• Resolved svyatoslavnetrunner

    (@svyatoslavnetrunner)


    Hi,

    Your plugin is absolutely brilliant! I really enjoyed your coding style too. It seems as if you’ve anticipated every possible use case, which is extraordinary.

    I have one question though. Suppose I want to store credentials for external services in some secure location, such as AWS Secrets Manager. Is there a way to override these settings using wp-config.php constants?

    Thank you!

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Paul Ryan

    (@figureone)

    Thanks! That’s a great idea, we’ll work on implementing it.

    Are you thinking constants for every authorizer setting, or just the credential fields like
    define( 'AUTHORIZER_GOOGLE_CLIENT_ID', 'asdf.apps.googleusercontent.com' );

    It could also get messy in multisite environments that have different credentials on different subsites, e.g.

    define( 'AUTHORIZER_BLOG_2_GOOGLE_CLIENT_SECRET', 'asdf' );
    define( 'AUTHORIZER_BLOG_3_GOOGLE_CLIENT_SECRET', 'zxcv' );
    Thread Starter svyatoslavnetrunner

    (@svyatoslavnetrunner)

    You’re welcome! I think it would be useful for every place that needs to input credentials (not to store it in code).

    As for multisite environment, I haven’t worked much with it, but I guess it could be something like:
    define( 'AUTHORIZER_'.get_current_blog_id(), ['AUTHORIZER_GOOGLE_CLIENT_SECRET' => 'asdf', 'AUTHORIZER_AWS_SM_SECRET' => 'zxcv'] );
    and later used as
    constant("AUTHORIZER_".get_current_blog_id())['AUTHORIZER_GOOGLE_CLIENT_SECRET'];

    Cheers!

    Plugin Author Paul Ryan

    (@figureone)

    Aloha, just giving a status update, we missed getting this one into v3.6.0 due out shortly (security release), but will be tackling this one for the next minor release. Stay tuned!

    Plugin Author Paul Ryan

    (@figureone)

    Aloha, we added filters and constants for the Google Client Secret and the OAuth2 Client Secret: https://github.com/uhm-coe/authorizer/commit/d547d01224ce60eb38a65c823952695c76190fbe

    This will be released with the next version (or you can clone from github to get it now if you want to test).

    You should be able to use the authorizer_google_client_secret filter to run your custom code that connects to AWS Secrets Manager to fetch the client secret (apologies, we don’t have any infrastructure running on AWS to test this).

    In your custom code you should be able to use composer to include the AWS SDK for PHP: https://packagist.org/packages/aws/aws-sdk-php

    And then your filter would look something like:

    add_filter( 'authorizer_google_client_secret', function ( $google_client_secret ) {
      // Fetch value from AWS Secrets Manager here.

      return $google_client_secret;
    } );

    This looks like an example of how to fetch secrets from AWS: https://stackoverflow.com/questions/61461264/aws-how-to-get-php-on-an-ec2-instance-to-read-a-secrets-manager-secret

    • This reply was modified 1 year, 2 months ago by Paul Ryan.
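A worked version of the filter described above, added here as an example and not code from the thread or from the Authorizer plugin. It assumes the AWS SDK for PHP is installed with composer under `ABSPATH . 'vendor/'`, that the web host has an instance role allowed to read the secret (so no keys are written into wp-config.php), and a constructed secret named `wordpress/authorizer` whose SecretString is JSON with a `google_client_secret` key; the region and secret name are assumptions to adjust.

```php
<?php
// Drop this in wp-content/mu-plugins/ so it loads before Authorizer runs the filter.
// Added example (not part of the Authorizer plugin); names below are assumptions.
require_once ABSPATH . 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

add_filter( 'authorizer_google_client_secret', function ( $google_client_secret ) {
	// Per-request cache: the filter may run more than once per page load, and
	// the secret must never be persisted in the options table or a transient.
	static $cached = null;
	if ( null !== $cached ) {
		return $cached;
	}

	try {
		$client = new SecretsManagerClient( [
			'version' => 'latest',
			'region'  => 'us-east-1', // assumption: set to the region holding the secret
			// No 'credentials' key: the SDK's default provider chain picks up the
			// instance/task role, so no long-lived keys live in the codebase.
		] );

		$result = $client->getSecretValue( [ 'SecretId' => 'wordpress/authorizer' ] ); // constructed name
		$data   = json_decode( $result['SecretString'] ?? '', true );

		if ( is_array( $data ) && ! empty( $data['google_client_secret'] ) ) {
			$cached = $data['google_client_secret'];
			return $cached;
		}

		// Secret exists but is missing the expected key: log the shape problem, not the payload.
		error_log( 'authorizer: secret wordpress/authorizer has no google_client_secret key' );
	} catch ( AwsException $e ) {
		// Log only the AWS error code (e.g. AccessDeniedException, ResourceNotFoundException);
		// never log the secret value or the raw response.
		error_log( 'authorizer: Secrets Manager lookup failed: ' . $e->getAwsErrorCode() );
	}

	// Fall back to whatever Authorizer already had (its stored option or constant),
	// so a Secrets Manager outage degrades to the previous behaviour rather than a blank secret.
	return $google_client_secret;
} );
```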
    Thread Starter svyatoslavnetrunner

    (@svyatoslavnetrunner)

    Aloha, Paul! Wow! Very nice!! Thank you for your hard work and dedication. We’ll test it the first chance we get and get back to you.

    Thread Starter svyatoslavnetrunner

    (@svyatoslavnetrunner)

    Hey Paul! 🙂

    Sorry it took some time to get back to you, you know how it is with business priority and stuff.

    So, apparently this feature doesn’t support LDAP yet, which we use. I was wondering if at some point you could add:

    AUTHORIZER_LDAP_USER
    AUTHORIZER_LDAP_PASSWORD

    Maybe around class-authentication.php:1100?

                if ( defined( 'AUTHORIZER_LDAP_USER' ) ) {
                    $auth_settings['ldap_user'] = \AUTHORIZER_LDAP_USER;
                }
                if ( defined( 'AUTHORIZER_LDAP_PASSWORD' ) ) {
                    $auth_settings['ldap_password'] = \AUTHORIZER_LDAP_PASSWORD;
                }

    At the moment we use the option_auth_settings filter to modify $params['ldap_user'] and $params['ldap_password'], which is not too sustainable. That would really help.

    Thank you!

    Plugin Author Paul Ryan

    (@figureone)

    Added those constants (and optional filters) here:

    https://github.com/uhm-coe/authorizer/commit/ca2b5e0b20e5efec0521b58546408677084db97a

    This will be included in the next release, due out shortly!

    Plugin Author Paul Ryan

    (@figureone)

    Aloha, version 3.6.2 is released with these changes, let us know if you run into any issues!

  • The topic ‘Storing external services credentials in AWS Secrets Manager’ is closed to new replies.