Security
In general, most OAuth 2.0 security guidelines apply to Ory Polis as well, but there are a few minor differences.
Tenancy
OAuth 2.0 deployments typically run a single instance that all users log in through. SAML, by contrast, is configured per customer: each customer sets up a specific SAML connection with their Identity Provider. Access through that connection is limited to the users the customer's Identity Provider has provisioned, which adds another layer of control to the login flow.
Client secret
The Config API returns a `client_id` and `client_secret` that you can store for each customer and use when initiating the OAuth 2.0 flow. For convenience you can instead identify the connection by its `tenant` and `product`, which requires no additional data to be stored on your side. If you do this, set the `CLIENT_SECRET_VERIFIER` configuration rather than relying on the default dummy value. Knowledge of the `client_secret` alone is of limited use to an attacker because, as the next section explains, the tokens are short lived; it is nevertheless good practice to make the `client_secret` something that is actually secret.
For client-side logins we strongly recommend the PKCE flow, which Ory Polis supports. PKCE binds the authorization code to the client that requested it, so the login stays secure without exposing the `client_secret` in client-side code.
Tokens
The tokens generated by Ory Polis are short lived (the default is 5 minutes), which keeps the window for misuse small even if the `client_secret` is known. Your SAML provider ensures that there can be no unauthorized.
Software bill of materials reports
An SBOM (software bill of materials) is a list of the components in a piece of software. It is like the list of ingredients on a product and is quickly becoming a standard for software supply chain risk management. The ecosystem of tools that help you verify, scan and monitor your dependencies is growing.
Report standards
SBOM reports primarily use the SPDX and CycloneDX standards; Ory Polis publishes both formats.
Reports
SBOM reports are available for all versions >= 0.3.8.
You can find the SBOM reports as artifacts in the Ory container registry at the locations below. They are regenerated on every change to the codebase and tagged with the exact version we release.
| Location | Files | Context |
|---|---|---|
| `ghcr.io/ory/polis/sbom:service-<version>` | `sbom.spdx`, `sbom.cyclonedx` | Ory Polis service |
| `ghcr.io/ory/polis/sbom:npm-<version>` | `sbom.spdx`, `sbom.cyclonedx` | NPM package |
| `ghcr.io/ory/polis/sbom:docker-<version>` | `sbom.spdx`, `sbom.cyclonedx` | Docker image for the Ory Polis service |
You can use `oras` or a similar OCI artifacts tool to retrieve these files.

```shell
oras pull ghcr.io/ory/polis/sbom:service-<version>
```
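Once the files are pulled, the useful next step is to read them. The following is an added example and not tooling from the Ory Polis project: it normalises the two report formats into `name@version` sets so the two reports for one release can be cross-checked, or fed to a policy check of your own. It assumes the artifacts are the JSON serialisations of SPDX 2.x and CycloneDX 1.x (the files carry no extension, so confirm this before parsing); the sample documents inside it are constructed for the example and do not describe real Ory Polis dependencies.

```javascript
// Added example, not tooling from the Ory Polis project: normalise an SPDX
// and a CycloneDX report into name@version sets and compare them.
// Assumes JSON serialisation of both formats. The sample documents below are
// constructed for this example and are not real Ory Polis dependency data.

// Constructed CycloneDX document (what sbom.cyclonedx is assumed to contain).
// The application itself lives under metadata.component, not in components.
const CYCLONEDX_SAMPLE = JSON.stringify({
  bomFormat: 'CycloneDX',
  specVersion: '1.4',
  metadata: { component: { type: 'application', name: 'example-service', version: '0.0.0' } },
  components: [
    { type: 'library', name: 'pkg-a', version: '1.0.0', purl: 'pkg:npm/pkg-a@1.0.0' },
    { type: 'library', name: 'pkg-b', version: '2.3.1', purl: 'pkg:npm/pkg-b@2.3.1' },
  ],
});

// Constructed SPDX document (what sbom.spdx is assumed to contain). SPDX lists
// the described application as a package too; a DESCRIBES relationship from
// SPDXRef-DOCUMENT marks it, and it is dropped so only dependencies remain.
// pkg-c is deliberately present here only, to show the comparison working.
const SPDX_SAMPLE = JSON.stringify({
  spdxVersion: 'SPDX-2.3',
  SPDXID: 'SPDXRef-DOCUMENT',
  name: 'example-service',
  packages: [
    { SPDXID: 'SPDXRef-root', name: 'example-service', versionInfo: '0.0.0' },
    { SPDXID: 'SPDXRef-pkg-a', name: 'pkg-a', versionInfo: '1.0.0' },
    { SPDXID: 'SPDXRef-pkg-b', name: 'pkg-b', versionInfo: '2.3.1' },
    { SPDXID: 'SPDXRef-pkg-c', name: 'pkg-c', versionInfo: '0.9.0' },
  ],
  relationships: [
    { spdxElementId: 'SPDXRef-DOCUMENT', relationshipType: 'DESCRIBES', relatedSpdxElement: 'SPDXRef-root' },
  ],
});

// CycloneDX: every entry in components[] is a dependency.
function componentsFromCycloneDX(json) {
  const doc = JSON.parse(json);
  if (doc.bomFormat !== 'CycloneDX') throw new Error('not a CycloneDX document');
  return new Set((doc.components || []).map((c) => `${c.name}@${c.version ?? ''}`));
}

// SPDX: packages[] minus the package(s) the document DESCRIBES.
function packagesFromSpdx(json) {
  const doc = JSON.parse(json);
  if (!/^SPDX-2\./.test(doc.spdxVersion || '')) throw new Error('not an SPDX 2.x document');
  const described = new Set(
    (doc.relationships || [])
      .filter((r) => r.spdxElementId === 'SPDXRef-DOCUMENT' && r.relationshipType === 'DESCRIBES')
      .map((r) => r.relatedSpdxElement),
  );
  return new Set(
    (doc.packages || [])
      .filter((p) => !described.has(p.SPDXID))
      .map((p) => `${p.name}@${p.versionInfo ?? ''}`),
  );
}

// Symmetric difference: components present in exactly one of the two reports.
// Two reports generated for the same release should yield empty lists.
function diffSboms(a, b) {
  const onlyInA = [...a].filter((x) => !b.has(x)).sort();
  const onlyInB = [...b].filter((x) => !a.has(x)).sort();
  return { onlyInA, onlyInB };
}

function demo() {
  return diffSboms(componentsFromCycloneDX(CYCLONEDX_SAMPLE), packagesFromSpdx(SPDX_SAMPLE));
}

console.log(demo());
```

Against real reports you would read `sbom.cyclonedx` and `sbom.spdx` from the directory `oras pull` wrote to and pass their contents to the two parsers; a non-empty difference between the two formats for the same tag is worth investigating before trusting either report.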