Thanks! That’s a great idea, we’ll work on implementing it.
Are you thinking constants for every authorizer setting, or just the credential fields like
define( 'AUTHORIZER_GOOGLE_CLIENT_ID', 'asdf.apps.googleusercontent.com' );
It could also get messy in multisite environments that have different credentials on different subsites, e.g.
define( 'AUTHORIZER_BLOG_2_GOOGLE_CLIENT_SECRET', 'asdf' );
define( 'AUTHORIZER_BLOG_3_GOOGLE_CLIENT_SECRET', 'zxcv' );
You’re welcome! I think it would be useful for every place that needs to input credentials (not to store it in code).
As for multisite environment, I haven’t worked much with it, but I guess it could be something like:
define( 'AUTHORIZER_'.get_current_blog_id(), ['AUTHORIZER_GOOGLE_CLIENT_SECRET' => 'asdf', 'AUTHORIZER_AWS_SM_SECRET' => 'zxcv'] );
and later used as
constant("AUTHORIZER_".get_current_blog_id())['AUTHORIZER_GOOGLE_CLIENT_SECRET'];
Cheers!
Aloha, just giving a status update, we missed getting this one into v3.6.0 due out shortly (security release), but will be tackling this one for the next minor release. Stay tuned!
Aloha, we added filters and constants for the Google Client Secret and the OAuth2 Client Secret: https://github.com/uhm-coe/authorizer/commit/d547d01224ce60eb38a65c823952695c76190fbe
This will be released with the next version (or you can clone from github to get it now if you want to test).
You should be able to use the authorizer_google_client_secret filter to run your custom code that connects to AWS Secrets Manager to fetch the client secret (apologies, we don’t have any infrastructure running on AWS to test this).
In your custom code you should be able to use composer to include the AWS SDK for PHP: https://packagist.org/packages/aws/aws-sdk-php
And then your filter would look something like:
add_filter( 'authorizer_google_client_secret', function ( $google_client_secret ) {
	// Fetch value from AWS Secrets Manager here.
	return $google_client_secret;
} );
This looks like an example of how to fetch secrets from AWS: https://stackoverflow.com/questions/61461264/aws-how-to-get-php-on-an-ec2-instance-to-read-a-secrets-manager-secret
- This reply was modified 3 years, 2 months ago by Paul Ryan.
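One way to fill in that filter, as an added example that is not Paul's or Authorizer's own code: it pulls the Google client secret from AWS Secrets Manager with the AWS SDK for PHP, keeps it only in memory for the request, and falls back to the already-configured value if the lookup fails. The secret name, the AUTHORIZER_AWS_REGION constant and the JSON key are assumptions for your own deployment; the SDK is assumed to be installed via composer and to pick up AWS credentials from the instance role or environment.

```php
<?php
// Added example (not Authorizer's own code): resolve the Google client secret
// from AWS Secrets Manager via the authorizer_google_client_secret filter.
// Assumptions: the AWS SDK for PHP is installed with composer, AWS credentials
// come from the instance role or environment (not from wp-config.php), and the
// secret name, region constant and JSON key below are placeholders for your own.
require_once __DIR__ . '/vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

add_filter( 'authorizer_google_client_secret', function ( $google_client_secret ) {
	// Per-request cache: the filter can fire more than once per page load, and
	// a static keeps the secret in memory only (a transient would write it to
	// wp_options, which is exactly what this setup is trying to avoid).
	static $cached = null;
	if ( null !== $cached ) {
		return $cached;
	}

	try {
		$client = new SecretsManagerClient( [
			'version' => 'latest',
			'region'  => defined( 'AUTHORIZER_AWS_REGION' ) ? AUTHORIZER_AWS_REGION : 'us-east-1', // assumed constant
		] );
		$result = $client->getSecretValue( [ 'SecretId' => 'authorizer/google' ] ); // assumed secret name
	} catch ( AwsException $e ) {
		// Fall back to whatever is already configured; log only the error code,
		// never the secret value or the full response.
		error_log( 'Authorizer: Secrets Manager lookup failed: ' . $e->getAwsErrorCode() );
		return $google_client_secret;
	}

	// Secrets Manager returns either SecretString (plain text or JSON) or SecretBinary.
	$raw = isset( $result['SecretString'] ) ? $result['SecretString'] : base64_decode( $result['SecretBinary'] );

	// Accept a JSON secret such as {"google_client_secret":"..."} as well as a bare string.
	$data = json_decode( $raw, true );
	if ( is_array( $data ) && ! empty( $data['google_client_secret'] ) ) {
		$cached = $data['google_client_secret'];
	} elseif ( is_string( $raw ) && '' !== $raw ) {
		$cached = $raw;
	} else {
		return $google_client_secret; // empty secret: keep the configured value
	}

	return $cached;
} );
```

Put this in a small mu-plugin so it loads before Authorizer runs the filter, and grant the instance role only secretsmanager:GetSecretValue on that one secret.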
Aloha, Paul! Wow! Very nice!! Thank you for your hard work and dedication. We’ll test it the first chance we get and get back to you.
Hey Paul! 🙂
Sorry it took some time to get back to you, you know how it is with business priority and stuff.
So, apparently this feature doesn’t support LDAP yet, which we use. I was wondering if at some point you could add:
AUTHORIZER_LDAP_USER
AUTHORIZER_LDAP_PASSWORD
Maybe around class-authentication.php:1100?
if ( defined( 'AUTHORIZER_LDAP_USER' ) ) {
	$auth_settings['ldap_user'] = \AUTHORIZER_LDAP_USER;
}
if ( defined( 'AUTHORIZER_LDAP_PASSWORD' ) ) {
	$auth_settings['ldap_password'] = \AUTHORIZER_LDAP_PASSWORD;
}
At the moment we use the option_auth_settings filter to modify $params['ldap_user'] and $params['ldap_password'], which is not too sustainable. That would really help.
Thank you!
Added those constants (and optional filters) here:
https://github.com/uhm-coe/authorizer/commit/ca2b5e0b20e5efec0521b58546408677084db97a
This will be included in the next release, due out shortly!
Aloha, version 3.6.2 is released with these changes, let us know if you run into any issues!