diff --git a/defaults/main.yml b/defaults/main.yml
index 2c7f123..ed69327 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -56,6 +56,8 @@ hydra_log_leak_sensitive_values: no
 # Durée de vie des "refresh_token"
 hydra_ttl_refresh_token: "24h"
+hydra_bcrypt_cost: 8
+
 # This value should not be changed after first deployment !
 hydra_secrets_seed: "{{ inventory_hostname }}"
diff --git a/sso.schema.yml b/sso.schema.yml
index 27af98e..6699a0a 100644
--- a/sso.schema.yml
+++ b/sso.schema.yml
@@ -89,6 +89,10 @@ properties:
   hydra_ttl_refresh_token:
     type: string
+  hydra_brypt_cost:
+    type: number
+    description: Coût CPU pour calculer des hachages de secret (4-31)
+
   # This value should not be changed after first deployment !
   hydra_secrets_seed:
     type: string
diff --git a/templates/cadoles-pod-hydra-v1.conf.j2 b/templates/cadoles-pod-hydra-v1.conf.j2
index f98951a..129c495 100644
--- a/templates/cadoles-pod-hydra-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-v1.conf.j2
@@ -25,5 +25,6 @@ PODMAN_ARGS="\
 {% endif %}
 -e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
 -e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
+ -e 'HYDRA_BCRYPT_COST={{ hydra_bcrypt_cost }}' \
 -v /etc/hydra/clients.d:/etc/hydra/clients.d \
 "
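Review bot: `hydra_bcrypt_cost: 8` is added without a comment while every neighbouring variable in this stanza is documented, and the number is easy to misread as an arbitrary tuning knob. It is the bcrypt work factor used for hashing client secrets, so each decrement halves the cost of offline guessing against a leaked hash; 8 appears to be below Hydra's own default (10, if I recall the upstream configuration correctly) and the diff gives no reason for lowering it. I would add above the line `# bcrypt work factor for client-secret hashes (4-31); each +1 doubles the hashing time` and either keep the upstream default or state in that comment why a lower value is acceptable here. Unlike `hydra_secrets_seed` below, this value can be changed later because bcrypt stores the cost inside each hash, so no "do not change after deployment" warning is needed.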
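Review bot: The schema key is spelled `hydra_brypt_cost`, but the variable defined in defaults/main.yml and consumed by the template is `hydra_bcrypt_cost`, so the schema never validates the real variable (and, if the schema rejects unknown properties, would reject the correct one). While fixing the name, `type: number` admits floats such as 8.5, and the 4-31 range mentioned in the description is not enforced; `type: integer` with `minimum`/`maximum` makes the constraint machine-checked instead of advisory. The rewritten entry below keeps the existing description.

```yaml
  hydra_bcrypt_cost:
    type: integer
    minimum: 4
    maximum: 31
    description: Coût CPU pour calculer des hachages de secret (4-31)
```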
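Review bot: The added `-e 'HYDRA_BCRYPT_COST={{ hydra_bcrypt_cost }}'` renders whatever the variable holds with no coercion, so a string or float supplied from inventory reaches the container verbatim; `{{ hydra_bcrypt_cost | int }}` guarantees an integer in the rendered file, with the 4-31 range itself best enforced in the schema. Separately, the two context lines above pass `seed=hydra_secrets_seed` as a literal string inside the lookup term rather than the variable's value, which, if I read the lookup syntax correctly, means HYDRA_SECRETS_SYSTEM and the pairwise salt come out identical on every host and every deployment of this role regardless of `hydra_secrets_seed`; `'/dev/null length=32 seed=' ~ hydra_secrets_seed` would use the configured seed. That is pre-existing rather than introduced here, but it weakens the secrecy of the system secret this template is meant to provision, so it is worth a follow-up. The PODMAN_ARGS assignment begins before this hunk.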