Accessing via ADS the vault for username/password 'secrets'


Simon Thompson

Jun 19, 2022, 9:53:10 PM
to TopBraid Suite Users
Hi All,

Has anyone used the internal EDG password manager to manage secrets within ADS scripts? I am trying to manage OKTA client secrets so that I can query/etc. other servers within the environment, without having to hardcode them into functions.

Simon.

Holger Knublauch

Jun 19, 2022, 10:02:13 PM
to topbrai...@googlegroups.com

Hi Simon,

if you use IO.http() to connect to a remote service, you should be able to use the argument securePasswordURL, which needs to start with one of the known URLs in secure storage. See the Script API panel's documentation or mouse-over IO.http() in the editor. Would this work for you or how else would you want to access the passwords?

Holger


Simon Thompson

Jun 20, 2022, 12:00:15 AM
to TopBraid Suite Users
Hi Holger,

I have tested this, and am not sure this will work. When working with OKTA tokens, you need to pass the client_id and client_secret in the body (data) of the request, so while I am using the IO.http() function in this case, I don't actually need a username and password for the URL per se.

I would like to be able to retrieve the password (secret) and then pass it as data to the auth server to get a token.

Simon.

Holger Knublauch

Jun 20, 2022, 12:06:11 AM
to topbrai...@googlegroups.com

The API does not offer a function to retrieve securely stored passwords as a string. This would IMHO violate the whole point of having secure storage, which is to encapsulate the password logic within Java code.

Holger

Simon Thompson

Jun 20, 2022, 12:17:23 AM
to TopBraid Suite Users
Hi Holger,

Yes, this makes sense; it just doesn't give us much room for supporting tokens over username/password pairs.

We will need to set up another separate secure mechanism to support this.

Simon.

TopQuadrant Support

Jun 20, 2022, 11:10:48 AM
to topbrai...@googlegroups.com
Hi Simon,

I'm not sure if this helps, but if you think of the client_id as the user, the client_secret as the password, and the authorization server (Okta) as the URL, then I think the secure storage vault should do what you need. Let's say your Okta server is surroundau.okta.com, and your client_id is simon. You would request the password (client_secret) for si...@surroundau.okta.com from EDG, and then you could send the client_id and client_secret in a token request to surroundau.okta.com (the authorization server). The authorization server responds with your token, and you use the token to access whatever service you need that requires it. All of this must be done over https, of course. Will something like this work?

-Ken
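As an added illustration of Ken's mapping (not TopBraid or ADS code, and not a reproduction of the IO.http() API), the stand-alone model below shows why treating client_id as the user and client_secret as the password works for an OAuth2 client_credentials request: the token endpoint accepts client authentication in an HTTP Basic Authorization header (RFC 6749 client_secret_basic), so a vault-backed HTTP helper can attach the secret without ever returning it to script code. The vault contents, the key "simon@surroundau.okta.com" (built from Ken's client_id/host example), and the Okta default token path are all constructed assumptions.

```javascript
// Constructed vault keyed by "user@host"; stands in for EDG secure storage.
const VAULT = new Map([
  ["simon@surroundau.okta.com", "constructed-client-secret-do-not-reuse"],
]);

// Stand-in for the secure store: resolves a securePasswordURL-style key and
// returns only an opaque Authorization header, never the raw secret string.
function basicAuthHeader(passwordKey) {
  const secret = VAULT.get(passwordKey);
  if (secret === undefined) throw new Error("no secret stored for " + passwordKey);
  const user = passwordKey.split("@")[0]; // client_id plays the role of the username
  return "Basic " + Buffer.from(user + ":" + secret, "utf8").toString("base64");
}

// Build the client_credentials token request. Client authentication travels in
// the Authorization header, so the form body carries no secret material at all.
// The /oauth2/default/v1/token path is an assumed Okta default-server path.
function buildTokenRequest(authServer, passwordKey, scope) {
  return {
    url: "https://" + authServer + "/oauth2/default/v1/token",
    method: "POST",
    headers: {
      "Authorization": basicAuthHeader(passwordKey),
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams({ grant_type: "client_credentials", scope }).toString(),
  };
}

// Defender's check: the secret must appear in neither the URL nor the body,
// which is what keeps it out of script variables, logs and request dumps.
function requestLeaksSecret(request, passwordKey) {
  const secret = VAULT.get(passwordKey);
  return request.url.includes(secret) || request.body.includes(secret);
}

// Example run (the helper that actually sends the request is out of scope here).
const exampleRequest = buildTokenRequest("surroundau.okta.com", "simon@surroundau.okta.com", "custom.read");
console.log(exampleRequest.body, requestLeaksSecret(exampleRequest, "simon@surroundau.okta.com"));
```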

