Do we need to change app_password property if the authentication endpoint is hosted within the product as per the product-level security guidelines?

This is a general question regarding whether we need to change the app_password property if the authentication endpoint is hosted within the product, as mentioned under "Configuring client authentication" in https://is.docs.wso2.com/en/5.11.0/administer/product-level-security-guidelines/

The doc states that changes are required when the authentication endpoint is hosted externally. Can you share a recommendation for when it is not hosted externally? Note: We are using Identity Server v5.11.



Solution 1:[1]

It is always recommended to change the app_password, as the default password is known to everyone. The app_username & app_password are used to facilitate some backchannel calls that need administrative privileges. However, if it is not changed, anyone could use the app_username & app_password to access endpoints in the authentication & recovery portals. Since you're not hosting externally, directly changing app_password in the <IS_HOME>/repository/conf/deployment.toml would do.

The better approach is to change app_password and use a proxy to only expose needed endpoints from authentication & recovery portals.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Inthirakumaaran