Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

  •  
     
    story #10728 encrypt OpenID Connect server client secret key before storing them in the DB
Actions
Summary
Empty
encrypt OpenID Connect server client secret key before storing them in the DB
OpenID Connect provider client secret are still reasonably safe if the database server is compromised but not the Tuleap server.

As site admin, in the OpenID Connect plugin administration:

  • A warning is displayed on OpenID Connect servers whose client secret is stored (or has been stored) in cleartext

At OpenID Connect server creation or update only the encrypted client secret is stored and the cleartext client secret is nulled if existing.

When a OpenID Connect server is used, the password is decrypted before usage

 

It leverages the existing Tuleap cryptography API.

Empty
Empty
Status
Empty
Ready (stalled)
Development
  • [ ] Does it involves User Interface? 
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
Empty
Details
#10728
Thomas Gerbet (tgerbet)
2022-05-09 16:55
2017-10-04 13:26
10964

References
Artifact links
Empty
Referencing story #10728

Artifact Tracker v5

epic #11648 Multi-Factor Authentication
Display settings

Follow-ups