TL;DR
If an invalid COOKIE_SECRET value is given, sso should provide guidance for how to generate a valid one rather than a cryptic error message. Bonus points for providing a separate sso-gen-secret binary that will Just Work!
Let's make it as easy as possible for users to generate good, secure secrets!
A bit more context
The error message sso gives for an invalid COOKIE_SECRET value takes this general form (for abcd as the secret value):
{"error":"Invalid configuration:\n cookie_secret must be 32 or 64 bytes to create an AES cipher but is 4 bytes. note: cookie secret was base64 decoded from \"abcd\"","level":"error","msg":"error validating opts","service":"sso-authenticator","time":"2018-08-25 00:15:04.82512"}
But we still get an error message if we try a 32-byte secret (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx):
{"error":"Invalid configuration:\n cookie_secret must be 32 or 64 bytes to create an AES cipher but is 24 bytes. note: cookie secret was base64 decoded from \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"","level":"error","msg":"error validating opts","service":"sso-authenticator","time":"2018-08-25 00:17:33.82512"}
Having dug into this a bit, I know that sso is trying to base64-decode the given secret value (that's why it reports a length of 24 bytes above), but, as I'll illustrate in a follow-up issue, it can be difficult to generate a valid secret even with this knowledge.
Working example
Here's one way that works, assuming python is available (note the use of urlsafe_b64encode, which seems to agree with the golang decoder used in sso):
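The author's python snippet did not survive on this page. What follows is an added example, not the issue author's code and not part of the sso project: a small Python script that does what the post describes, namely draw 32 or 64 bytes from the OS CSPRNG, URL-safe base64 encode them with padding (Go's base64.URLEncoding, which the post says sso uses, requires the padding), and then check the result against the rule sso's error message states (decode, then require exactly 32 or 64 bytes). The function names and the re-implemented check are this example's own assumptions about that rule, and the script also reproduces the 24-byte result the post shows for a secret of 32 x characters.

```python
import base64
import binascii
import os


def gen_cookie_secret(nbytes=32):
    """Return a COOKIE_SECRET string: nbytes of CSPRNG output, URL-safe base64 with padding.

    nbytes must be 32 or 64, the two decoded lengths sso's error message accepts.
    Padding is kept on purpose: Go's base64.URLEncoding rejects unpadded input.
    32 bytes encode to 44 characters (one '='), 64 bytes to 88 characters (two '=').
    """
    if nbytes not in (32, 64):
        raise ValueError("cookie secret must be 32 or 64 bytes, got %d" % nbytes)
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode("ascii")


def decoded_length(secret):
    """Number of bytes the secret base64-decodes to, i.e. the figure sso reports."""
    return len(base64.urlsafe_b64decode(secret))


def check_cookie_secret(secret):
    """Re-implementation (this example's own, not sso's code) of the rule stated in
    sso's error: the base64-decoded secret must be 32 or 64 bytes long.

    Returns (ok, message); the failure message includes the fix the issue asks for.
    """
    try:
        raw = base64.urlsafe_b64decode(secret)
    except (binascii.Error, ValueError) as exc:
        return False, "cookie secret is not valid base64: %s" % exc
    if len(raw) not in (32, 64):
        return False, (
            "cookie_secret must be 32 or 64 bytes to create an AES cipher but is %d bytes; "
            "generate one with: python -c \"import base64, os; "
            "print(base64.urlsafe_b64encode(os.urandom(32)).decode())\"" % len(raw)
        )
    return True, "ok"


if __name__ == "__main__":
    # The two values from the issue: 32 literal 'x' characters decode to 24 bytes,
    # and a freshly generated secret passes the check.
    print(check_cookie_secret("x" * 32))
    secret = gen_cookie_secret(32)
    print("COOKIE_SECRET=%s" % secret, check_cookie_secret(secret))
```

One caveat when comparing with the post's first error: a plain base64 decode of abcd yields 3 bytes, while sso reports 4; whatever extra accounting sso does on top of decoding is not reproduced here. The 24-byte figure for the 32-x secret, on the other hand, falls straight out of the decode, which is why a valid secret needs 44 (or 88) base64 characters rather than 32.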