Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use bearer token for cloud channel auth #1874

Open
1 task
cpkurotori opened this issue Aug 16, 2024 · 1 comment
Open
1 task

Use bearer token for cloud channel auth #1874

cpkurotori opened this issue Aug 16, 2024 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@cpkurotori
Copy link
Collaborator

What is the expected feature or enhancement?

On the Qiskit Runtime server side, when an API Key is provided in the Authorization header, the service goes to IAM to obtain a bearer token before making the authorization request.

This flow fails if the instance's account has Context Based Restrictions (CBR) enabled (example: IP allowlist).

The REST API does support Bearer token authentication (Authorization header with Bearer TOKEN) which should be able to bypass this.

Acceptance criteria

  • an account with CBR enabled should be able to run a job successfully from a device that is allowlisted

Notes

This could probably be implemented a number of ways:

  1. Provide optional setting to obtain bearer token using api key
  2. Convert auth flow for cloud channel to only use the bearer token flow (bearer token can be cached).

In my opinion option 2 is better because bearer tokens are a better security approach (if a bearer token gets compromised it automatically expires) and we won't need to maintain 2 different code paths (apikey and bearer token)

Please note that staging should be supported as well (endpoint is iam.test.cloud.ibm.com)

Example code block:

import requests

apikey = "replace with apikey"
resp = requests.post("https://iam.cloud.ibm.com/identity/token", data={"grant_type": "urn:ibm:params:oauth:grant-type:apikey", "apikey": apikey})
print(resp.status_code)
print(resp.json())
@cpkurotori cpkurotori added the enhancement New feature or request label Aug 16, 2024
@kt474 kt474 self-assigned this Jan 7, 2025
@kt474
Copy link
Member

kt474 commented Jan 13, 2025

I believe this is the same as #2070 - I'll handle both in the same PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants