Allowing applications to create user tokens
All applications connected to Crowd can generate Crowd tokens for any user that can authenticate into that application. This can be useful, for example, for the remember me functionality as the app will not have to ask for credentials upon every login. For security reasons, by default, applications connected to Crowd are not allowed to create user tokens.
These tokens are not related to personal access tokens (PATs) that you might know from Jira or Confluence. If you'd like to create personal access tokens, you need to do it in each of these products separately, and not through Crowd. Learn more
To allow applications to create such tokens:
- In Crowd, go to Applications > <your_application_name> Options.
- Check Allow to generate user tokens.
There is a possibility for applications connected to Crowd to generate Crowd tokens for users without passing their passwords in a request.
Such token can later be used to impersonate user in other SSO version 1 applications if they have similar directory setup.
User tokens can be used to impersonate user in Crowd web application if Crowd application has similar directory setup.
For this reason, it is important to connect only trusted applications to Crowd. Additionally, it's recommended that you keep the Allow to generate user tokens setting disabled unless your application and setup clearly requires this setting to be turned on.