dominik-th / matomo-plugin-LoginOIDC

external authentication services for matomo
https://plugins.matomo.org/LoginOIDC/
GNU General Public License v3.0
40 stars 29 forks

Plain text used in the database with OIDC clientID and secret #88

Closed ToniIltanen closed 1 year ago

ToniIltanen commented 1 year ago

Currently the LoginOIDC clientId and clientSecret are saved as plain text in the database.

I suggest using MySQL/MariaDB's encrypt and decrypt functions instead, because saving OIDC secrets as plain text could violate the project's information security policy. The salt for the functions could be read from, e.g., an environment variable or from a separate JSON file, allowing easy customization in the CD pipeline.

dominik-th commented 1 year ago

Hi Toni! You don't have to store the OIDC client ID or secret in the database; you can also make use of Matomo's config.ini file. Maybe you can even connect this way of configuring the plugin with the EnvironmentVariables plugin, but the description says it might write your config on disk, so I don't see any real benefit here.

To set the values via environment variables just configure it like this:

[LoginOIDC]
clientId = ${MATOMO_OIDC_CLIENT_ID}
clientSecret = ${MATOMO_OIDC_CLIENT_SECRET}

see https://www.php.net/manual/en/function.parse-ini-file.php
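
The pipeline side of the approach described in the reply above, as an added example that is not code from the LoginOIDC plugin, from Matomo, or from either commenter: it renders the [LoginOIDC] section with ${VAR} placeholders, checks that the rendered text never contains the secret value itself (so the fragment can be templated or committed safely), and approximates the ${VAR} expansion that the linked parse_ini_file behaviour performs at load time so the value Matomo would end up with can be checked before deployment. The function names, the fail-closed behaviour on an unset variable, and the sample values are assumptions of this example, not behaviour of PHP or Matomo.

```python
"""
Added example, not code from the LoginOIDC plugin or from Matomo.

Render the [LoginOIDC] section with ${VAR} placeholders, verify no literal
secret landed in the rendered config, and approximate the ${VAR} expansion
PHP's INI scanner applies at load time.  Function and env-var names are
illustrative assumptions.
"""
import re
import tempfile
from pathlib import Path

# ${NAME} placeholder; the name charset mirrors shell identifiers (assumption).
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def render_loginoidc_section(client_id_var="MATOMO_OIDC_CLIENT_ID",
                             client_secret_var="MATOMO_OIDC_CLIENT_SECRET"):
    """Config fragment that names the env vars; no credential value is embedded."""
    return (
        "[LoginOIDC]\n"
        f"clientId = ${{{client_id_var}}}\n"
        f"clientSecret = ${{{client_secret_var}}}\n"
    )


def contains_literal(text, secret):
    """Pipeline guard: True if the secret value itself ended up in the rendered config."""
    return secret in text


def expand_ini_values(text, env):
    """
    Approximation (an assumption of this example, not PHP's code) of ${VAR}
    expansion for a small INI fragment, returning {key: expanded value}.
    An unset variable raises KeyError (design choice of this example) so a
    misconfigured pipeline fails loudly instead of handing Matomo an empty
    client secret.
    """
    def lookup(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"environment variable {name} is not set")
        return env[name]

    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";", "#")):
            continue  # section header, comment or blank line
        key, _, raw = line.partition("=")
        values[key.strip()] = PLACEHOLDER.sub(lookup, raw.strip())
    return values


if __name__ == "__main__":
    # Constructed sample values; real ones come from the CD pipeline's secret store.
    runtime_env = {"MATOMO_OIDC_CLIENT_ID": "matomo-web",
                   "MATOMO_OIDC_CLIENT_SECRET": "constructed-secret-value"}
    section = render_loginoidc_section()

    with tempfile.TemporaryDirectory() as workdir:
        path = Path(workdir) / "config.ini.php"
        path.write_text(section, encoding="utf-8")
        on_disk = path.read_text(encoding="utf-8")
        print("secret written to disk:",
              contains_literal(on_disk, runtime_env["MATOMO_OIDC_CLIENT_SECRET"]))

    print("values Matomo would load:", expand_ini_values(section, runtime_env))
    try:
        expand_ini_values(section, {"MATOMO_OIDC_CLIENT_ID": "matomo-web"})
    except KeyError as err:
        print("fail-closed check:", err)
```

The guard is worth running as a pipeline step whenever the config is generated by templating, because a shell heredoc or template engine that expands `${MATOMO_OIDC_CLIENT_SECRET}` at render time would quietly turn the placeholder back into a plain-text secret on disk, which is exactly what the placeholder approach is meant to avoid.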

ToniIltanen commented 1 year ago

Thanks! That solution makes it easier in the IaC pipeline to auto-configure the plugin, because you can populate the ini file even before Matomo or any database exists in the target environment.