cmd: Support client secret encryption at stdout #1317

Closed
sawadashota opened this issue Mar 16, 2019 · 0 comments
Is your feature request related to a problem? Please describe.

When creating clients via the command line, hydra outputs the client ID and secret to stdout.
But in some cases, this is inconvenient.

  1. The person who executes hydra clients create might not be the client application developer, and in that case he/she should not get to know the client secret.
  2. When stdout of a Docker container is being logged, I'm nervous about executing the hydra clients create command, since I don't want the output to be logged.

Describe the solution you'd like

Add an option to hydra clients create to encrypt the client secret using a PGP key.

A good example is here.
The Terraform AWS Provider provides an option to encrypt an IAM user's password.
https://www.terraform.io/docs/providers/aws/r/iam_user_login_profile.html

To apply this, the command line interface would be as follows:

  • hydra clients create --pgp-key=<base64 encoded PGP encryption key> ...
  • hydra clients create --pgp-key-url=<PGP encryption key URL> ...
  • hydra clients create --keybase=<Keybase username> ...

Then stdout will look like the following:

OAuth 2.0 Client ID: 15af00e5-6485-4f4b-bca7-713fc4868ff0
OAuth 2.0 Client Secret: wcFMA7nE0EzOyuXVARAADx8vv/Tbv37I75nTRxUMEIr7IGJtYLMjA7bO4KY+CHA+kWr7M/K3dzfSwS4n8AqjMmdDPGycBFs5QQw+5THN5TQThTIt5Wbu8SAFiFoI5Fu6ispckui4TMNq3y9QnqeD+xpBj3WAYvKomnGvV+WepUZMB6J7WNqYcSk8cKvg1WgKZgm18c7zpI9AyYDOb8gtAvBFzUc2b6SBocz3r92zj+EFjF6RaetV0LZAVqfcZjdDcr7K10GKC6SMt7uYBs8oKQ0SJhA7HyScSd7MMhtJIp+uHgjSYXPQhrukF0G62vWv1nabzlh1qqkNOKcaQFuaj17YW9h5ArldTtAho8T5IJXrMHoAaPUN7zPkt3ElfMbgIJM8hdQwnBXw+WqdczdqdjXzAfB2cGQBhOTXAUZ5Y8IAo0bAM72sqc05dEoJoPz1cdO676iMAqhiijKZ7vHvENZxXiFX9MNoAv22ICAa7avACpYsU48aucOuSbZtkz8WltOLQ457NkHimd0bHtwvW36CqkltPNHgPg4C2mJR1226nwreDajua7vTq62p/qCVE366BeOAdPu2A664APG/qiZwKa0YA7FXDREo/aJ0ryIdjGU3H9Wne6dgi+EWy5ZkZe2rzzTJbPPGc3GvVGrHPiPXfCvDLDy93LDP5QL0KdiyYNG7t+J6mLCDLtlT8VDS4AHkUbb6kRQHt3SAZjDgb08IjuHsK+Ak4NfhJoPg6OKbFgVJ4J7iPk3BSOBG5JFfC15xOpnR2Ht1L8MMY+/iIOMPdeHfMAA=

To decrypt this, the private key holder executes a base64 decode and a PGP decrypt.
The following is an example for Keybase.

$ echo ${client_secret} | base64 --decode | keybase pgp decrypt
# raw password here
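
The round trip proposed in this issue, sketched with GnuPG as an added example (not Hydra's code and not part of the original issue): the secret is encrypted to the recipient's public key, base64-encoded into the single line that reaches stdout, then decoded and decrypted by the key holder. It assumes gpg 2.1 or later is installed; the key, user ID and secret are constructed throwaway values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: GnuPG round trip of the output format proposed in the issue.
# Assumes gpg >= 2.1; key, user ID and secret are constructed throwaway values.
set -eu

RECIPIENT='App Developer <app-dev@example.test>'   # constructed user ID

# Create a passphrase-less key pair in an isolated keyring ($1 = GNUPGHOME).
make_recipient_key() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$RECIPIENT" default default never
}

# Read the secret on stdin, print one base64 line of the binary OpenPGP message.
encrypt_secret() {
  gpg --homedir "$1" --batch --quiet --encrypt --recipient "$RECIPIENT" \
    | base64 | tr -d '\n'
}

# Read that base64 line on stdin, print the recovered secret.
decrypt_secret() {
  base64 --decode | gpg --homedir "$1" --batch --quiet --decrypt
}

roundtrip_demo() {
  home=$(mktemp -d)
  secret='constructed-secret-0123456789'
  make_recipient_key "$home"
  encoded=$(printf '%s' "$secret" | encrypt_secret "$home")
  # This line is all that reaches stdout and any container log collector.
  printf 'OAuth 2.0 Client Secret: %s\n' "$encoded"
  decoded=$(printf '%s' "$encoded" | decrypt_secret "$home")
  GNUPGHOME="$home" gpgconf --kill all || true   # stop helper daemons
  rm -rf "$home"
  [ "$decoded" = "$secret" ] && echo 'round trip OK: only the key holder recovers the secret'
}

# Run the demo only when gpg is available on this machine.
if command -v gpg >/dev/null 2>&1; then roundtrip_demo; fi
```

In a real deployment the operator would hold only the recipient's public key, so the decrypt step would run on the developer's machine rather than in the same keyring.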