Storing 3rd party credentials

OX App Suite can access 3rd party services either with credential-based authentication or with OAuth-based access. The credentials, or respectively the OAuth tokens, for these systems therefore need to be stored in the OX App Suite database.

Potential Security Risk

Revealing the credentials of a 3rd party service or storage, e.g. by storing that information in the database in plain text. In the case of OAuth the impact of this flaw is limited: the affected user may revoke the granted application access at any time and/or disable individual granted features.

Current Implementation and Completeness

The OX App Suite middleware symmetrically encrypts every such piece of information in the database using AES with a configurable "salt" as key material. The salt may be the user's password (so the stored data cannot be decrypted without it) or any other form of hidden, private input. A second option is a static key, which is stored partly in a configuration file and partly compiled into the binaries. By default, password-based encryption is used (refer to the option com.openexchange.secret.secretSource in the file secret.properties).
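The following is an added illustration of the scheme described above, not code from OX App Suite: a third-party credential is encrypted with AES, under a key derived either from the user's password or from a static secret joined from a configuration part and a compiled-in part. The key derivation (PBKDF2-HMAC-SHA256), the cipher mode (AES-GCM), the iteration count and the record layout are all assumptions made for the example; the page only states that AES and a configurable secret are used. Note that what the page calls a "salt" acts as the secret key input; the example additionally stores a random, non-secret per-record salt next to each ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	kdfIterations = 100000 // assumed work factor, not an OX setting
	saltLen       = 16
	keyLen        = 32 // AES-256
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) so that the
// example needs nothing outside the Go standard library.
func pbkdf2SHA256(secret, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, secret)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha256.New, secret)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// staticSecret models the second option in the text: a key that is partly
// read from a configuration file and partly compiled into the binary.
// Neither half alone is the secret; both are joined before derivation.
func staticSecret(configPart, binaryPart []byte) []byte {
	return append(append([]byte(nil), configPart...), binaryPart...)
}

func newGCM(secret, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(secret, salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptCredential seals a 3rd party credential under a key derived from
// secret (the user's password or the static secret). The stored record is
// salt || nonce || ciphertext+tag; salt and nonce are random per record.
func encryptCredential(secret, credential []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(secret, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	record := append(salt, nonce...)
	return gcm.Seal(record, nonce, credential, nil), nil
}

// decryptCredential reverses encryptCredential. A wrong secret does not
// produce garbage: the GCM tag check fails and an error is returned.
func decryptCredential(secret, record []byte) ([]byte, error) {
	if len(record) < saltLen {
		return nil, errors.New("record too short")
	}
	salt, rest := record[:saltLen], record[saltLen:]
	gcm, err := newGCM(secret, salt)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample values; nothing here comes from a real deployment.
	password := []byte("correct horse battery staple")
	record, _ := encryptCredential(password, []byte("oauth-refresh-token-EXAMPLE"))
	fmt.Printf("stored %d bytes; no plaintext token reaches the database\n", len(record))
	if _, err := decryptCredential([]byte("wrong password"), record); err != nil {
		fmt.Println("wrong password:", err)
	}
}
```

With the password-derived variant, a record can only be opened while the user's password is available to the middleware; a credential encrypted this way is not recoverable by anyone who does not hold that password, which is exactly the property the text relies on.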