Add cookie auth to C8 REST API

[akeller]

Description

This PR added cookie auth instructions for the C8 REST API in 8.6 and 8.7.

#5145 changes this behavior to 8.8 and removes the need for cookie auth.

When should this change go live?

• This is a bug fix, security concern, or something that needs urgent release support.
• This is already available but undocumented and should be released within a week.
• This on a specific schedule and the assignee will coordinate a release with the DevEx team. (apply hold label or convert to draft PR)
• This is part of a scheduled alpha or minor. (apply alpha or minor label)
• There is no urgency with this change and can be released at any time.

PR Checklist

• My changes are for an already released minor and are in /versioned_docs directory.
• My changes are for the next minor and are in /docs directory (aka /next/).

• My changes require an Engineering review, and I've assigned the Engineering DRI or delegate.
• My changes require a technical writer review, and I've assigned @camunda/tech-writers as a reviewer.

[akeller]

This PR needs some page formatting love. I literally just copied in the instructions from another page.

We also need to decide if using a v2, alpha endpoint as an example is the best way to go. I'm a bit hesitant with this.

I would also like to test the C8Run + API myself before pushing these changes.

[conceptualshark]

I've updated this to include what I understand are required flags for cookie auth to work in all self-managed environments. We should be clear on if we want cookie auth to be readily available for use (and so include these flags), limit this section to say C8Run only/not intended for production, or only include it as part of C8Run (PR here).

[akeller]

@pepopowitz @tmetzke can you take this PR over?

[pepopowitz]

By "take it over," I'm inferring:

• add a PR description
• review the changes in a local environment to ensure their accuracy

Is that accurate?

There are also multiple comments in this thread about needing to make a decision if we want this -- I'm unsure if you're expecting me to make that decision.

[akeller]

By "take it over," I'm inferring:

• add a PR description
• review the changes in a local environment to ensure their accuracy

Is that accurate?

There are also multiple comments in this thread about needing to make a decision if we want this -- I'm unsure if you're expecting me to make that decision.

Yes to all of the above. Can you work with @tmetzke and other API stakeholders (maybe @aleksander-dytko too) to determine if this is something we want to have, a temporary work around, or something else? If we don't want or need it, let's close out this PR with some context.

[tmetzke]

I haven't been involved much in this discussion, to be honest, as this is mostly an Identity integration and single application issue. Not sure who the right person to review this is, maybe @romansmirnov and/or @Ben-Sheppard? I guess @felix-mueller has been involved from PM side and is covering for @aleksander-dytko.

[akeller]

@aleksander-dytko, can you please have a look at the scope of this PR. Does it make sense for this work to continue moving forward, and if so, with what alpha or minor?

[aleksander-dytko]

We could replace it with the topology endpoint - to use non-alpha endpoint

[aleksander-dytko]

@aleksander-dytko, can you please have a look at the scope of this PR. Does it make sense for this work to continue moving forward, and if so, with what alpha or minor?

The scope of this PR makes sense to me - we should help users auth simply. I also agree on the work that needs to be done:

• make sure it works in Self-Managed
• highlight the risk of using Cookie auth (@conceptualshark' comment)

We could start with this in 8.6, as the C8 API is officially released. With 8.8, we might need to revisit the auth page, due to identity changes (not sure about the details of what would need to be changed).

[akeller]

@aleksander-dytko, can you please have a look at the scope of this PR. Does it make sense for this work to continue moving forward, and if so, with what alpha or minor?

The scope of this PR makes sense to me - we should help users auth simply. I also agree on the work that needs to be done:

• make sure it works in Self-Managed
• highlight the risk of using Cookie auth (@conceptualshark' comment)

We could start with this in 8.6, as the C8 API is officially released. With 8.8, we might need to revisit the auth page, due to identity changes (not sure about the details of what would need to be changed).

@pepopowitz I think you have the info you need to move this forward. Are you comfortable pushing forward? I added you as an assignee.

[github-actions]

👋 🤖 🤔 Hello, @akeller! Did you make your changes in all the right places?

These files were changed only in docs/. You might want to duplicate these changes in versioned_docs/version-8.7/.

• docs/apis-tools/camunda-api-rest/camunda-api-rest-authentication.md

These files were changed only in versioned_docs/version-8.6/. You might want to duplicate these changes in versioned_docs/version-8.7/.

• versioned_docs/version-8.6/apis-tools/camunda-api-rest/camunda-api-rest-authentication.md

You may have done this intentionally, but we wanted to point it out in case you didn't. You can read more about the versioning within our docs in our documentation guidelines.

[akeller]

@aleksander-dytko I haven't heard any additional feedback on cookie auth with the C8 REST API. Can you help us understand the priority/urgency here? You mentioned it could start with 8.6, which means this is technically undocumented. Does this need to be ready to merge for 8.7 or 8.8? Can it continue to be ignored?

[tmetzke]

If we add this, it's only needed in 8.6 and 8.7. This is fixed in 8.8 and shouldn't be needed anymore (not entirely sure if it's even not possible anymore). The Identity re-arch team would know better as they are driving this.

For 8.6/8.7, is this only needed in C8 Run? If so, should we mention that? If this is in the text already, ignore this last part (I'm just on my mobile, came across this in my inbox, and just wanted to leave this quick assessment here).

[akeller]

For 8.6/8.7, is this only needed in C8 Run?

I believe so.

[tmetzke]

I would propose then:

• Let's add this to 8.6 and 8.7
• Let's point out that this is needed for C8 Run - I assume it's not needed for any other setup. Maybe we can also generalize this, e.g. if it's needed when (this is not verified) "basic auth is used in self managed and webapps are started in the application as well - for example, C8 Run brings this setup by default" or something like that.