Hiding client credentials from the configuration file

In some projects, security requirements don't allow credentials to be stored in plain text.

We don't consider the threat created by this setup critical, because the credentials are never transmitted through the browser; they are sent only when Magnolia exchanges messages with the IDP, and in production that exchange occurs over HTTPS. However, some tools or analysts may raise a red flag regarding this topic.

To avoid storing secrets in plain text, Magnolia supports environment variables in YAML definitions. You load your configuration through a specific "YAML bridge" that supports the `!env` directive.

You can have different configurations in one or more environments. To configure:

  1. Set the magnolia.yaml.envsubst feature flag (JVM option) to true.

  2. Reference your SSO_CLIENT_ID and SSO_CLIENT_SECRET environment variables in the config.yaml file.

    config.yaml
    clients:
      oidc.id: !env ${SSO_CLIENT_ID} (1)
      oidc.secret: !env ${SSO_CLIENT_SECRET} (2)
      oidc.clientAuthenticationMethod: client_secret_basic
      oidc.scope: openid profile email
      oidc.discoveryUri: https://id-preview.magnolia-cloud.com/oauth2/aus1qwk5o26KsY7eW0x7/.well-known/openid-configuration
      oidc.preferredJwsAlgorithm: RS256
      oidc.authorizationGenerators: groupsAuthorization
      ...
    1 The SSO_CLIENT_ID must be defined as an environment variable.
    2 The SSO_CLIENT_SECRET must be defined as an environment variable.

  3. Environment variables are created from your terminal or IDE. You then export the variable(s) like this:

    export SSO_CLIENT_ID=...
    export SSO_CLIENT_SECRET=...
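The `!env` substitution only helps if the variables are actually present in the JVM's environment when Magnolia starts; an unset variable leaves the client with an empty or literal credential and a confusing IDP error. The following POSIX shell helpers are an added example, not part of the Magnolia docs or the SSO module: `require_env` fails closed when any named variable is unset or empty, and `resolve_placeholder` mirrors what the `!env` directive does with a `${NAME}` value so you can dry-run a config line before deploying. The `magnolia.yaml.envsubst` flag comes from this page; the function names and the `JAVA_OPTS` usage in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not Magnolia's code): pre-flight checks for !env-backed credentials.

# require_env NAME... -> 0 if every variable is set and non-empty, 1 otherwise.
# Reports each missing name on stderr; never prints the values themselves.
require_env() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing environment variable: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# resolve_placeholder VALUE -> prints VALUE with a ${NAME} placeholder replaced
# by the environment variable NAME, the way the !env directive would.
# Plain values pass through unchanged; an unresolved placeholder fails (rc 1)
# instead of silently yielding an empty credential.
resolve_placeholder() {
  case "$1" in
    '${'*'}')
      name=${1#??}      # drop leading "${"
      name=${name%?}    # drop trailing "}"
      ;;
    *)
      printf '%s' "$1"
      return 0
      ;;
  esac
  # Only accept identifier characters before handing the name to eval.
  case "$name" in
    ''|*[!A-Za-z0-9_]*)
      echo "invalid placeholder name: $1" >&2
      return 1
      ;;
  esac
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "unresolved placeholder: $1" >&2
    return 1
  fi
  printf '%s' "$value"
}

# The JVM option from the docs that turns on ${VAR} substitution in YAML.
envsubst_jvm_opt() {
  printf '%s' '-Dmagnolia.yaml.envsubst=true'
}

# Typical use in a start script (assumed Tomcat-style JAVA_OPTS):
#   . ./sso-env-check.sh
#   require_env SSO_CLIENT_ID SSO_CLIENT_SECRET || exit 1
#   JAVA_OPTS="$JAVA_OPTS $(envsubst_jvm_opt)"; export JAVA_OPTS
```

Keep the check in the start script rather than in a one-off shell session: an IDE run configuration or a container entrypoint that forgets to export `SSO_CLIENT_SECRET` is the usual way an `!env` value ends up empty in production.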