Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/07/26 14:02:00 UTC

[jira] [Work logged] (KNOX-2534) Allow alias to be used in pac4j topology block

     [ https://issues.apache.org/jira/browse/KNOX-2534?focusedWorklogId=627767&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-627767 ]

ASF GitHub Bot logged work on KNOX-2534:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 26/Jul/21 14:01
            Start Date: 26/Jul/21 14:01
    Worklog Time Spent: 10m 
      Work Description: zeroflag opened a new pull request #473:
URL: https://github.com/apache/knox/pull/473


   ## What changes were proposed in this pull request?
   
   The patch makes it possible to use an alias in the pac4j provider config so that `oidc.secret` no longer needs to be hardcoded in the topology as plain text.
   
   
   ## How was this patch tested?
   
   Added an alias for oidc.secret in knoxsso.xml.
   
   ```xml
   <param>
     <name>oidc.secret</name>
     <value>${ALIAS=myOidcSecret}</value>
   </param>
   ```
   
   Created the alias with knoxcli.
   
   ```bash
   $ bin/knoxcli.sh create-alias myOidcSecret --value <my-secret> --cluster knoxsso
   ```
   
   Tested authentication with auth0.com.




Issue Time Tracking
-------------------

            Worklog Id:     (was: 627767)
    Remaining Estimate: 0h
            Time Spent: 10m

> Allow alias to be used in pac4j topology block
> ----------------------------------------------
>
>                 Key: KNOX-2534
>                 URL: https://issues.apache.org/jira/browse/KNOX-2534
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxSSO
>            Reporter: Michael Boulter
>            Assignee: Attila Magyar
>            Priority: Minor
>         Attachments: knoxsso-oidc.xml
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> We currently use Knox to authenticate users with Microsoft via pac4j federation config. 
> We have an OIDC client secret (oidc.secret) stored in plaintext in the topology file but we'd like to obfuscate and not have the plaintext value in the topology XML.
>  
> This is because OAuth strongly recommends keeping the "client secret" protected.
>  
> The alias service currently only seems to work for LDAP; it would be good if we could use it inside our pac4j block too.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
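
A way to check topologies for the condition this issue describes, as an added example that is not part of the pull request or of Knox itself: the script below flags a pac4j `oidc.secret` whose value is a literal rather than a `${ALIAS=...}` reference, and lists the alias names a topology depends on. The function name, the `SECRET_PARAMS` set and both sample topologies are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Alias reference syntax as shown in the pull request: ${ALIAS=<name>}
ALIAS_REF = re.compile(r"^\$\{ALIAS=([^}]+)\}$")

# Only oidc.secret is named on this page; extend the set for your own topologies.
SECRET_PARAMS = {"oidc.secret"}


def audit_topology(xml_text, secret_params=SECRET_PARAMS):
    """Return (findings, aliases) for the pac4j provider blocks in a topology.

    findings: secret params whose value is a literal, not an alias reference
    aliases:  alias names referenced, which must exist for that cluster
    """
    findings, aliases = [], []
    root = ET.fromstring(xml_text)
    for provider in root.iter("provider"):
        if (provider.findtext("name") or "").strip() != "pac4j":
            continue
        for param in provider.findall("param"):
            name = (param.findtext("name") or "").strip()
            value = (param.findtext("value") or "").strip()
            if name not in secret_params:
                continue
            match = ALIAS_REF.match(value)
            if match:
                aliases.append(match.group(1))
            else:
                # Report the param name only; never echo the secret itself.
                findings.append(name)
    return findings, aliases


# Constructed sample topologies (values are placeholders, not real secrets).
PLAINTEXT = """<topology><gateway><provider>
  <role>federation</role><name>pac4j</name><enabled>true</enabled>
  <param><name>oidc.id</name><value>example-client-id</value></param>
  <param><name>oidc.secret</name><value>example-plaintext-secret</value></param>
</provider></gateway></topology>"""

WITH_ALIAS = PLAINTEXT.replace("example-plaintext-secret", "${ALIAS=myOidcSecret}")

if __name__ == "__main__":
    print(audit_topology(PLAINTEXT))
    print(audit_topology(WITH_ALIAS))
```

Each alias name returned has to be created for the matching cluster (the `create-alias ... --cluster knoxsso` step in the pull request) before the topology is deployed.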