Encrypt secrets in database #33
Conversation
| $alias = $this->alias; | ||
| if (isset($this->data[$alias]['client_secret'])) { | ||
| $this->data[$alias]['client_secret'] = OAuthUtility::secure($this->data[$alias]['client_secret']); | ||
| } | ||
| return true; |
There was a problem hiding this comment.
Above chunk actually depends on #34
|
sigh needs more work and testing |
|
I really like this changeset
|
|
I've continued working on this and making more changes here. So far, I come to the following conclusion:
We don't have test yet, so I'm continually rebasing my branch to tests it against my
There are two scenarios that I can think of: beforeFind() and afterFind(). public function beforeFind($queryData) {
if (isset($queryData['conditions']['access_token'])) {
$queryData['conditions']['client_secret'] = OAuthUtilty::hash($....['access_token'])
}
return $query;
}But I'm not to sure of automatically decrypting client_secret in Anyway, I hope to an update to this pull this afternoon. |
Currently, this class implements the shortcut for [en|de]cryption methods. In the future, this class would be used for the oauth-php interface implementations.
|
This depends on the fix-client-secret PR. The actual diff is: ca91a4a...1913409 The reroll is backward incompatible and contains the following changes:
Ideally, access_token should also be encrypted. But we'll need to encrypt with with fixed iv which is not good practice afaik. With auto-generated iv, it's difficult to retrieve access_token because the encrypted value will be different each time. Since, we're only encrypted Client.client_secret, I didn't make it a behavior. |
Easier to test/list clients records
Very good point but I think we can get round it as we would only decrypt if it was included in the find fields, so the most common code path that would use it is getClientCredentials, and here it doesn't ask for client secret. Hence, afterFind would be more like: public function afterFind($results, $primary = false) {
foreach ($results as $key => $val) {
if (isset($val[$this->alias]['client_secret'])) {
$results[$key][$this->alias]['client_secret'] = OAuthUtilty::decrypt($val[$this->alias]['client_secret']);
}
}
return $results;
}
The iv is derived from the key (the salt in the current implementation). The IV does not need to be secret, but does need to be unique (as Cake uses the CBC block cipher) so to get round this, we could either add an auto increment field to the clients table and use that zero padded (e.g. 000000000000001) or we could use something random (and again store it in the table) or use the client_id, although I suspect people override this and the default implementation isn't even very random. My preference would be the zero padded id, but this does add a level of complexity. |
This has been changed recently. The IV will be automatically created using If we want to pursue access tokens encryption, we would need to supply our own encrypt/decrypt methods internally in |
|
Why can't we just use Security::rijndael with the random iv? And, i'm confused, a previous comment outlines the following behaviours:
But this diff only covers client_secret encryption? |
Since using random IV will cause encrypted value of public function getAccessToken($oauth_token) {
$accessToken = $this->AccessToken->find('first', array(
'conditions' => array('oauth_token' => $oauth_token),
'recursive' => -1,
));
if ($accessToken) {
return $accessToken['AccessToken'];
}
return null;
}We will need to know the
Yes, The hashing changes is backward compatible and has been merged in ca91a4a. |
The access token is hashed, not encrypted? This would be true for getClientCredentials, however we could modify the implementation to get the client by id, decrypt the secret and check it matches? |
Yes. At the time I made this PR, it's only hashed. This particular PR enable encryption of
I'm not very familiar with OAuth2 protocol, but my understanding is that a request only need either That's basically what I'm having problem with. If this is allowed by the spec, I can certainly adjust it so that we can encrypt both |
|
I think we (me) may have our wires crossed - in my opinion, the ideal would be to encrypt client_secret and hash access_token. Where we are at the moment is that access_token's are hashed (I do not want to change this) and client_secret is encrypted. If the IV issue has been resolved in cake core (as per your link), then the only thing I think needs changing is to add automatic decryption of client_secret in afterFind (as per my previous comment) |
Ah, okay then. That's exactly where we will be when this gets in.
Yes. The IV is fixed in the core. I will adjust this PR as per your comment as soon as time permits. |
|
Awesome - sorry for the confusion |
|
@rchavik Is this still planned? |
|
@dereuromark I don't think I'll be able to polish this further to a mergable PR. Also, I'm not sure yet how it would fit/look with the next version that thom had in mind. |
This changeset addresses issue #26:
name,createdandmodifiedfields forclientsOAuthUtilityclass and trying to be BC. This class would also later be used to implement the oauth-php interface methods.Note: