Base64EncodedSecretStore
Manage a repository of generic secrets, such as passwords or simple shared secrets, whose values are base64-encoded and hard-coded in the route.
Secrets from Base64EncodedSecretStore never expire.
Use Base64EncodedSecretStore for testing or evaluation only, to store passwords locally. In production, use an alternative secret store.
For a description of how secrets are managed, see About Secrets.
Properties
"secrets": map, required
A map of one or more secret ID/string pairs:
{ "secrets": { "secret-id": "string", ... } }
Each pair has the form "secret-id": "string", where:
- secret-id is the ID of a secret used in a route
- string is the base64-encoded value of the secret
In the following example, Base64EncodedSecretStore configures two base64-encoded secrets:
{
  "type": "Base64EncodedSecretStore",
  "config": {
    "secrets": {
      "agent.password": "d2VsY29tZQ==",
      "crypto.header.key": "Y2hhbmdlaXQ="
    }
  }
}
In the following example, the values of the secrets are provided by a configuration token and a configuration expression, whose values are substituted when the route is loaded:
{
  "type": "Base64EncodedSecretStore",
  "config": {
    "secrets": {
      "agent.password": "&{secret.value|aGVsbG8=}",
      "crypto.header.key": "${readProperties('file.property')['b64.key.value']}"
    }
  }
}
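As an added check (example code, not part of the IG documentation or product), the following Python script reads a route, finds each Base64EncodedSecretStore in its heap and reports, per secret ID, whether the value is deferred to a configuration token or expression, is a valid base64 literal (hard-coded, so testing only), or is not base64 at all; it also confirms that every AmService passwordSecretId names a secret the store defines. The sample route and the finding labels are constructed for this example.

```python
import base64
import binascii
import json

# Constructed sample route (not from the page): the store from the example above
# plus a deferred value, a value that is not base64, and a dangling secret ID.
SAMPLE_ROUTE = json.dumps({"heap": [
    {"name": "Base64EncodedSecretStore-1", "type": "Base64EncodedSecretStore",
     "config": {"secrets": {
         "agent.secret.id": "cGFzc3dvcmQ=",
         "crypto.header.key": "${readProperties('file.property')['b64.key.value']}",
         "broken.secret.id": "not base64!"}}},
    {"name": "AmService-1", "type": "AmService",
     "config": {"url": "http://openam.example.com:8088/openam",
                "agent": {"username": "ig_agent", "passwordSecretId": "missing.secret.id"},
                "secretsProvider": "Base64EncodedSecretStore-1"}},
]})


def is_deferred(value):
    """Configuration token (&{...}) or expression (${...}): substituted at route load."""
    return value.startswith("&{") or value.startswith("${")


def lint_route(route_text):
    """Return (secret_id, finding) pairs for every Base64EncodedSecretStore in a route."""
    route = json.loads(route_text)
    heap = route.get("heap", [])
    findings, defined = [], set()
    for obj in heap:
        if obj.get("type") != "Base64EncodedSecretStore":
            continue
        for secret_id, value in obj["config"]["secrets"].items():
            defined.add(secret_id)
            if is_deferred(value):
                findings.append((secret_id, "resolved at load time"))
                continue
            try:  # validate=True rejects characters outside the base64 alphabet
                base64.b64decode(value, validate=True)
            except binascii.Error:
                findings.append((secret_id, "not valid base64"))
            else:
                findings.append((secret_id, "hard-coded, testing only"))
    # Second pass: every agent passwordSecretId must name a secret the store defines
    for obj in heap:
        agent = obj.get("config", {}).get("agent")
        ref = agent.get("passwordSecretId") if isinstance(agent, dict) else None
        if ref and ref not in defined:
            findings.append((ref, "referenced but not defined"))
    return findings
```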
Log Level
To facilitate debugging secrets for the Base64EncodedSecretStore, in logback.xml add a logger defined by the fully qualified package name of the Base64EncodedSecretStore. The following line in logback.xml sets the log level to ALL:
<logger name="org.forgerock.openig.secrets.Base64EncodedSecretStore" level="ALL" />
Example
In the following example, an AmService acts on behalf of IG to authenticate with AM. IG uses the Base64EncodedSecretStore to retrieve the password for the AmService.
Before you start:
- Prepare IG as described in the Getting Started.
- Install and configure AM on http://openam.example.com:8088/openam, with the default configuration.
- Set up AM:
  - (From AM 6.5.x) Select Identities > demo, and set the demo user password to Ch4ng31t.
  - (For AM 6.5.3 and later versions) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:
    - http://openig.example.com:8080/*
    - http://openig.example.com:8080/*?*
  - Select Applications > Agents > Identity Gateway, and add an agent with the following values:
    - Agent ID: ig_agent
    - Password: password
    For AM 6.5.x and earlier versions, set up an agent as described in Set Up an IG Agent in AM 6.5 and Earlier.
- Set up IG:
  - Add the following route to IG, to serve .css and other static resources for the sample application:
    Linux: $HOME/.openig/config/routes/static-resources.json
    Windows: appdata\OpenIG\config\routes\static-resources.json
    {
      "name": "sampleapp-resources",
      "baseURI": "http://app.example.com:8081",
      "condition": "${find(request.uri.path,'^/css')}",
      "handler": "ReverseProxyHandler"
    }
  - Add the following route to IG:
    Linux: $HOME/.openig/config/routes/base64encodedsecret.json
    Windows: appdata\OpenIG\config\routes\base64encodedsecret.json
    {
      "heap": [
        {
          "name": "Base64EncodedSecretStore-1",
          "type": "Base64EncodedSecretStore",
          "config": {
            "secrets": {
              "agent.secret.id": "cGFzc3dvcmQ="
            }
          }
        },
        {
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "url": "http://openam.example.com:8088/openam",
            "agent": {
              "username": "ig_agent",
              "passwordSecretId": "agent.secret.id"
            },
            "secretsProvider": "Base64EncodedSecretStore-1",
            "version": "7.1",
            "notifications": {
              "enabled": true
            }
          }
        }
      ],
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "type": "SingleSignOnFilter",
              "config": {
                "amService": "AmService-1"
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      },
      "condition": "${find(request.uri.path, '/home/base64encodedsecret')}",
      "baseURI": "http://app.example.com:8081"
    }
    Notice the following features of the route:
    - The route matches requests to /home/base64encodedsecret.
    - The agent password for AmService is provided by the Base64EncodedSecretStore in the heap.
    - The SingleSignOnFilter manages redirects to AM for authentication, using the IG agent in AmService-1.
- Test the setup:
  - If you are logged in to AM, log out and clear any cookies.
  - Go to http://openig.example.com:8080/home/base64encodedsecret. The SingleSignOnFilter redirects the request to AM for authentication.
  - Log in to AM as user demo, password Ch4ng31t. When you have authenticated, the SingleSignOnFilter passes the request to the sample app, which returns the profile page.