Great read! I have a question though that is yet to be answered. Even if I encrypt the credentials in the source code (when azure is off the table), can’t a malevolent hacker steal the encrypted credentials and use them to access the underlying systems the exact same way as the source code does?
The hacker can steal the encrypted credentials. But since you have them protected with a certificate using asymmetric encryption, let him/her have some base64 string. Without the corresponding private key from the certificate, it's worthless.
Or did I not understand you correctly?
Of course you need some useful key lengths... make them at least RSA4096 or 368 bit for elliptic curves.
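As an added illustration of the point made in this reply (example code, not from the article or the commenter), here is a small Go program that seals a connection string with an RSA-4096 public key using OAEP/SHA-256, prints the base64 blob that would be committed, and shows that a party who has the blob but not the matching private key cannot open it. The OAEP label, the sample connection string and the function names are assumptions made for the example; in a real deployment the key pair would come from the certificate store or an HSM rather than being generated at startup.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"log"
)

// oaepLabel binds a ciphertext to its purpose, so a blob sealed for one
// setting cannot be silently replayed as another. Assumed name, not from the article.
var oaepLabel = []byte("appsettings:ConnectionString")

// SealSecret encrypts a short secret (connection string, API key) with the
// certificate's public key using RSA-OAEP/SHA-256 and returns base64 text.
// That string is what ends up in source control; without the private key it
// is just an opaque blob.
func SealSecret(pub *rsa.PublicKey, secret string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(secret), oaepLabel)
	if err != nil {
		// OAEP holds at most k-2*hLen-2 bytes (446 for RSA-4096 with SHA-256);
		// longer payloads need hybrid encryption (random AES key sealed with RSA).
		return "", fmt.Errorf("seal: %w", err)
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenSecret reverses SealSecret. It only succeeds with the private key that
// matches the certificate the blob was sealed for, and with the same label.
func OpenSecret(priv *rsa.PrivateKey, sealed string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", fmt.Errorf("open: not valid base64: %w", err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
	if err != nil {
		// Wrong key, wrong label or tampered blob all end here.
		return "", fmt.Errorf("open: %w", err)
	}
	return string(pt), nil
}

// PublicKeyPEM is the half of the key pair that may live next to the code.
func PublicKeyPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

func main() {
	// Generated here only so the example runs offline; in production this is
	// the certificate's key pair from the machine/user store or an HSM.
	priv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		log.Fatal(err)
	}
	pemText, _ := PublicKeyPEM(&priv.PublicKey)
	fmt.Print(pemText)

	// Constructed sample secret; not a real credential.
	const connStr = "Server=db.internal;Database=app;User Id=app;Password=s3cr3t!"
	sealed, err := SealSecret(&priv.PublicKey, connStr)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("value safe to commit:", sealed)

	// Someone who clones the repo has the blob but not the private key; a
	// different key of the same size is the best they can do, and it fails.
	attacker, _ := rsa.GenerateKey(rand.Reader, 4096)
	if _, err := OpenSecret(attacker, sealed); err != nil {
		fmt.Println("without the matching private key:", err)
	}

	// The backend that holds the certificate's private key recovers the value.
	plain, err := OpenSecret(priv, sealed)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("backend recovered the original:", plain == connStr)
}
```

The decrypt step belongs in the backend process that owns the private key (where the comment above says such credentials are meant to live); shipping the private key with the code would put you back where you started.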
Actually I was thinking on the premise of the front end. The front end application needs to access a back end API which is protected, hence the need for credentials. If I encrypt the credentials, how does it help me? The credentials must be accessible by the front end (think of an Angular application); the front end must send them to the back end to get a JWT, and I can't think of why it makes any difference whether they are encrypted or not. Is there any solution to this problem? Thank you very much for your time and effort!
Ahhh... In the front end scenario, there is OAuth 2.0 to validate the user context and grant access. Then the backend(s) accept that token.
But these kind of credentials are not the focus of the article.
It is intended for backends to keep your credentials out of code.
Alright! I just brought this up because in this case you will also need a client_id and a client_secret, and finding the right place to store them so that the OAuth server is able to issue a token is a nightmare!
Well... if you use a client_id with a secret, then this should be in the backend. Otherwise use the user grant flow, or use both to have it validated (like in Azure) as the intersection of user and application rights.
If you put the client_id and its secret into the web front end and use this as the only access restriction, you might as well use an API without authentication/authorization.