- ABP Framework version: v8.0.2
- UI Type: Blazor Server
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): no
We have a customer who has high security requirements. User authentication runs via Microsoft (AzureAD / Entra). We have configured the external Microsoft provider, which works well.
However, the problem is that the customer does not accept that the ClientId & ClientSecret are stored in plain text in the database. The option of storing this information in appsettings.json is of course even worse and therefore not an alternative.
What options would I have to store this information securely?
Of course, it would also be great if you could implement this in a future version so that the information is stored in the AbpSettings in encrypted way, for example. But until then, I need another solution as quickly as possible.
A similar question concerns the credentials of a client that accesses via the HTTP API. As background info: The client runs as a Windows service. Here ClientId & ClientSecret are currently in the appsettings.json file.
I know that there are various approaches to solving this. I would be interested to know which you think is the best option so that even an admin user with access to this file cannot read this information?
Thanks, Adrian
8 Answer(s)
-
0
Hi,
Encrypted storage of
ClientSecretis reasonable. we will enhance it in the 8.2 version.Actually, ABP decrypts the
ClientSecretinternally but doesn't encrypt the storage, which is strange.
You can override the
AccountSettingsAppServiceclass[Dependency(ReplaceServices = true)] [ExposeServices(typeof(IAccountSettingsAppService))] public class MyAccountSettingsAppService : AccountSettingsAppService { public override async Task<AccountExternalProviderSettingsDto> GetExternalProviderAsync() { var settigns = await ExternalProviderSettingsHelper.GetAllAsync(); //TODO: Encrypt data return new AccountExternalProviderSettingsDto { Settings = settigns }; } public override async Task UpdateExternalProviderAsync(List<UpdateExternalProviderDto> input) { //TODO: Encrypt data If the data is not encrypted foreach (var setting in input) { await ExternalProviderSettingsHelper.SetAsync(new ExternalProviderSettings { Name = setting.Name, Enabled = setting.Enabled, Properties = setting.Properties, SecretProperties = setting.SecretProperties }); await CurrentUnitOfWork.SaveChangesAsync(); } } }You can consider using the string encryption system provided by ABP
https://docs.abp.io/en/abp/latest/String-Encryption
-
0
https://docs.abp.io/en/abp/latest/Settings#defining-settings
You can take existing settings and edit to encrypted storage
var externalProvidersSetting = context.GetOrNull(AccountSettingNames.ExternalProviders); externalProvidersSetting.IsEncrypted = true; -
0
You can take existing settings and edit to encrypted storage
var externalProvidersSetting = context.GetOrNull(AccountSettingNames.ExternalProviders); externalProvidersSetting.IsEncrypted = true;Thank you for this hint. I have to do this in MyAccountSettingsAppService, right?
-
1
Hi
You can modify existing settings definitions in the
SettingDefinitionProvider
-
0
This question has been automatically marked as stale because it has not had recent activity.
-
0
Hi
You can modify existing settings definitions in the
SettingDefinitionProviderThis does not work like this...
externalProvidersis null.Abp.Account.ExternalProvideris not in the list.These are the available setting definitions:
-
1
Hi,
Sorry for that,
Please try to add the
Volo.Abp.Account.Pro.Shared.Applicationto theDomainproject...... typeof(AbpAccountSharedApplicationModule) )] public class ....DomainModule : AbpModule
-
0
It works. Thank you very much @liangshiwei!
