Creating clients with predefined credentials #91
Comments
Some values are already possible to pass:
it makes sense to pass the password as well. The password should however not be set using
Do you need this feature for
But
Please don't make it interactive
if it's not interactive, the secret will be stored in bash history,
Hm. I took a little time to research and stumbled upon SSH, which does not allow piping passwords. As already mentioned, passing passwords to the CLI is a security risk. Read more on this:
My best guess right now is setting this through env vars:
What do you think, @janekolszak?
Check out 9e4e627 - it would work like this:
Command line app has to flush stdin before asking for any security related data, so this option is out. The only option I see is to pass a configuration file with a list of clients to create.
Isn't this the same? The file can also be read. .bash_history is at least always chmod 700 or owner-/group-read only
In container environments secrets are usually set using environment variables. I believe that all PaaS (heroku, cloudfoundry, kubernetes...) don't log environment variables. Unless you think otherwise, I believe this is the right choice.
You can set the right permissions for this file too. You can also remove it after you're done with creating clients. What if I need to create a couple of clients? The configuration and env variable will be on your local laptop anyway. So I guess security isn't that important. Also this feature isn't for production, it's only for debugging and examples. I'd even allow passing the password via command line argument.
You're right, it's more obvious if it's a file than a side effect (storing it to .bash_history). Thanks for your thoughts :)
@janekolszak I have added this in 69a54e1:
please let me know if that's what you wanted
What's the format of <path/to/file.json>?
The format is the one you send to the HTTP API as documented here
Is there an updated link? The apiary one seems broken.
It would be a nice feature to pass ID/secret pair to hydra clients create.
This is only for development of course. Right now I have to parse .hydra.yml to get the trusted client's credentials. It would be much easier to just have them predefined and hard-coded somewhere.
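The file-based option discussed in this thread (owner-only permissions, secret taken from the environment rather than an argument, file removed afterwards) can be sketched as follows. This is an added example, not code from the project or from any commenter; `CLIENT_SECRET`, the function names and the JSON field names are constructed placeholders, not the project's documented file format.

```shell
# Constructed example: CLIENT_SECRET, the function names and the JSON field
# names are placeholders, not the project's documented format.

# Succeeds only if the path is a regular file with mode rw------- (0600).
is_owner_only() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Writes a client definition to a new owner-only file and prints its path.
# The secret comes from the environment, so it never appears in argv
# (visible in `ps`) or in shell history.
write_client_file() {
    id=$1
    secret=${CLIENT_SECRET:-}
    if [ -z "$id" ] || [ -z "$secret" ]; then
        echo "need a client id argument and CLIENT_SECRET in the environment" >&2
        return 1
    fi
    # Refuse characters that would need JSON escaping rather than emit bad JSON.
    case "$id$secret" in
        *\"*|*\\*) echo "id/secret must not contain quotes or backslashes" >&2
                   return 1 ;;
    esac
    old_umask=$(umask)
    umask 077                       # owner-only from creation, no chmod race
    f=$(mktemp "${TMPDIR:-/tmp}/client.XXXXXX")
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    printf '{"id":"%s","secret":"%s"}\n' "$id" "$secret" > "$f"
    printf '%s\n' "$f"
}

# Typical use (not run here):
#   file=$(write_client_file my-client) && trap 'rm -f "$file"' EXIT
#   is_owner_only "$file" && echo "pass $file to the client-creation command"
```

The `trap` removes the file when the shell exits, which covers the "remove it after you're done" step even if a later command fails.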