Hiding client credentials from the configuration file
In some projects, the security requirements do not allow credentials to be stored in plain text.

We do not consider the threat created by this setup critical, because the credentials are never transmitted through the browser; they are only exchanged between Magnolia and the IdP, which in production happens over HTTPS.

However, some scanning tools or security analysts may still flag plain-text credentials in the configuration file.

Magnolia does support environment variables in YAML definitions, but unfortunately only in YAML definitions, not in YAML decorators, which is what is used here. Future versions of Magnolia will implement configuration via MicroProfile, which will make such scenarios possible.
Workaround instructions
We suggest that you use a workaround that can be seen in the module's integration tests, where environment variables are inserted with envsubst.

The configuration file is then no longer a YAML file but a template (.tpl) file, which is rendered into the final YAML.

1. Reference your SSO_CLIENT_ID and SSO_CLIENT_SECRET environment variables in the config.yaml.tpl file.

config.yaml.tpl
```yaml
authenticationService:
  ...
  pac4j:
    oidc.id: ${SSO_CLIENT_ID}          # (1)
    oidc.secret: ${SSO_CLIENT_SECRET}  # (2)
  ...
```
(1) SSO_CLIENT_ID must be defined as an environment variable.
(2) SSO_CLIENT_SECRET must be defined as an environment variable.

2. Export the environment variables and render the final config.yaml file.

```shell
export SSO_CLIENT_ID=...
export SSO_CLIENT_SECRET=...
envsubst < config.yaml.tpl > config.yaml
```

You can also perform this step in an intermediate Docker layer.
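As an added example (not code from the Magnolia docs or the SSO module), the following script wraps the envsubst step above with two checks a practitioner usually wants: it fails when SSO_CLIENT_ID or SSO_CLIENT_SECRET is unset instead of silally rendering empty credentials, and it restricts substitution to those two variables. The file and variable names are those used above; the template body, the `demo` function and the demo-* values are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the Magnolia docs or the SSO module: a guarded
# version of the envsubst step above. It refuses to render when a credential
# variable is missing (plain envsubst would silently write an empty oidc.id or
# oidc.secret), expands only the two SSO variables so any other "${...}" text
# in the YAML survives, and creates the rendered file owner-readable only.
# File and variable names are those from the page; the template body and the
# demo-* values below are constructed for the demonstration.

# require_vars NAME...  -> 0 if every variable is set and non-empty, else 1.
require_vars() {
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "error: $name is not set; refusing to render config" >&2
      return 1
    fi
  done
  return 0
}

# render_config TEMPLATE OUTPUT -> writes OUTPUT with only $SSO_CLIENT_ID and
# $SSO_CLIENT_SECRET expanded. The variables must be exported, as envsubst
# reads them from the environment, not from shell-local variables.
render_config() {
  require_vars SSO_CLIENT_ID SSO_CLIENT_SECRET || return 1
  old_umask=$(umask)
  umask 077   # the rendered file now contains the secret
  envsubst '$SSO_CLIENT_ID $SSO_CLIENT_SECRET' < "$1" > "$2"
  status=$?
  umask "$old_umask"
  return "$status"
}

# demo -> renders a constructed template and prints the result.
demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' 'authenticationService:' '  pac4j:' \
    '    oidc.id: ${SSO_CLIENT_ID}' \
    '    oidc.secret: ${SSO_CLIENT_SECRET}' \
    '    # ${OTHER} is not an SSO variable and must stay literal' \
    > "$dir/config.yaml.tpl"
  export SSO_CLIENT_ID=demo-client SSO_CLIENT_SECRET=demo-secret
  render_config "$dir/config.yaml.tpl" "$dir/config.yaml" || return 1
  cat "$dir/config.yaml"
}

demo
```

If you render inside an intermediate Docker layer, keep in mind that the rendered config.yaml, secret included, stays in that image layer unless the rendering happens in a separate build stage.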