Allow AccessTokens to be redeemed using a predictable URI
Describe the solution you'd like
Today the URL defined by the access grant server to redeem an AccessToken is defined based on the generated uid of the respective AccessGrant.
So users that need to set their Skupper site definitions using GitOps cannot define their own AccessTokens beforehand, as the URI will only be defined once the AccessGrant is created.
The proposal here is to change that behavior and use a predictable URI that can be composed by the Namespace + the AccessGrant name. For example: /mygrant-at-west (to prevent clashes).
This would help us automate the site linking process. We currently have to copy the generated URL every time we link a new site (multiple times a day). With this enhancement, we could leverage ArgoCD to automate the site linking process.
Hey! Making the token redeemable via a predictable URI - e.g. using namespace and grant name - creates a big security risk, as it enables attackers to guess valid endpoints and attempt token misuse more easily. This approach undermines the secrecy expected of tokens.
A safer solution would be to automate your workflow in a way that would allow receiving the token / URI directly from the Skupper CRDs. This should be doable via something like preSync & Jobs to allow full GitOps compatibility without compromising security best practices. Tbh... I can't deliver a working sample solution for your use case, but I'm sure it's possible without the need to weaken security.
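
An added example, not part of the comment above and not Skupper project code: one way a sync-hook Job could turn a fetched AccessGrant into an AccessToken manifest instead of relying on a guessable URI. The API version `skupper.io/v2alpha1`, the `status.url`/`status.code`/`status.ca` and `spec.url`/`spec.code`/`spec.ca` field names, and all sample values are assumptions to check against the installed CRDs.

```python
import json

# Assumed Skupper v2 API version and field names; verify against your CRDs.
API_VERSION = "skupper.io/v2alpha1"
REQUIRED = ("url", "code", "ca")

# Constructed sample, shaped like `kubectl get accessgrant mygrant -o json`.
SAMPLE_GRANT = {
    "apiVersion": API_VERSION,
    "kind": "AccessGrant",
    "metadata": {"name": "mygrant", "namespace": "west"},
    "status": {
        "url": "https://grants.example.test:9090/00000000-0000-0000-0000-000000000000",
        "code": "constructed-secret-code",
        "ca": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
    },
}


def token_from_grant(grant: dict, token_name: str, target_namespace: str) -> dict:
    """Build an AccessToken manifest from a fetched AccessGrant object."""
    if grant.get("kind") != "AccessGrant":
        raise ValueError("input is not an AccessGrant")
    status = grant.get("status") or {}
    missing = [f for f in REQUIRED if not status.get(f)]
    if missing:
        # The controller has not filled in the grant yet: the Job should retry.
        raise LookupError(f"grant not ready, missing status fields: {missing}")
    if not status["url"].startswith("https://"):
        raise ValueError("refusing non-HTTPS redemption URL")
    return {
        "apiVersion": API_VERSION,
        "kind": "AccessToken",
        "metadata": {"name": token_name, "namespace": target_namespace},
        # The code is a secret: apply this manifest directly to the target
        # cluster from the Job; do not commit it to the Git repository.
        "spec": {f: status[f] for f in REQUIRED},
    }


if __name__ == "__main__":
    # Output is JSON, which `kubectl apply -f -` accepts as well as YAML.
    print(json.dumps(token_from_grant(SAMPLE_GRANT, "west-link", "east"), indent=2))
```

The AccessGrant stays declarative in Git, while the generated URL and code only ever exist in the cluster and in the Job's pipe to the remote site.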