
Commit a48b3e2

Merge pull request #26 from itk-dev/feature/fix_defaults
Set default for ADMIN_OIDC_ALLOW_HTTP to false
2 parents 3e33465 + 93e8b18 commit a48b3e2

2 files changed

Lines changed: 5 additions & 2 deletions


CHANGELOG.md

Lines changed: 3 additions & 0 deletions
@@ -5,6 +5,9 @@ All notable changes to this project will be documented in this file.
55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
66
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
77

8+
## [Unreleased]
9+
- Set default for ADMIN_OIDC_ALLOW_HTTP to false in README to prevent unsafe settings in production
10+
811
## [4.0.1] - 2025-01-16
912
- Fix doctrine/orm require
1013
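Review bot: the changelog entry (line 9+) overstates what changed; the bundle's own default was already false (the README comment "# Defaults to false" under allow_http is unchanged context in the README hunk), and what this PR actually changes is the sample value in the README's example .env from ADMIN_OIDC_ALLOW_HTTP=true to false. Suggest wording it as "Set ADMIN_OIDC_ALLOW_HTTP=false in the README example .env so copied configuration does not enable plain-HTTP IdP traffic in production", so readers do not read it as a behavioural change in the library.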

README.md

Lines changed: 2 additions & 2 deletions
@@ -71,7 +71,7 @@ itkdev_openid_connect:
7171
# Optional: Specify leeway (seconds) to account for clock skew between provider and hosting
7272
# Defaults to 10
7373
leeway: '%env(int:ADMIN_OIDC_LEEWAY)%'
74-
# Optional: Allow http requests (used for mocking a IdP)
74+
# Optional: Allow (non-secure) http requests (used for mocking a IdP). NOT RECOMMENDED FOR PRODUCTION.
7575
# Defaults to false
7676
allow_http: '%env(bool:ADMIN_OIDC_ALLOW_HTTP)%'
7777
user:
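Review bot: grammar on line 74+: "a IdP" should be "an IdP" (carried over from the old line). Beyond that, "Allow (non-secure) http requests" still does not say which requests the flag affects; since the same config block takes the provider's metadata URL from the environment, a reader cannot tell whether this governs the metadata/discovery fetch, the token exchange, or both. Suggest naming the affected endpoints in the comment, e.g. "Allow plain http:// URLs for the IdP metadata and token endpoints (only for a local mock IdP). NOT RECOMMENDED FOR PRODUCTION." so the warning is actionable rather than generic.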
@@ -96,7 +96,7 @@ ADMIN_OIDC_CLIENT_ID=ADMIN_APP_CLIENT_ID
9696
ADMIN_OIDC_CLIENT_SECRET=ADMIN_APP_CLIENT_SECRET
9797
ADMIN_OIDC_REDIRECT_URI=ADMIN_APP_REDIRECT_URI
9898
ADMIN_OIDC_LEEWAY=30
99-
ADMIN_OIDC_ALLOW_HTTP=true
99+
ADMIN_OIDC_ALLOW_HTTP=false
100100
101101
# "user" open id connect configuration variables
102102
USER_OIDC_METADATA_URL=USER_APP_METADATA_URL
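Review bot: line 99+ now sets the example to the safe value, which is the right fix, but the README should also say what happens when the variable is omitted: the config wires allow_http unconditionally to '%env(bool:ADMIN_OIDC_ALLOW_HTTP)%', so "Defaults to false" in the comment only holds if the env var is actually defined (or a default is declared for it); with the variable absent, Symfony fails to resolve the env placeholder rather than falling back to false. Suggest a one-line note next to the example that the variable must be present and that only the string values the bool env processor treats as true (e.g. "true", "1") enable plain HTTP, so a stray value in a production .env is caught during review.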
