Base64EncodedSecretStore

Manage a repository of generic secrets, such as passwords or simple shared secrets, whose values are base64-encoded, and hard-coded in the route.

Secrets from Base64EncodedSecretStore never expire.

Use Base64EncodedSecretStore for testing or evaluation only, to store passwords locally. In production, use an alternative secret store.

For a description of how secrets are managed, see About Secrets.

Usage

{
  "name": string,
  "type": "Base64EncodedSecretStore",
  "config": {
    "secrets": map
  }
}

Properties

"secrets": map, required

A list of one or more secret ID/string pairs:

{
  "secrets": {
    "secret-id": "string",
    ...
  }
}

Each pair has the form "secret-id": "string", where:

  • secret-id is the ID of a secret used in a route

  • string is the base64-encoded value of the secret

In the following example, Base64EncodedSecretStore configures two base64-encoded secrets:

{
  "type": "Base64EncodedSecretStore",
  "config": {
    "secrets": {
      "agent.password": "d2VsY29tZQ==",
      "crypto.header.key": "Y2hhbmdlaXQ="
    }
  }
}

In the following example, the values of the secrets are provided by a configuration token and a configuration expression, whose values are substituted when the route is loaded:

{
  "type": "Base64EncodedSecretStore",
  "config": {
    "secrets": {
      "agent.password": "&{secret.value|aGVsbG8=}",
      "crypto.header.key": "${readProperties('file.property')['b64.key.value']}"
    }
  }
}

Log Level

To facilitate debugging secrets for the Base64EncodedSecretStore, in logback.xml add a logger defined by the fully qualified package name of the Base64EncodedSecretStore. The following line in logback.xml sets the log level to ALL:

<logger name="org.forgerock.openig.secrets.Base64EncodedSecretStore" level="ALL">

Example

In the following example, an AmService acts on behalf of IG to authenticate with AM. IG uses the Base64EncodedSecretStore to retrieve the password for the AmService.

Retrieve a Secret From a Route

Before you start:

  • Prepare IG as described in the Getting Started.

  • Install and configure AM on http://openam.example.com:8088/openam, with the default configuration.

    1. Set up AM

      1. (From AM 6.5.x) Select Identities > demo, and set the demo user password to Ch4ng31t.

      2. (For AM 6.5.3 and later versions) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources :

        • http://openig.example.com:8080/*

        • http://openig.example.com:8080/*?*

      3. Select Applications > Agents > Identity Gateway, add an agent with the following values:

    2. Set up IG:

      1. Add the following route to IG, to serve .css and other static resources for the sample application:

        • Linux

        • Windows

        $HOME/.openig/config/routes/static-resources.json
        appdata\OpenIG\config\routes\static-resources.json
        {
          "name" : "sampleapp-resources",
          "baseURI" : "http://app.example.com:8081",
          "condition": "${matches(request.uri.path,'^/css')}",
          "handler": "ReverseProxyHandler"
        }
      2. Add the following route to IG:

        • Linux

        • Windows

        $HOME/.openig/config/routes/base64encodedsecret.json
        appdata\OpenIG\config\routes\base64encodedsecret.json
        {
          "heap": [
            {
              "name": "Base64EncodedSecretStore-1",
              "type": "Base64EncodedSecretStore",
              "config":  {
                "secrets": {
                  "agent.secret.id": "cGFzc3dvcmQ="
                }
              }
            },
            {
              "name": "AmService-1",
              "type": "AmService",
              "config": {
                "url": "http://openam.example.com:8088/openam",
                "agent": {
                  "username": "ig_agent",
                  "passwordSecretId": "agent.secret.id"
                },
                "secretsProvider": "Base64EncodedSecretStore-1",
                "version": "7.1",
                "notifications": {
                  "enabled": true
                }
              }
            }
          ],
          "handler": {
            "type": "Chain",
            "config": {
              "filters": [
                {
                  "type": "SingleSignOnFilter",
                  "config": {
                    "amService": "AmService-1"
                  }
                }
              ],
              "handler": "ReverseProxyHandler"
            }
          },
          "condition": "${matches(request.uri.path, '/home/base64encodedsecret')}",
          "baseURI": "http://app.example.com:8081"
        }

        Notice the following features of the route:

        • The route matches requests to /home/base64encodedsecret.

        • The agent password for AmService is provided by the Base64EncodedSecretStore in the heap.

        • The SingleSignOnFilter manages redirects to AM for authentication, using the IG agent in AmService-1.

    3. Test the setup:

      1. If you are logged in to AM, log out and clear any cookies.

      2. Go to http://openig.example.com:8080/home/base64encodedsecret.

        The SingleSignOnFilter redirects the request to AM for authentication.

      3. Log in to AM as user demo, password Ch4ng31t.

        When you have authenticated, the SingleSignOnFilter passes the request to the sample app, which returns the profile page.