Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Parameterize client secret #347

Merged
merged 2 commits into from Jul 11, 2018

Conversation

Projects
None yet
3 participants
@c-w
Copy link
Contributor

commented Jul 10, 2018

This issue was found by @taupalosaurus. If a non-Google authentication provider is used, the client secret stored in the OKpy database will be different from this hard-coded value which causes the ok-client to ok-server communication to fail.

A work-around for this is to manually adjust the client secret in the ok-server database via the following command.

UPDATE client
SET client_secret='EWKtcCp5nICeYgVyCPypjs3aLORqQ3H'
WHERE client_id='ok-client';

However, a more long-term manageable fix is to parameterize the client secret and set it to the correct value for the authentication provider in each ok-client deployment.

Parameterize client secret
If a non-Google authentication provider is used, the client secret
stored in the OKpy database will be different from this hard-coded
value which causes the ok-client to ok-server communication to fail.

A work-around for this is to manually adjust the client secret in the
ok-server database via the following command.

```sql
UPDATE client
SET client_secret='EWKtcCp5nICeYgVyCPypjs3aLORqQ3H'
WHERE client_id='ok-client';
```

However, a more long-term manageable fix is to parameterize the client
secret and set it to the correct value for the authentication provider
in each ok-client deployment.

@c-w c-w requested a review from Sumukh Jul 10, 2018

@colinschoen
Copy link
Member

left a comment

LGTM

@Sumukh

Sumukh approved these changes Jul 10, 2018

Copy link
Member

left a comment

Suggested a comment to make it clearer but looks good

CLIENT_SECRET = 'EWKtcCp5nICeYgVyCPypjs3aLORqQ3H'
# However, for other authentication providers such as Azure Active Directory
# this might not be the case
CLIENT_SECRET = os.getenv('OK_CLIENT_SECRET',

This comment has been minimized.

Copy link
@Sumukh

Sumukh Jul 10, 2018

Member

Could you make clear that this is the secret for the ok-client app on the ok service. I think that was unclear before. People can find the secret value at example.com/admin/clients/ok-client?

This comment has been minimized.

Copy link
@c-w

c-w Jul 11, 2018

Author Contributor

Done in d3a614a.

@c-w c-w merged commit 667013c into master Jul 11, 2018

3 checks passed

Travis CI - Branch Build Passed
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details

@c-w c-w deleted the enhancement/c-w/parameterize-client-secret branch Jul 11, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.