on 2020 Dec 02 5:29 PM
Hi Experts,
It would be nice if someone could help me understand the behavior of service keys a little better.
I created several different service keys for the same instance, but I realized that the generated verificationkey and clientsecret are all the same. Moreover, I don't see any differences between these keys. Is this the right behavior, or is there a bug?
Additionally, I tried to restrict the authorisation by setting a scope. Am I able to use the parameters for this? Is this the right way of doing this?
xs create-service-key SERVICE_INSTANCE SERVICE_KEY [-c PARAMETERS]
xs create-service-key app.nephro-uaa extern-nephro-uaa -c "{\"scope\": \"test\"}"
Thanks
> Moreover, I don't see any differences between these keys. Is this the right behavior, or is there a bug?
This is not a bug. Service Brokers are not required to generate a unique set of credentials per service key. You will find that many services, both in XSA and on SAP Cloud Platform Cloud Foundry, do not generate unique credentials per service key.
Thanks for clarifying this!
But unfortunately, at the moment I don't see the sense in using different service keys that carry the same keys.
Maybe someone can also reply to my second question.
I was able to create the service key with a further parameter "scope", but I can't see this attribute within the resulting JSON object.
According to the motto "better late than never", I would like to point out that this is a security risk. A set of credentials includes not only the client secret but also the client id. If you generate (and use) the same id for different clients, it goes against the very definition of an "id".
About params for service keys, my assumption would be that params are only relevant for the credentials section. So "scope" wouldn't be taken into account.
One possible value, I guess:
{
"credential-type": "X509_GENERATED"
}
or
{
"credential-type": "X509_GENERATED",
"certificate": "abcd1234"
}
So your app can support access with client_secret and certificate, depending on the parameter given during creation.
But I haven't tried it.
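As an added example (not from this thread and not part of the xs CLI or any SAP tooling): a small Python check that parses the JSON returned for several service keys of one instance and reports which identity and secret fields are shared, i.e. which keys cannot be revoked independently of each other. The key names and all credential values are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample output, shaped like `xs service-key <instance> <key>` for
# three service keys of one xsuaa instance. All values are placeholders.
RAW_KEYS = {
    "extern-nephro-uaa": json.dumps({
        "clientid": "sb-app-placeholder", "clientsecret": "SECRET-PLACEHOLDER-A",
        "verificationkey": "PUBKEY-PLACEHOLDER-1", "url": "https://uaa.example.invalid"}),
    "partner-nephro-uaa": json.dumps({
        "clientid": "sb-app-placeholder", "clientsecret": "SECRET-PLACEHOLDER-A",
        "verificationkey": "PUBKEY-PLACEHOLDER-1", "url": "https://uaa.example.invalid"}),
    "cert-nephro-uaa": json.dumps({
        "clientid": "sb-app-placeholder", "credential-type": "x509",
        "certificate": "CERT-PLACEHOLDER", "verificationkey": "PUBKEY-PLACEHOLDER-1",
        "url": "https://uaa.example.invalid"}),
}

# Fields whose reuse across keys matters: the identity and the proof of identity.
IDENTITY_FIELDS = ("clientid",)
SECRET_FIELDS = ("clientsecret", "certificate")


def shared_values(raw_keys, fields):
    """Map field -> value -> sorted key names, keeping only values held by 2+ keys."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, raw in raw_keys.items():
        creds = json.loads(raw)
        for field in fields:
            if field in creds:
                seen[field][creds[field]].append(name)
    return {f: {v: sorted(n) for v, n in vals.items() if len(n) > 1}
            for f, vals in seen.items() if any(len(n) > 1 for n in vals.values())}


def non_revocable_keys(raw_keys):
    """Keys whose deletion revokes nothing: their secret is also held by another key."""
    shared = shared_values(raw_keys, SECRET_FIELDS)
    return sorted({name for groups in shared.values()
                   for names in groups.values() for name in names})


if __name__ == "__main__":
    for field, groups in shared_values(RAW_KEYS, IDENTITY_FIELDS + SECRET_FIELDS).items():
        for value, names in groups.items():
            print(f"{field} is shared by {', '.join(names)}")
    print("deleting one of these keys alone revokes nothing:", non_revocable_keys(RAW_KEYS))
```

Feed it the real `xs service-key` output for each key of an instance to see whether rotating a single key actually changes anything for the others.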