Hiding client credentials from the configuration file

In some projects, the security requirements do not allow for credentials to be stored in plain-text.

We do not consider the threat created by this setup critical, because the credentials are never transmitted through the browser; they are only exchanged between Magnolia and the IDP, which in production happens over HTTPS.

However, some security scanning tools or analysts may flag plain-text credentials in a configuration file as a finding.

Magnolia does support environment variables in YAML definitions, but unfortunately only in YAML definitions, not in YAML decorators, which is what is used here.

Future versions of Magnolia will implement configuration via MicroProfile, which will make such scenarios possible.

Workaround instructions

We suggest the workaround used in the module's integration tests, where the values are taken from environment variables and inserted with envsubst.

The config file is no longer a YAML file, but a template (.tpl) file, which we then render.

  1. Reference your SSO_CLIENT_ID and SSO_CLIENT_SECRET environment variables in the config.yaml.tpl file.

    config.yaml.tpl
    clients:
      oidc.id: ${SSO_CLIENT_ID} (1)
      oidc.secret: ${SSO_CLIENT_SECRET} (2)
      oidc.scope: openid profile email
      oidc.discoveryUri:  https://id-preview.magnolia-cloud.com/oauth2/aus1qwk5o26KsY7eW0x7/.well-known/openid-configuration
      oidc.preferredJwsAlgorithm: RS256
      oidc.authorizationGenerators: groupsAuthorization
      ...
    1 The SSO_CLIENT_ID must be defined as an environment variable.
    2 The SSO_CLIENT_SECRET must be defined as an environment variable.
  2. Export the environment variables and render the template into the final config.yaml file.

    export SSO_CLIENT_ID=...
    export SSO_CLIENT_SECRET=...
    envsubst < config.yaml.tpl > config.yaml

You can also do this in an intermediate Docker build layer.
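As an added example (not code from the Magnolia module or its integration tests), a small POSIX shell wrapper around the envsubst step above: it refuses to render when either variable is unset or empty (envsubst itself would substitute an empty string and produce a blank oidc.secret), limits substitution to the two SSO placeholders so other ${...} text in the YAML is left alone, and creates config.yaml readable by the current user only. The template and output paths are arguments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for rendering config.yaml.tpl.
# Assumes the two variables are exported (envsubst only sees the
# environment) and that the template/output paths are given as arguments.

# Return 0 only if every required variable is set and non-empty.
require_sso_env() {
    missing=0
    for name in SSO_CLIENT_ID SSO_CLIENT_SECRET; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "error: $name is not set or is empty" >&2
            missing=1
        fi
    done
    return $missing
}

# Render $1 (template) into $2 (config.yaml).
# The SHELL-FORMAT argument restricts envsubst to the two SSO placeholders,
# and the subshell umask makes the rendered file mode 0600 on creation.
render_sso_config() {
    tpl=$1
    out=$2
    require_sso_env || return 1
    [ -r "$tpl" ] || { echo "error: template $tpl is not readable" >&2; return 1; }
    ( umask 077; envsubst '${SSO_CLIENT_ID} ${SSO_CLIENT_SECRET}' < "$tpl" > "$out" )
}
```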