Layer7 API Management


Text-format storage of OAuth Tokens and User Credentials (API Key/Secret) in the internal database

Kuldeep H posted Jul 23, 2024 07:31 AM

Data like OAuth tokens, keys and secrets are stored in text format in the databases that are internally integrated with gateways. Although data stored in the database can be accessed by the Gateway only, this point should always be mitigated by encrypting or masking such data when storing it in internal databases. Community, have a look into this and share your views.

Broadcom Employee Raju Gurram

@Kuldeep H Agree that secrets should be secured at rest using encryption.

In this case, OAuth client secrets must be secured either by encryption or hashing. I guess both OTK and Portal support this.

OAuth client keys: do we really need to secure them?

OAuth tokens (ID tokens, refresh tokens, access tokens, etc.) should be considered for extra protection conditionally. For example, securing them at rest can be ignored if they are short-lived in nature. Otherwise, we might need to consider securing them at rest as well. This can be voted on to see it in the product. How many of us are interested in this?!

Broadcom Employee Gregory Thompson

As mentioned by Raju, secret hashing is supported to protect the credentials. Encryption of tokens is not something that I've seen requested from other customers, but I would encourage you to post an idea here within the community to see if others are keen to have this supported. In some cases the entire DB can be set up for encryption, but if best practices are followed for short-lived tokens, or JWT tokens are used instead of opaque tokens, then the need for encryption is very low.
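As an added example (not code from the product or from any poster in this thread), here is the pattern Raju and Gregory describe, written in Python: client secrets are stored only as a salted, slow hash and checked in constant time, and opaque access tokens are short-lived and stored only by their SHA-256 digest, so a copy of the table yields neither plaintext secrets nor usable tokens. The in-memory dicts `CLIENT_TABLE` and `TOKEN_TABLE`, the functions `register_client`, `verify_client`, `issue_token`, `introspect_token` and `plaintext_in_store`, and the sample values are all hypothetical stand-ins for the gateway's internal database; nothing here reflects OTK's or Portal's actual schema.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stand-ins for the gateway's internal database tables (hypothetical).
CLIENT_TABLE = {}   # client_id -> {"salt": bytes, "secret_hash": bytes}
TOKEN_TABLE = {}    # sha256(token) hex -> {"client_id": str, "expires_at": float}


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted, memory-hard derivation: a leaked table cannot be reversed cheaply."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register_client(client_id: str, client_secret: str) -> dict:
    """Persist only the salt and the derived hash of the client secret, never the plaintext."""
    salt = os.urandom(16)
    CLIENT_TABLE[client_id] = {"salt": salt, "secret_hash": _derive(client_secret, salt)}
    return CLIENT_TABLE[client_id]


def verify_client(client_id: str, presented_secret: str) -> bool:
    """Re-derive and compare in constant time; an unknown client still pays one derivation."""
    row = CLIENT_TABLE.get(client_id)
    salt = row["salt"] if row else b"\x00" * 16
    expected = row["secret_hash"] if row else b"\x00" * 32
    candidate = _derive(presented_secret, salt)
    return row is not None and hmac.compare_digest(candidate, expected)


def issue_token(client_id: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Mint a short-lived opaque token; the table keeps only its SHA-256 and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_TABLE[hashlib.sha256(token.encode("utf-8")).hexdigest()] = {
        "client_id": client_id,
        "expires_at": now + ttl_seconds,
    }
    return token


def introspect_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Look the token up by digest; unknown or expired tokens yield None."""
    now = time.time() if now is None else now
    row = TOKEN_TABLE.get(hashlib.sha256(token.encode("utf-8")).hexdigest())
    if row is None or row["expires_at"] <= now:
        return None
    return row


def plaintext_in_store(value: str) -> bool:
    """Audit helper: True if the given plaintext appears anywhere in the stored rows."""
    return value in (repr(CLIENT_TABLE) + repr(TOKEN_TABLE))


if __name__ == "__main__":
    # Constructed sample values.
    register_client("app-1", "s3cret-constructed")
    print("correct secret accepted:", verify_client("app-1", "s3cret-constructed"))
    print("wrong secret rejected:", not verify_client("app-1", "wrong"))
    print("secret stored in plaintext:", plaintext_in_store("s3cret-constructed"))
    tok = issue_token("app-1", ttl_seconds=60, now=1000.0)
    print("valid within TTL:", introspect_token(tok, now=1030.0) is not None)
    print("rejected after TTL:", introspect_token(tok, now=1061.0) is None)
    print("token stored in plaintext:", plaintext_in_store(tok))
```

The two halves address the two points in the thread separately: a hash is enough for client secrets because the gateway only ever needs to verify them, while tokens get a plain SHA-256 (they are already high-entropy) plus a TTL, which is the "short-lived" mitigation Raju and Gregory rely on instead of full database encryption. The `plaintext_in_store` check is the kind of audit a reviewer would run against a database dump to confirm neither value is recoverable.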