentation.

Studio Designer Git Access

As a prerequisite, a Git client should be installed on your computer.

Once logged in to Nuxeo Online Services:

  1. Generate a personal access token in the My Tokens tab if you don't have one yet. It will be requested as a password to clone the project.
  2. Visit the My Applications tab
  3. Copy the Git URL to clone your project
  4. On your computer, clone your project using your Git client (typically git clone [project URL]). When prompted, use your Nuxeo Online Services username and your personal access token.

To avoid having to type your token's content repeatedly, we recommend storing it using Git's standard credentials mechanisms.

Security management
If your computer is compromised or stolen, you can revoke the token's access directly from Nuxeo Online Services: your password remains safe and no one can use the token to launch commands anymore.

Check our Nuxeo Studio Designer Git access documentation for more details.

Nuxeo Online Services REST API

When triggering a Studio project release through the Nuxeo Online Services REST API, use your Nuxeo Online Services username and replace your password with a token.

Nexus

In your Nexus configuration, use your Nuxeo Online Services username and replace your Nuxeo Online Services password with your token.

Other Tools

Any other tool behaves the same as above: use your Nuxeo Online Services username and replace your Nuxeo Online Services password with your token.
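
Because the token sits in the same configuration files a password would, those files deserve the same protection. The script below is an added example, not part of Nuxeo's tooling: it checks whether the files that typically hold a token are readable by other local users. It assumes the default locations ~/.m2/settings.xml (Maven) and ~/.git-credentials (the file written by Git's "store" credential helper); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Nuxeo code): audit files that hold a token.
# Assumed default locations: Maven's ~/.m2/settings.xml and ~/.git-credentials,
# the file written by Git's "store" credential helper.

# Print "missing", "ok" or "exposed" for one file. "exposed" means group or
# other users hold any permission bit on it.
token_file_status() {
    [ -e "$1" ] || { echo missing; return 0; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then
        echo ok
    else
        echo exposed
    fi
}

# Report every file given; return non-zero if any of them is exposed.
audit_token_files() {
    exposed=0
    for f in "$@"; do
        st=$(token_file_status "$f")
        printf '%-8s %s\n' "$st" "$f"
        if [ "$st" = exposed ]; then exposed=$((exposed + 1)); fi
    done
    [ "$exposed" -eq 0 ]
}

# Restrict an existing token file to its owner (read and write only).
lock_token_file() {
    [ -e "$1" ] && chmod 600 "$1"
}

# Audit the assumed default locations when the script is run directly.
audit_token_files "$HOME/.m2/settings.xml" "$HOME/.git-credentials" ||
    echo "Exposed token file found: restrict it to your user (chmod 600)." >&2
```

If a file was exposed on a shared machine, treat its token as possibly compromised and follow the revocation steps in the next section.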

Revoking a Token

Tokens have no expiration date or policy. If you ever forget your token, think it may have been compromised, or simply wish to change your tokens regularly for increased security:

  1. Log in to Nuxeo Online Services,
  2. Visit the My Tokens tab,
  3. Revoke the appropriate token(s),
  4. Generate new token(s) and update any impacted configuration.
