Great work, I noticed the “personal access token” feature being available on 2.37, and not supported on other lower versions. Do we have any way to generate API access tokens on the lower versions?
PATs is an interesting security feature we want to utilize in our integrations secenario
Hi @kose, glad you find the PAT feature useful!
Personal Access Tokens are only available in DHIS2 after 2.37. To authenticate an integration service in earlier versions of DHIS2, you can either use (1) basic authentication with username and password or (2) OAuth2. See the official docs for technical details.
(1) Basic authentication should be sufficient for server-to-server authentication only. It is imporant to send basic authentication credentials over HTTPS and to ensure that the username and password are never exposed to the public internet.
(2) OAuth2 allows you to generate an authentication token (and separate refresh token) which can also be used to authenticate with the DHIS2 API. There is some additional management required to handle expiration of the authentication token, using the refresh token to generate a new one. This is slightly more secure than basic authentication because you do not need to send the basic auth credentials with each request and you also have the ability to delete an OAuth2 client in the case it starts misbehaving.
However it still should not be used without TLS or over an untrusted network.
(3) Personal Access Tokens were added in 2.37 as a way to create long-lived access tokens with limited capabilities, specifically for the integration use-case. If it is possible to upgrade your system this would be the best solution.
In all of these scenarios it is stronly recommended that you create a dedicated DHIS2 user which is only used for these integrations - it is important to restrict the permissions granted to that user as much as possible.