Open anonymouse64 opened 5 years ago
Currently we have most information output at Info level in the log for debugging purposes, and this indeed could be a security concern. Switching them to debug level or exporting the token into a file on the file system still exposes a potential security threat. Utilizing a secret store service could be a good idea, and we will explore the approach in the next release.
While I agree that putting the token into a file exposes a security threat, in some circumstances it's an acceptable compromise. I think it should at least be configurable to either use the security secret store or use a file. For reference, the kong token is also still saved as a file, so saving the oauth token to a file isn't any less secure than the general case where we don't have a hardware root of trust.
One approach is to write the token into a file as well as print it out on the console. I would propose to write to a file "accessToken.json" that includes the user name and token in the current directory. The format will be something like:
{ "User": "tom", "Token": "yIPD6phz1zhFiF7PwRa7gDV4GP0YVSAe" }
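As an added illustration of the file-based option discussed in this thread (example code, not edgexproxy's own implementation), the snippet below writes the proposed accessToken.json layout owner-only (mode 0600) and returns a redacted form suitable for an Info-level log line instead of the raw token. The file name and JSON keys come from the proposal above; the 0600 permission and the redaction format are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// accessToken mirrors the {"User": ..., "Token": ...} layout proposed in the thread.
type accessToken struct {
	User  string `json:"User"`
	Token string `json:"Token"`
}

// redact returns a form of the token safe for an Info-level log line:
// only the last four characters and the length survive (assumed format).
func redact(token string) string {
	if len(token) <= 4 {
		return "****"
	}
	return fmt.Sprintf("****%s (len=%d)", token[len(token)-4:], len(token))
}

// writeAccessToken writes accessToken.json into dir, forces mode 0600 so only
// the owner can read it (assumption, not from the thread), and returns the
// redacted string that a caller may log in place of the token itself.
func writeAccessToken(dir, user, token string) (string, error) {
	data, err := json.Marshal(accessToken{User: user, Token: token})
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "accessToken.json")
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return "", err
	}
	// WriteFile only applies the mode on create; an existing file keeps its
	// old permissions, so tighten them explicitly.
	if err := os.Chmod(path, 0o600); err != nil {
		return "", err
	}
	return redact(token), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "tok") // constructed scratch directory
	defer os.RemoveAll(dir)
	logLine, err := writeAccessToken(dir, "tom", "yIPD6phz1zhFiF7PwRa7gDV4GP0YVSAe")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("token written; safe log form:", logLine)
}
```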
Fixed in #66. The token will be written to accessToken.json file.
@tingyuz please do not close issues until the issue is actually merged and fixed in master, i.e. your linked PR may eventually resolve the issue but it is not yet resolved because that PR hasn't been merged.
OK, reopening the issue to track it.
Currently the only place that the OAuth bearer token is output when generated by edgexproxy is in the log using a LoggingClient.Info call. This has 2 problems: