Closed ToniIltanen closed 1 year ago
Hi Toni!
You don't have to store the OIDC client id or secret in the database, you can also make use of Matomo's config.ini file.
Maybe you can even connect this way of configuring the plugin with the EnvironmentVariables plugin, but the description says it might write your config on disk, so I don't see any real benefit here.
To set the values via environment variables just configure it like this:

```ini
[LoginOIDC]
clientId = ${MATOMO_OIDC_CLIENT_ID}
clientSecret = ${MATOMO_OIDC_CLIENT_SECRET}
```

See https://www.php.net/manual/en/function.parse-ini-file.php
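
An added example, not part of the original comment or of the LoginOIDC plugin: a pre-deploy shell check for the configuration above. It verifies that `clientId` and `clientSecret` in `[LoginOIDC]` are `${...}` references rather than literal values, and that the referenced variables are exported and non-empty. The function name `check_oidc_ini` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not LoginOIDC or Matomo code): pre-deploy check that the
# [LoginOIDC] section of config.ini references environment variables
# instead of carrying literal credentials.

# check_oidc_ini FILE: prints one line per key, returns 1 on any failure.
check_oidc_ini() {
    file=$1
    rc=0
    for key in clientId clientSecret; do
        # Extract the value of "key = value" from the [LoginOIDC] section only.
        value=$(awk -v key="$key" '
            /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[LoginOIDC\]/); next }
            in_sec && index($0, "=") {
                k = substr($0, 1, index($0, "=") - 1)
                gsub(/[ \t]/, "", k)
                if (k == key) {
                    v = substr($0, index($0, "=") + 1)
                    gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                    print v
                    exit
                }
            }' "$file")
        case $value in
            '')
                echo "FAIL $key: not set in [LoginOIDC]"; rc=1 ;;
            '${'*'}')
                var=${value#??}   # drop the leading "${"
                var=${var%?}      # drop the trailing "}"
                case $var in
                    ''|*[!A-Za-z0-9_]*)
                        echo "FAIL $key: malformed reference"; rc=1 ;;
                    *)
                        # printenv sees only exported variables, as the PHP process will.
                        if [ -n "$(printenv "$var")" ]; then
                            echo "OK   $key: taken from \$$var"
                        else
                            echo "FAIL $key: \$$var is unset or empty"; rc=1
                        fi ;;
                esac ;;
            *)
                # Never echo the value itself: it may be the real secret.
                echo "FAIL $key: literal value in file"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it in the pipeline as `check_oidc_ini config/config.ini` after the ini file has been rendered and the secrets injected; the path is a placeholder for wherever your deployment places the file.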
Thanks! That solution makes it easier in the IaC pipeline to auto-configure the plugin, because you can populate the ini file even before Matomo or any database exists in the target environment.
Currently the LoginOIDC clientId and clientSecret are saved as plain text in the database.
I suggest using MySQL/MariaDB's encrypt and decrypt functions instead, because saving OIDC secrets as plain text could violate the project's information security policy. The salt for the functions could be read from e.g. an environment variable or from a separate JSON file, allowing easy customization in the CD pipeline.