Is there a reason why I can't bootstrap Providers like I can most other things? #1201
Replies: 1 comment 3 replies
The only thing you can bootstrap is the default admin user and an API key, but I guess you mean adding things later on with that bootstrapped API key. The reason why you can do almost everything with them, apart from Auth Provider CRUD (and some other things), is actually security. Auth provider setup requires you to work on both sides, like create an "App" upstream, generate a secret, and copy it over to Rauthy. So, because it requires manual work (usually), it does not make much sense to do this via API.

The other thing is that especially Auth providers are one of the most sensitive things. If an attacker hijacks an API Key or it simply leaks in some CI/CD logs for instance, the upstream provider page could be mocked and then the redirect URI changed on Rauthy's side. If done well, even an admin would probably not recognize it right away and it would lead to account takeover of everyone using this provider.

The last reason is that upstream providers are usually one-time setup and are then never touched again. If you really, really need to do it anyway, you could theoretically create a real admin session after bootstrap and provide the session cookie and CSRF token with the request instead of the API key. Most of the integration tests work that way as well. Only a real session can currently modify Auth Providers.
I tried to bootstrap adding GitHub and Google as 3rd party providers and this wasn't allowed as a Group for the bootstrap API-Key token?

Database migration error: ErrorResponse { timestamp: 1758306733, error: BadRequest, message: "Payload deserialization error: Error("unknown variant `Providers`, expected one of `Blacklist`, `Clients`, `Events`, `Generic`, `Groups`, `Roles`, `Secrets`, `Sessions`, `Scopes`, `UserAttributes`, `Users`, `Pam`", line: 22, column: 26)" }.

I know this isn't the biggest thing, but I always prefer to have my application setup laid down programmatically rather than through an interface.

Love Rauthy <3
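To make the policy from the thread concrete, here is a small Rust model written for this page; it is not Rauthy's own code. The `AccessGroup` variant list is the one from the deserialization error quoted above, while `Principal`, `Resource`, `parse_access` and `authorize` are hypothetical names. It shows the two layers the maintainer describes: a strict allow-list at parse time (so a bootstrap definition asking for `Providers` is rejected before anything runs), and an authorization rule under which an API key, however it was obtained, can never modify auth providers, whereas an admin session that also passes the CSRF check can.

```rust
// Added example, not Rauthy's own code: a model of the access policy described in
// the thread. AccessGroup variants come from the quoted error message; the other
// names are hypothetical.
use std::str::FromStr;

/// Access groups an API key can be granted. There is deliberately no `Providers`
/// variant, so a bootstrap definition that asks for it fails to deserialize.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AccessGroup {
    Blacklist,
    Clients,
    Events,
    Generic,
    Groups,
    Roles,
    Secrets,
    Sessions,
    Scopes,
    UserAttributes,
    Users,
    Pam,
}

impl AccessGroup {
    /// Name-to-variant table used both for parsing and for the error message.
    const ALL: [(&'static str, AccessGroup); 12] = [
        ("Blacklist", AccessGroup::Blacklist),
        ("Clients", AccessGroup::Clients),
        ("Events", AccessGroup::Events),
        ("Generic", AccessGroup::Generic),
        ("Groups", AccessGroup::Groups),
        ("Roles", AccessGroup::Roles),
        ("Secrets", AccessGroup::Secrets),
        ("Sessions", AccessGroup::Sessions),
        ("Scopes", AccessGroup::Scopes),
        ("UserAttributes", AccessGroup::UserAttributes),
        ("Users", AccessGroup::Users),
        ("Pam", AccessGroup::Pam),
    ];
}

impl FromStr for AccessGroup {
    type Err = String;

    /// Strict allow-list parse that produces a serde-style "unknown variant" error.
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Self::ALL
            .iter()
            .find(|(name, _)| *name == s)
            .map(|(_, group)| *group)
            .ok_or_else(|| {
                let names: Vec<&str> = Self::ALL.iter().map(|(n, _)| *n).collect();
                format!("unknown variant `{}`, expected one of `{}`", s, names.join("`, `"))
            })
    }
}

/// Parses the `access` list of a bootstrap API key definition; one unknown entry
/// rejects the whole list, which is what the quoted error shows.
pub fn parse_access(names: &[&str]) -> Result<Vec<AccessGroup>, String> {
    names.iter().map(|n| n.parse::<AccessGroup>()).collect()
}

/// Who is calling an admin endpoint.
pub enum Principal {
    /// An API key (bootstrapped or created later) and the groups it holds.
    ApiKey { groups: Vec<AccessGroup> },
    /// An interactive login; `csrf_valid` records whether the CSRF token sent with
    /// the request matched the session cookie.
    Session { is_admin: bool, csrf_valid: bool },
}

/// Admin resources; `AuthProvider` has no matching AccessGroup on purpose.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Resource {
    Clients,
    Users,
    AuthProvider,
}

/// Decides whether `who` may modify `what`. A leaked API key is the threat model:
/// only an admin session that also passes the CSRF check may touch auth providers.
pub fn authorize(who: &Principal, what: Resource) -> Result<(), &'static str> {
    match who {
        Principal::Session { is_admin, csrf_valid } => {
            if !*is_admin {
                return Err("session is not an admin session");
            }
            if !*csrf_valid {
                return Err("missing or invalid CSRF token");
            }
            Ok(())
        }
        Principal::ApiKey { groups } => {
            let needed = match what {
                Resource::Clients => AccessGroup::Clients,
                Resource::Users => AccessGroup::Users,
                Resource::AuthProvider => {
                    return Err("auth providers can only be modified by a real admin session");
                }
            };
            if groups.contains(&needed) {
                Ok(())
            } else {
                Err("API key lacks the required access group")
            }
        }
    }
}

fn main() {
    // Constructed inputs: a bootstrap list that asks for `Providers`, then the
    // same request made with an API key and with an admin session.
    println!("{:?}", parse_access(&["Clients", "Providers"]));
    let key = Principal::ApiKey { groups: parse_access(&["Clients"]).unwrap() };
    println!("{:?}", authorize(&key, Resource::AuthProvider));
    let session = Principal::Session { is_admin: true, csrf_valid: true };
    println!("{:?}", authorize(&session, Resource::AuthProvider));
}
```

The design point is that the two checks fail closed independently: the parser cannot be talked into an unknown group name, and even a key that somehow held every group still has no path to `AuthProvider`, so a key leaked through CI/CD logs cannot be used to redirect an upstream provider.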