To enhance security and simplify credential management, PlainID supports referencing secrets for authentication when configuring PIP Data Sources. Instead of embedding sensitive values directly in configuration files, you can store them in a supported Secret Store and reference them securely. This approach supports automated secret rotation and reduces the risk of credential exposure.
The following sections explain how to use secret annotations in OAuth configurations and outline how secret management enables seamless updates without service interruption.
Using Secret Annotations in OAuth Configuration
In OAuth authentication, you can reference a secret from a secret store within the OAuth XML configuration file. The following example demonstrates how to use a secret annotation for the client-secret field:
<application-policy name="ps-auth2-massive">
  <authentication>
    <login-module code="com.plainid.pip.auth.oauth.clientcredential.OAuth20ClientCredentialLoginModule" flag="required">
      <module-option name="access-token-uri">https://login.microsoftonline.com/cd6168ed-fe82-4528-b2eb-4e030d322878/oauth2/v2.0/token</module-option>
      <module-option name="client-id">19f4ef6c-d0dd-42f0-844c-b529b609a171</module-option>
      <!-- Secret annotation: the value is fetched from the named Secret Store at runtime instead of being stored as a literal -->
      <module-option name="client-secret">{{store=AWS_SECRETS_MANAGER_STORE,key=path1/path2/key}}</module-option>
      <module-option name="scope">https://graph.microsoft.com/.default</module-option>
    </login-module>
  </authentication>
</application-policy>
Secret Management and Rotation
The Client Credentials settings use a secret stored in Secret Manager (SM) for token retrieval. Secrets typically have a longer lifespan than access tokens, and Secret Manager integration ensures seamless rotation without downtime. This allows for periodic secret updates without requiring manual configuration changes.
When integrating with a secret store, both the old and new secrets can be handled simultaneously. This allows for graceful secret transitions, avoiding disruptions when rotating credentials. The system automatically retrieves the latest valid secret, ensuring continuous operation.
Note: The secrets-mgmt Redis password does not currently support secret rotation or replacement.
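As an added illustration of the two sections above (this is not PlainID's own code), the following Python resolver parses the {{store=...,key=...}} annotation out of module-option values and resolves it against a constructed in-memory store in which the old and new secret versions coexist during rotation. The store contents, the secret_versions lookup and its newest-first ordering, and the token_endpoint_accepts callback are assumptions for the example, not PlainID's API.

```python
import re
import xml.etree.ElementTree as ET
# Annotation format from the page: {{store=<STORE_NAME>,key=<secret path>}}
ANNOTATION = re.compile(r"^\{\{store=(?P<store>[^,}]+),key=(?P<key>[^}]+)\}\}$")

# Constructed stand-in for a secret store such as AWS Secrets Manager: each key
# holds its versions oldest-to-newest, so old and new secrets coexist mid-rotation.
SECRET_STORES = {
    "AWS_SECRETS_MANAGER_STORE": {
        "path1/path2/key": ["old-client-secret", "new-client-secret"],
    }
}

# Constructed config fragment mirroring the page's OAuth login-module example.
SAMPLE_CONFIG = """<application-policy name="ps-auth2-massive">
  <authentication>
    <login-module code="com.plainid.pip.auth.oauth.clientcredential.OAuth20ClientCredentialLoginModule" flag="required">
      <module-option name="client-id">19f4ef6c-d0dd-42f0-844c-b529b609a171</module-option>
      <module-option name="client-secret">{{store=AWS_SECRETS_MANAGER_STORE,key=path1/path2/key}}</module-option>
    </login-module>
  </authentication>
</application-policy>"""
def parse_annotation(value):
    """Return (store, key) when value is a secret annotation, else None."""
    m = ANNOTATION.match(value.strip())
    return (m.group("store"), m.group("key")) if m else None

def secret_versions(store, key):
    """All currently valid versions of a secret, newest first (assumed lookup API)."""
    try:
        return list(reversed(SECRET_STORES[store][key]))
    except KeyError:
        raise LookupError(f"secret {key!r} not found in store {store!r}") from None

def resolve_module_options(xml_text):
    """Map option name -> value; annotations resolve to the newest valid secret."""
    resolved = {}
    for opt in ET.fromstring(xml_text).iter("module-option"):
        value = (opt.text or "").strip()
        ref = parse_annotation(value)
        resolved[opt.get("name")] = secret_versions(*ref)[0] if ref else value
    return resolved

def authenticate_with_rotation(store, key, token_endpoint_accepts):
    """Try the newest secret first; fall back to the previous one while rotating."""
    for candidate in secret_versions(store, key):
        if token_endpoint_accepts(candidate):
            return candidate
    return None
```

Literal option values pass through unchanged, so only annotated options ever touch the secret store, and a missing key fails loudly at resolution time rather than silently authenticating with the annotation text.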