[MGNLSSO-76] oidc.secret value needs protection Created: 18/Aug/21  Updated: 09/Oct/21  Resolved: 09/Oct/21

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: 2.0
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Richard Gange Assignee: Maxime Michel
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File keystore-path.png    
Template:
Acceptance criteria:
Empty
Task DoD:
[ ] Doc/release notes changes? Comment present?
[ ] Downstream builds green?
[ ] Solution information and context easily available?
[ ] Tests
[ ] FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
Date of First Response:

Description

The SSO module should be improved so that the plain-text value of oidc.secret does not have to be configured in a YAML file. Today the OIDC client secret sits in clear next to the rest of the configuration:

authenticationService:
  path: /.magnolia/admincentral
  callbackUrl: http://localhost:8080/.auth
  groupMappings:
    /magnolia-sre:
      roles:
        - superuser
  pac4j:
    oidc.id: magnolia-sso
    oidc.secret: 2ff75b44-c7ef-4932-91c8-59e6ea5f35b6
    oidc.scope: openid profile email
    oidc.discoveryUri: https://<YOUR_OIDC_IDP_DOMAIN>/…/.well-known/openid-configuration
    oidc.preferredJwsAlgorithm: RS256

Notes
We should add another configuration option that points at an entry in a keystore workspace instead of carrying the secret itself. Maybe something like:

oidc.secret.keystore.path: /sso/oidc.secret

The old configuration (a plain-text oidc.secret) should still be accepted for backwards-compatibility reasons, so users can choose the level of protection their use case requires.
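The resolution logic the notes describe, as an added example in Python rather than the SSO module's own (Java) code: the loader prefers a keystore reference, still accepts the legacy plain-text literal but flags it, never echoes the resolved value through repr/logging, and ships a small check that finds literal oidc.secret lines in YAML files kept in a configuration repository. The option name oidc.secret.keystore.path is the hypothetical one from the notes, and KEYSTORE is a constructed dict standing in for a keystore workspace; the YAML fragments and secret values are constructed too.

```python
"""Resolve the SSO module's OIDC client secret from a keystore reference.

Added example (Python), not the Magnolia SSO module's own code.  Assumptions:
``oidc.secret.keystore.path`` is the hypothetical option proposed in the issue
notes, and KEYSTORE below is a constructed dict standing in for a keystore
workspace (path -> stored secret).
"""
import re
from dataclasses import dataclass
from typing import Mapping, Tuple

SECRET_KEY = "oidc.secret"                        # existing plain-text option
KEYSTORE_PATH_KEY = "oidc.secret.keystore.path"   # hypothetical option from the notes

# Constructed stand-in for a keystore workspace: path -> stored secret.
KEYSTORE: Mapping[str, str] = {
    "/sso/oidc.secret": "11111111-2222-3333-4444-555555555555",
}

# Constructed YAML fragments: the weak form (literal secret) and the hardened form.
WEAK_YAML = """\
authenticationService:
  path: /.magnolia/admincentral
  callbackUrl: http://localhost:8080/.auth
  pac4j:
    oidc.id: magnolia-sso
    oidc.secret: 11111111-2222-3333-4444-555555555555
    oidc.scope: openid profile email
"""

HARDENED_YAML = """\
authenticationService:
  path: /.magnolia/admincentral
  callbackUrl: http://localhost:8080/.auth
  pac4j:
    oidc.id: magnolia-sso
    oidc.secret.keystore.path: /sso/oidc.secret
    oidc.scope: openid profile email
"""


@dataclass(frozen=True)
class ResolvedSecret:
    value: str
    source: str                 # "keystore" or "yaml"
    warnings: Tuple[str, ...]

    def __repr__(self) -> str:
        # Never echo the secret through logging or debugging output.
        return f"ResolvedSecret(source={self.source!r}, value=***)"


def resolve_oidc_secret(pac4j: Mapping[str, str], keystore: Mapping[str, str]) -> ResolvedSecret:
    """Prefer the keystore reference; accept the plain-text literal only for
    backwards compatibility, and say so in the returned warnings."""
    ref = pac4j.get(KEYSTORE_PATH_KEY)
    literal = pac4j.get(SECRET_KEY)
    warnings = []
    if ref:
        if ref not in keystore:
            raise KeyError(f"no keystore entry at {ref!r}")
        if literal:
            warnings.append(f"{SECRET_KEY} is also set in YAML; remove it, the keystore entry is used")
        return ResolvedSecret(keystore[ref], "keystore", tuple(warnings))
    if literal:
        warnings.append(f"{SECRET_KEY} is a plain-text literal in YAML; move it to {KEYSTORE_PATH_KEY}")
        return ResolvedSecret(literal, "yaml", tuple(warnings))
    raise ValueError(f"neither {KEYSTORE_PATH_KEY} nor {SECRET_KEY} is configured")


# Matches a literal `oidc.secret: <value>` line.  `oidc.secret.keystore.path:` does
# not match because the key is followed by `.keystore`, not by a colon.
_SECRET_LINE = re.compile(r"^\s*oidc\.secret\s*:\s*(?P<value>\S.*)$")


def find_plaintext_secrets(yaml_text: str) -> list:
    """Config-repository check: (line number, value) for every literal oidc.secret."""
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = _SECRET_LINE.match(line)
        if m:
            hits.append((lineno, m.group("value").strip()))
    return hits


def redacted(pac4j: Mapping[str, str]) -> dict:
    """Copy of the pac4j section that is safe to log: the literal is masked,
    a keystore reference is not secret and stays readable."""
    return {k: ("***" if k == SECRET_KEY else v) for k, v in pac4j.items()}


if __name__ == "__main__":
    print("literal secrets in weak YAML:", find_plaintext_secrets(WEAK_YAML))
    print("literal secrets in hardened YAML:", find_plaintext_secrets(HARDENED_YAML))
    hardened = {"oidc.id": "magnolia-sso", KEYSTORE_PATH_KEY: "/sso/oidc.secret"}
    print(resolve_oidc_secret(hardened, KEYSTORE), redacted(hardened))
```

Running find_plaintext_secrets over every YAML file in a configuration repository is the cheap check that makes the migration visible: a hit means a client secret is committed in clear, while a keystore path reference is harmless to commit because the value it points at is not in the file.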



Comments
Comment by Maxime Michel [ 25/Aug/21 ]

Workaround documented at: https://docs.magnolia-cms.com/product-docs/6.2/Modules/List-of-modules/SSO-module/Hiding-the-client-credentials-from-the-configuration-file.html

Generated at Mon Feb 12 10:50:53 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.