Hiding client credentials from the configuration file
In some projects, security requirements don’t allow for credentials to be stored in plain-text.
We don’t consider the threat created by this setup critical, because the credentials are never transmitted in the browser, but rather when Magnolia exchanges with the IDP.
In production, this occurs via https.
However, some tools or analysts may raise a red flag regarding this topic.
To avoid storing secrets in plain text, Magnolia supports environment variables in YAML definitions for YAML definitions. You can load your configuration config through a specific "yaml bridge" that supports the '!env' directive.
You can have different configurations in one or more environments. To configure:
-
Set the
magnolia.yaml.envsubstfeature flag (JVM option) totrue. -
Pass your
SSO_CLIENT_IDandSSO_CLIENT_SECRETenvironment variables in theconfig.yamlfile.config.yamlclients: oidc.id: !env ${SSO_CLIENT_ID} (1) oidc.secret: !env ${SSO_CLIENT_SECRET} (2) oidc.clientAuthenticationMethod: client_secret_basic oidc.scope: openid profile email oidc.discoveryUri: https://id-preview.magnolia-cloud.com/oauth2/aus1qwk5o26KsY7eW0x7/.well-known/openid-configuration oidc.preferredJwsAlgorithm: RS256 oidc.authorizationGenerators: groupsAuthorization ...1 The SSO_CLIENT_IDmust be defined as an environment variable.2 The SSO_CLIENT_SECRETmust be defined as an environment variable. -
Environment variables are created from your terminal or IDE. You then export the variable(s) like this:
export SSO_CLIENT_ID=... export SSO_CLIENT_SECRET=...