On 7.10.2013 16:14, Bill Burke wrote:
I'd like to have it that when an application is created in the admin
console, the admin can view the exact configuration files needed to
install in their application to enable security.
Unfortunately, this would involve populating application credentials in
the config file, which would require exposing the application credentials
through a REST interface, albeit a secure REST interface.
Security is one thing, and another important thing is that application
credentials are actually saved in the Picketlink DB (and I am doing
similarly for the Mongo impl) in the form of a salted hash, and it's not
possible to restore the original plain-text password from the DB. Maybe we
can fill all things into the configuration file except the password/totp,
and this will be the only thing which would need to be manually added into
the configuration file by the user himself? So generated config files could
possibly look like this:
{
  "realm" : "demo",
  "resource" : "customer-portal",
  "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-url" : "http://localhost:8080/auth-server/rest/realms/demo/tokens/login",
  "code-url" : "http://localhost:8080/auth-server/rest/realms/demo/tokens/access/codes",
  "ssl-not-required" : true,
  "credentials" : {
    "password" : "<REPLACE WITH YOUR PASSWORD>"
  }
}
I think that auto-generation of credentials through the Admin UI would
also be a nice feature. After triggering auto-generation from the admin UI,
the password could be saved into the underlying storage and displayed to
the user in plain text just once so that he can fill it into the
configuration file.
Marek
Do you think it is such a big security hole to allow for this? I've
been trying to keep the mantra to not expose credentials anywhere if
possible, yet this is a very nice security usability feature. We could
even have it that an application password, totp, and/or cert is
auto-generated.
Thoughts?
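To make the trade-off in this thread concrete, here is an added example (my own code, not Keycloak's or Picketlink's) of the scheme Marek describes: the server generates an application secret, stores only a salted PBKDF2 hash of it, returns the plain text exactly once at creation time, and renders the adapter config with every field filled in except the password, which stays a placeholder. The iteration count, the `ApplicationCredentialStore` class and `render_adapter_config` are assumptions for illustration; the config keys and URLs are the ones from the sample above.

```python
# Added example (not from the keycloak-dev thread or Keycloak itself): a
# minimal credential store that keeps only a salted PBKDF2 hash of an
# application secret, hands the plain text out exactly once at creation
# time, and renders the adapter config with a placeholder for it.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption for this example; not Keycloak's or Picketlink's real setting.
PBKDF2_ITERATIONS = 100_000
PASSWORD_PLACEHOLDER = "<REPLACE WITH YOUR PASSWORD>"


def hash_secret(secret: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: algorithm, iteration count, salt and digest.
    The record deliberately contains nothing from which `secret` can be
    recovered, which is why the admin UI cannot later show it again."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "algorithm": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify_secret(candidate: str, record: dict) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(actual, expected)


class ApplicationCredentialStore:
    """Stands in for the Picketlink/Mongo credential table from the thread."""

    def __init__(self):
        self._records = {}  # resource name -> hash record, never plain text

    def issue(self, resource: str) -> str:
        """Generate a random secret, store only its salted hash, and return the
        plain text. This is the single point where the secret is visible."""
        secret = secrets.token_urlsafe(32)
        self._records[resource] = hash_secret(secret)
        return secret

    def stored_record(self, resource: str) -> dict:
        """What an admin REST interface could safely expose: no plain text."""
        return dict(self._records[resource])

    def verify(self, resource: str, candidate: str) -> bool:
        record = self._records.get(resource)
        return record is not None and verify_secret(candidate, record)


def render_adapter_config(realm: str, resource: str, realm_public_key: str,
                          auth_url: str, code_url: str, ssl_not_required: bool = True) -> dict:
    """Everything the admin console can safely fill in; the password is left
    as a placeholder for the user to paste in by hand."""
    return {
        "realm": realm,
        "resource": resource,
        "realm-public-key": realm_public_key,
        "auth-url": auth_url,
        "code-url": code_url,
        "ssl-not-required": ssl_not_required,
        "credentials": {"password": PASSWORD_PLACEHOLDER},
    }


if __name__ == "__main__":
    store = ApplicationCredentialStore()
    shown_once = store.issue("customer-portal")  # displayed to the admin one time
    config = render_adapter_config(
        "demo", "customer-portal", "<REALM PUBLIC KEY>",
        "http://localhost:8080/auth-server/rest/realms/demo/tokens/login",
        "http://localhost:8080/auth-server/rest/realms/demo/tokens/access/codes",
    )
    print(json.dumps(config, indent=2))
    print("stored record:", store.stored_record("customer-portal"))
    print("verifies:", store.verify("customer-portal", shown_once))
```

The point the store makes is that the only place the plain-text secret exists is the return value of `issue`; everything that could be served over a REST interface (`stored_record`) carries the salt and digest only, so exposing it does not hand out the credential, while `verify` still lets the server check what the application later presents.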