Bug: AD credentials get saved in plain text and are undeletable

I just realized that if I configure Active Directory in Radzen's security settings, the provided credentials get saved in plain text to server\appsettings.json.

But what's even worse is that when I disable this security measure, the plain-text username/password do not get deleted.

Now if I find the credentials while checking in my data, I probably want to undo it.
So I go into the Radzen security settings again, enable AD authorization, aaaaaand... the configured data is gone: the username/password fields are empty, it looks like nothing was ever configured, but the plain-text credentials stay in the files.

Indeed, the AD credentials are saved in the appsettings.json file. Those credentials are needed to authenticate against the AD server. Is this what you consider a bug, or the fact that the settings remain in appsettings.json after disabling AD security?

I consider plain-text saved credentials a security risk and undeletable credentials a bug. Sure, you can delete them manually, but you have to know about them staying there first...

How about you delete them when the auth settings change? When the app doesn't show them anymore, you are safe to delete that part in the files too.

I consider plain-text saved credentials a security risk

We are doing that to simplify development and deployment tasks. We could set passwords via environment variables, but this will only work during development.

Unfortunately, the officially supported ways to store secrets in .NET Core are either only for development (env variables and safe storage) or require a third-party service (Azure Key Vault storage).

How do you typically store secrets in your application? Perhaps the same mechanism can be used with Radzen.

How about you delete them when the auth-settings change?

We will do so!

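The check a deployer would want after reading the exchange above: scan the generated appsettings.json for credentials that are still on disk, report the environment variable that could carry each one instead, and write out a copy with the secret-named keys removed. This is an added example for the thread, not Radzen's code or anything the Radzen team posted; the sample file, including the Security:ActiveDirectory:Username/Password key names, is a constructed assumption and not Radzen's real configuration schema. The one .NET fact it relies on is the configuration convention that a colon-separated key path maps to an environment variable with `__` separators, which the default host builder reads after appsettings.json.

```python
"""Find and strip plain-text secrets left behind in an ASP.NET Core appsettings.json.

Added example for this thread, not Radzen's code. The sample document and its
Security:ActiveDirectory key names are constructed assumptions.
"""
import copy
import json
import re
import sys

# Constructed sample: AD authentication switched off, but the service account
# credentials and a connection-string password are still on disk.
SAMPLE_APPSETTINGS = """
{
  "Logging": { "LogLevel": { "Default": "Warning" } },
  "ConnectionStrings": {
    "Northwind": "Server=db;Database=Northwind;User Id=sa;Password=s3cret"
  },
  "Security": {
    "Enabled": false,
    "ActiveDirectory": {
      "Domain": "corp.example.com",
      "Username": "svc-radzen",
      "Password": "Hunter2!"
    }
  }
}
"""

# Key names that usually hold a secret, compared after lower-casing and
# dropping '_'/'-' so "api_key", "ApiKey" and "API-KEY" all match.
SECRET_KEY_HINTS = ("password", "passwd", "pwd", "secret", "apikey", "token")
# Secrets embedded in a value, e.g. "...;Password=..." inside a connection string.
SECRET_IN_VALUE = re.compile(r"(?i)\b(password|pwd|secret)\s*=")


def load_sample():
    return json.loads(SAMPLE_APPSETTINGS)


def walk(node, path=()):
    """Yield (path tuple, value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))
    else:
        yield path, node


def classify(path, value):
    """'key' if the leaf's name looks like a secret, 'value' if the string
    carries an embedded credential, None if it looks harmless."""
    if not isinstance(value, str) or not value:
        return None
    key = path[-1].lower().replace("_", "").replace("-", "")
    if any(hint in key for hint in SECRET_KEY_HINTS):
        return "key"
    if SECRET_IN_VALUE.search(value):
        return "value"
    return None


def find_plaintext_secrets(config):
    """Return [(colon path, environment variable name, kind)] for each hit.
    ':' in the key path becomes '__' (the .NET configuration convention), and the
    environment provider is read after appsettings.json, so the variable wins."""
    hits = []
    for path, value in walk(config):
        kind = classify(path, value)
        if kind:
            hits.append((":".join(path), "__".join(path), kind))
    return hits


def scrub_secrets(config):
    """Deep copy with secret-named leaves removed. Value-embedded secrets are only
    reported: deleting a whole connection string would break the app."""
    scrubbed = copy.deepcopy(config)
    for path, value in walk(config):
        if classify(path, value) != "key":
            continue
        parent = scrubbed
        for part in path[:-1]:
            parent = parent[part] if isinstance(parent, dict) else parent[int(part)]
        if isinstance(parent, dict):
            del parent[path[-1]]
        else:
            parent[int(path[-1])] = ""
    return scrubbed


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            config = json.load(handle)
    else:
        config = load_sample()
    hits = find_plaintext_secrets(config)
    for colon_path, env_name, kind in hits:
        print(f"[{kind}] {colon_path}: set environment variable {env_name} instead")
    print(json.dumps(scrub_secrets(config), indent=2))
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_appsettings.py server/appsettings.json` before committing; a non-zero exit code makes it usable as a pre-commit hook. The scrubbed output keeps the non-secret parts of the AD section (domain, username), so the app still starts once the password is supplied through the printed environment variable name or a secrets provider.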

I am by far no expert in that matter, so I cannot give any reasonably good input on the storage question. But if the state of the credentials (existing or not) is reflected in the application, I think the most important part is done.