Base64EncodedSecretStore
Manage a repository of generic secrets, such as passwords or simple shared secrets, whose values are base64-encoded and hard-coded in the route.
The secrets provider queries the Base64EncodedSecretStore for a named secret, identified by the secret-id in the "secret-id": "string" pair. The Base64EncodedSecretStore returns the matching secret.
The secrets provider then builds the secret, checking that the secret's constraints are met, and returns a unique secret. If the constraints are not met, the secrets provider cannot build the secret and the secret query fails.
Secrets from Base64EncodedSecretStore never expire.
Use Base64EncodedSecretStore for testing or evaluation only, to store passwords locally. Base64 is an encoding, not encryption: anyone who can read the route configuration can recover the secret values. In production, use an alternative secret store.
For a description of how secrets are managed, see Secrets.
Properties
"secrets": map, required
Map of one or more secret ID/string pairs:
{ "secrets": { "secret-id": "configuration expression<string>", ... } }
Each pair has the form "secret-id": "string", where:
- secret-id is the ID of a secret used in a route
- string is the base64-encoded value of the secret
In the following example, Base64EncodedSecretStore configures two base64-encoded secrets:
{ "type": "Base64EncodedSecretStore", "config": { "secrets": { "agent.password": "d2VsY29tZQ==", "crypto.header.key": "Y2hhbmdlaXQ=" } } }
In the following example, the values of the secrets are provided by a configuration token and a configuration expression, whose values are substituted when the route is loaded:
{ "type": "Base64EncodedSecretStore", "config": { "secrets": { "agent.password": "&{secret.value|aGVsbG8=}", "crypto.header.key": "${readProperties('file.property')['b64.key.value']}" } } }
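The following Python script is an added example; it is not part of this page and is not IG's own code. It produces the base64 form the secrets map expects from a plaintext value, and audits a route for Base64EncodedSecretStore entries: literal values are decoded back to plaintext (showing that base64 gives no confidentiality), values written as a configuration token (&{...}) or expression (${...}) are reported as deferred because they are only substituted when the route is loaded, and values that are not valid base64 are reported as invalid, since no secret can be built from them. The sample route, its heap layout, and the extra secret IDs in it are constructed for this example.

```python
"""Audit Base64EncodedSecretStore entries in an IG route (added example)."""
import base64
import binascii
import json
import re
from typing import Any, Dict, Iterator

# Tokens (&{name|default}) and expressions (${...}) are substituted when
# the route loads, so their literal text is not the secret value.
DEFERRED = re.compile(r"^(&\{.*\}|\$\{.*\})$", re.DOTALL)

# Constructed sample route (assumption: a heap object with name/type/config,
# as in an IG route). The first two values are the ones shown on the page.
SAMPLE_ROUTE = json.dumps({
    "heap": [
        {
            "name": "SecretStore",
            "type": "Base64EncodedSecretStore",
            "config": {
                "secrets": {
                    "agent.password": "d2VsY29tZQ==",
                    "crypto.header.key": "Y2hhbmdlaXQ=",
                    "token.secret": "&{secret.value|aGVsbG8=}",
                    "expr.secret": "${readProperties('file.property')['b64.key.value']}",
                    "broken.secret": "not base64!",
                }
            },
        }
    ]
})


def encode_secret(plaintext: str) -> str:
    """Return the value to put in the secrets map for a plaintext secret."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")


def decode_secret(value: str) -> bytes:
    """Strict base64 decode; raises ValueError for anything malformed."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {value!r}") from exc


def find_stores(node: Any) -> Iterator[dict]:
    """Yield every JSON object whose type is Base64EncodedSecretStore."""
    if isinstance(node, dict):
        if node.get("type") == "Base64EncodedSecretStore":
            yield node
        for child in node.values():
            yield from find_stores(child)
    elif isinstance(node, list):
        for child in node:
            yield from find_stores(child)


def audit_route(route_json: str) -> Dict[str, Any]:
    """Classify each secret as recovered plaintext, deferred, or invalid."""
    report: Dict[str, Any] = {"recovered": {}, "deferred": [], "invalid": []}
    for store in find_stores(json.loads(route_json)):
        secrets = store.get("config", {}).get("secrets", {})
        for secret_id, value in secrets.items():
            if not isinstance(value, str):
                report["invalid"].append(secret_id)
            elif DEFERRED.match(value):
                report["deferred"].append(secret_id)
            else:
                try:
                    plaintext = decode_secret(value).decode("utf-8", "replace")
                    report["recovered"][secret_id] = plaintext
                except ValueError:
                    report["invalid"].append(secret_id)
    return report


if __name__ == "__main__":
    # Every literal value comes back as plaintext: the store hides nothing.
    print(json.dumps(audit_route(SAMPLE_ROUTE), indent=2))
```

Running the audit against a route that is about to ship is a cheap way to catch a Base64EncodedSecretStore that was left over from testing; any entry in the recovered list is a credential readable by whoever can read the route file.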
Log level
To facilitate debugging secrets for the Base64EncodedSecretStore, in logback.xml add a logger defined by the fully qualified package name of the Base64EncodedSecretStore. The following line in logback.xml sets the log level to ALL:
<logger name="org.forgerock.openig.secrets.Base64EncodedSecretStore" level="ALL"/>
Because this logger is intended to trace secret handling, treat its output as sensitive: enable it only in a test environment and remove the entry afterward.
Example
For an example that uses Base64EncodedSecretStore, see client-credentials.json in Using OAuth 2.0 client credentials.