Using Secret Manager or OAuth2 Clients for API authorization

Ignition 8.3 Early Access
1

I would like to call APIs from Ignition 8.3 that require an OKTA token. Is there any way to use the new released features to not be in the need to either have the ClientID and Secret in as plain text in the script or to build an external service that handles the token renewal and secret encryption? Tried a couple of things but I am not able to get anything working yet.

2

From the Secrets Management front: new scripting APIs will be added in one of the first minor releases following 8.3.0 (hopefully 8.3.1 :crossed_fingers:). Planned APIs (subject to change):

  • system.secrets.encrypt(plaintext)
  • system.secrets.decrypt(ciphertext)
  • system.secrets.getProviders()
    • Browse a list of secret providers configured in the system. Each list entry includes the name, description, and type of the provider.
  • system.secrets.getSecrets(providerName)
    • Browse a list of secrets configured in a secret provider referenced by name. Each list entry includes the name of the secret.
  • system.secrets.readSecretValue(providerName, secretName)
    • Read the plaintext value of a secret given the name of the provider and the name of the secret in the provider.

The above APIs will give you the opportunity to either:

  1. Embed / hard-code your encrypted secrets and use the decrypt function to decrypt the ciphertext during script runtime
  2. Store your secrets in a secret provider and use the scripting function to read the secret's plaintext value during script runtime

I recommend approach #2 above as it is easier to manage your secrets if they are all in providers instead of sprawled all over the place.

If your token happens to be an OAuth2-based token, we have OAuth2 clients as a first-class Ignition feature, and we plan on adding scripting functions to interface with those in the future as well, which might give you another option.

8 Likes