MGNLSSO-76

oidc.secret value needs protection


Details

    • Improvement
    • Resolution: Won't Do
    • Neutral
    • 2.0

    Description

      The configuration should be improved so that the plain-text value of oidc.secret is no longer stored in a YAML file, as it is today:

      authenticationService:
        path: /.magnolia/admincentral
        callbackUrl: http://localhost:8080/.auth
        groupMappings:
          /magnolia-sre:
            roles:
              - superuser
        pac4j:
          oidc.id: magnolia-sso
          oidc.secret: 2ff75b44-c7ef-4932-91c8-59e6ea5f35b6
          oidc.scope: openid profile email
          oidc.discoveryUri: https://<YOUR_OIDC_IDP_DOMAIN>/…/.well-known/openid-configuration
          oidc.preferredJwsAlgorithm: RS256

      Notes
      We should add another configuration option to set a keystore workspace path. Maybe something like:

      oidc.secret.keystore.path: /sso/oidc.secret

      Still allow the old configuration for backwards compatibility reasons. Users can select what level of security is necessary for the use case.
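The precedence the notes above imply (a keystore reference wins, the plain-text oidc.secret stays only for backwards compatibility), written out as an added example that is not Magnolia's own code: the workspace lookup is an assumption and is stood in for by a plain path-to-secret dict, and all sample values are constructed.

```python
import logging

log = logging.getLogger("sso.config")

KEYSTORE_KEY = "oidc.secret.keystore.path"  # option proposed in this ticket
PLAINTEXT_KEY = "oidc.secret"               # legacy plain-text option


class SecretConfigError(ValueError):
    """The pac4j block yields no usable client secret."""


def resolve_oidc_secret(pac4j, keystore):
    """Return (secret, source) for a parsed pac4j mapping.

    A keystore reference takes precedence over a plain-text value, so a site
    can add oidc.secret.keystore.path while the legacy key is still present.
    `keystore` is an assumed stand-in for the workspace lookup: path -> secret.
    """
    path = pac4j.get(KEYSTORE_KEY)
    plain = pac4j.get(PLAINTEXT_KEY)
    if path:
        if path not in keystore:
            raise SecretConfigError(f"{KEYSTORE_KEY} points to missing node {path!r}")
        if plain:
            log.warning("%s is ignored because %s is set; remove the plain-text value",
                        PLAINTEXT_KEY, KEYSTORE_KEY)
        return keystore[path], "keystore"
    if plain:
        log.warning("%s is stored as plain-text YAML; consider %s", PLAINTEXT_KEY, KEYSTORE_KEY)
        return plain, "plaintext"
    raise SecretConfigError(f"neither {KEYSTORE_KEY} nor {PLAINTEXT_KEY} is configured")


def has_usable_secret(pac4j, keystore):
    """Startup check: True when a secret can be resolved without error."""
    try:
        resolve_oidc_secret(pac4j, keystore)
        return True
    except SecretConfigError:
        return False


# Constructed sample data, not taken from any real deployment.
KEYSTORE = {"/sso/oidc.secret": "secret-from-keystore-CONSTRUCTED"}
LEGACY = {"oidc.id": "magnolia-sso", PLAINTEXT_KEY: "plaintext-CONSTRUCTED"}
HARDENED = {"oidc.id": "magnolia-sso", KEYSTORE_KEY: "/sso/oidc.secret"}
MIGRATING = {**LEGACY, KEYSTORE_KEY: "/sso/oidc.secret"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, cfg in (("legacy", LEGACY), ("hardened", HARDENED), ("migrating", MIGRATING)):
        print(name, "->", resolve_oidc_secret(cfg, KEYSTORE)[1])
```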

      People

        mmichel Maxime Michel
        rgange Richard Gange