Hiding client credentials from the configuration file
In some projects, security requirements don’t allow credentials to be stored in plain text.
We don’t consider the threat created by this setup critical, because the credentials are never transmitted to the browser; they are only exchanged between Magnolia and the IDP.
In production, this exchange occurs over HTTPS.
However, some tools or analysts may still raise a red flag about plain-text credentials in the configuration file.
To avoid storing secrets in plain text, Magnolia supports environment variables in YAML definitions. You load your configuration through a specific "yaml bridge" that supports the '!env' directive.
You can have different configurations in one or more environments. To configure:
- Set the magnolia.yaml.envsubst feature flag (JVM option) to true.
- Pass your SSO_CLIENT_ID and SSO_CLIENT_SECRET environment variables in the config.yaml file.

  config.yaml
  clients:
    oidc.id: !env ${SSO_CLIENT_ID} (1)
    oidc.secret: !env ${SSO_CLIENT_SECRET} (2)
    oidc.clientAuthenticationMethod: client_secret_basic
    oidc.scope: openid profile email
    oidc.discoveryUri: https://id-preview.magnolia-cloud.com/oauth2/aus1qwk5o26KsY7eW0x7/.well-known/openid-configuration
    oidc.preferredJwsAlgorithm: RS256
    oidc.authorizationGenerators: groupsAuthorization
    ...

  (1) The SSO_CLIENT_ID must be defined as an environment variable.
  (2) The SSO_CLIENT_SECRET must be defined as an environment variable.
- Environment variables are created from your terminal or IDE. You then export the variable(s) like this:

  export SSO_CLIENT_ID=...
  export SSO_CLIENT_SECRET=...
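As an added example (not Magnolia's yaml bridge), the Python below resolves '!env ${VAR}' values in a constructed copy of the clients block above and reports every variable that is not set, so a deployment can refuse to start rather than run with an empty client secret; it also lists keys named *secret that still carry a literal value, which is the kind of finding a scanner would flag. The sample text, the function names and the missing-variable behaviour are assumptions of this example.

```python
import os
import re

# Constructed sample mirroring the clients block shown above; not read from disk.
SAMPLE_CONFIG = """\
clients:
  oidc.id: !env ${SSO_CLIENT_ID}
  oidc.secret: !env ${SSO_CLIENT_SECRET}
  oidc.clientAuthenticationMethod: client_secret_basic
  oidc.scope: openid profile email
"""

# A value of the form "!env ${NAME}"; the group captures NAME.
ENV_TAG = re.compile(r"^!env\s+\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")

def split_entry(line):
    """Split 'key: value' into (indented key, stripped value); value is None if no colon."""
    key, sep, value = line.partition(":")
    return (key, value.strip()) if sep else (line, None)

def resolve_env_tags(text, env=None):
    """Substitute every '!env ${NAME}' value from env (default: os.environ).

    Returns (resolved_text, missing_names). An unset variable is reported
    instead of silently becoming an empty string, so the caller can fail fast.
    """
    env = os.environ if env is None else env
    out, missing = [], []
    for line in text.splitlines():
        key, value = split_entry(line)
        match = ENV_TAG.match(value) if value is not None else None
        if match is None:
            out.append(line)          # plain entry or section header: keep as-is
            continue
        name = match.group(1)
        if name in env:
            out.append(f"{key}: {env[name]}")
        else:
            missing.append(name)
    return "\n".join(out) + "\n", missing

def plaintext_secret_keys(text):
    """Keys ending in 'secret' whose value is a literal instead of an !env tag."""
    found = []
    for line in text.splitlines():
        key, value = split_entry(line)
        if value and key.strip().lower().endswith("secret") and not ENV_TAG.match(value):
            found.append(key.strip())
    return found

if __name__ == "__main__":
    _, missing = resolve_env_tags(SAMPLE_CONFIG)
    print("unset variables:", missing)  # empty once both variables are exported
```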