[API] Prompt user when logging in to a client for the first time.
Background: A third party web service can use a link or redirect to send a user's browser through the login process, which culminates in the third party receiving an API token. This facilitates user-deployed applications against production API services, but it also gives a malicious third party an opportunity to trick a user into sending the user's API key to the third party.
When user A arrives at the API server's login process with a return_to URL that is not already trusted by this user, the user should be prompted to understand and accept this situation before continuing. (The user should have the option to remember this decision for next time.)
The API admin should be able to configure a whitelist in services/api/config/application.yml. This could default to
The user-managed whitelist can be stored in the user's
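The trust check the issue describes, as an added example that is not Arvados code: the admin whitelist is read from a constructed application.yml fragment (the key name trusted_return_to_origins is an assumption), the per-user list is a plain array of remembered origins, and a return_to is compared by origin (scheme, host, port) rather than by full URL. Refusing malformed or non-http(s) return_to values outright is an added choice the issue does not spell out.

```ruby
# Added example (not Arvados code): decide whether the login flow should
# prompt the user before handing an API token to a return_to URL.
require 'uri'
require 'yaml'

# Constructed stand-in for the admin whitelist in application.yml;
# the key name is an assumption, not an Arvados config key.
ADMIN_CONFIG_YAML = <<~YAML
  trusted_return_to_origins:
    - https://workbench.example.com
    - https://api.example.com:8443
YAML

# Reduce a URL to its origin (scheme://host[:port]) so that path and query
# cannot be used to slip past the whitelist; nil for anything that is not a
# well-formed absolute http(s) URL (javascript:, relative paths, garbage).
def return_to_origin(url)
  uri = URI.parse(url.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

def load_admin_whitelist(yaml_text)
  cfg = YAML.safe_load(yaml_text) || {}
  Array(cfg['trusted_return_to_origins']).map { |u| return_to_origin(u) }.compact
end

# :allow  -> origin is trusted by the admin or this user, continue silently
# :prompt -> not yet trusted, show the "send your token to X?" confirmation
# :reject -> return_to cannot be turned into an origin at all (assumption)
def return_to_decision(return_to, admin_whitelist, user_whitelist)
  origin = return_to_origin(return_to)
  return :reject if origin.nil?
  trusted = admin_whitelist + user_whitelist.map { |u| return_to_origin(u) }
  trusted.include?(origin) ? :allow : :prompt
end

# Called when the user ticks "remember this decision": returns the updated
# per-user list, storing the origin rather than the full URL.
def remember_return_to(user_whitelist, return_to)
  origin = return_to_origin(return_to)
  origin ? (user_whitelist | [origin]) : user_whitelist
end
```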
<tetron> tomclegg: so OAuth does require a secret client token
<tetron> tomclegg: but workbench doesn't use OAuth to authenticate to API server.
<tetron> tomclegg: API server uses OAuth with the SSO server
<tetron> tomclegg: so that's probably a weak link