Alternative choices

We could have used a fully packaged product such as JFrog or Gemfury, but we chose not to. Why?

These web apps provide a fully managed service; however, it seemed impossible to authenticate clients with a username/password pair. For instance, Gemfury only allows authentication with tokens, which is problematic for us:

By using a username/password credential pair, we make it explicit that anyone who is NOT allowed to act as that username is not expected to use the credential pair.

Why do we care?

Let's say a contractor at one of our customers (e.g. Pernod-Ricard) has obtained the credentials by looking into Pernod-Ricard's key vault.

If he gets a single authentication token, he might think it is OK to use it on other projects (which it is not). However, if the credential states that the authorized user is named pernod-ricard-org or someone@pernod-ricard, the message is clear: only people at Pernod-Ricard are allowed to use these credentials.