Add `client_secret_path` as alternative for `client_secret` for OIDC config (#16030)
parent
358896e1b8
commit
d6ae4041a4
|
@ -0,0 +1 @@
|
||||||
|
Allow specifying `client_secret_path` as alternative to `client_secret` for OIDC providers. This avoids leaking the client secret in the homeserver config. Contributed by @Ma27.
|
|
@ -3204,6 +3204,14 @@ Options for each entry include:
|
||||||
|
|
||||||
* `client_secret`: oauth2 client secret to use. May be omitted if
|
* `client_secret`: oauth2 client secret to use. May be omitted if
|
||||||
`client_secret_jwt_key` is given, or if `client_auth_method` is 'none'.
|
`client_secret_jwt_key` is given, or if `client_auth_method` is 'none'.
|
||||||
|
Must be omitted if `client_secret_path` is specified.
|
||||||
|
|
||||||
|
* `client_secret_path`: path to the oauth2 client secret to use. With that
|
||||||
|
it's not necessary to leak secrets into the config file itself.
|
||||||
|
Mutually exclusive with `client_secret`. Can be omitted if
|
||||||
|
`client_secret_jwt_key` is specified.
|
||||||
|
|
||||||
|
*Added in Synapse 1.91.0.*
|
||||||
|
|
||||||
* `client_secret_jwt_key`: Alternative to client_secret: details of a key used
|
* `client_secret_jwt_key`: Alternative to client_secret: details of a key used
|
||||||
to create a JSON Web Token to be used as an OAuth2 client secret. If
|
to create a JSON Web Token to be used as an OAuth2 client secret. If
|
||||||
|
|
|
@ -280,6 +280,20 @@ def _parse_oidc_config_dict(
|
||||||
for x in oidc_config.get("attribute_requirements", [])
|
for x in oidc_config.get("attribute_requirements", [])
|
||||||
]
|
]
|
||||||
|
|
||||||
|
# Read from either `client_secret_path` or `client_secret`. If both exist, error.
|
||||||
|
client_secret = oidc_config.get("client_secret")
|
||||||
|
client_secret_path = oidc_config.get("client_secret_path")
|
||||||
|
if client_secret_path is not None:
|
||||||
|
if client_secret is None:
|
||||||
|
client_secret = read_file(
|
||||||
|
client_secret_path, config_path + ("client_secret_path",)
|
||||||
|
).rstrip("\n")
|
||||||
|
else:
|
||||||
|
raise ConfigError(
|
||||||
|
"Cannot specify both client_secret and client_secret_path",
|
||||||
|
config_path + ("client_secret",),
|
||||||
|
)
|
||||||
|
|
||||||
return OidcProviderConfig(
|
return OidcProviderConfig(
|
||||||
idp_id=idp_id,
|
idp_id=idp_id,
|
||||||
idp_name=oidc_config.get("idp_name", "OIDC"),
|
idp_name=oidc_config.get("idp_name", "OIDC"),
|
||||||
|
@ -288,7 +302,7 @@ def _parse_oidc_config_dict(
|
||||||
discover=oidc_config.get("discover", True),
|
discover=oidc_config.get("discover", True),
|
||||||
issuer=oidc_config["issuer"],
|
issuer=oidc_config["issuer"],
|
||||||
client_id=oidc_config["client_id"],
|
client_id=oidc_config["client_id"],
|
||||||
client_secret=oidc_config.get("client_secret"),
|
client_secret=client_secret,
|
||||||
client_secret_jwt_key=client_secret_jwt_key,
|
client_secret_jwt_key=client_secret_jwt_key,
|
||||||
client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"),
|
client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"),
|
||||||
pkce_method=oidc_config.get("pkce_method", "auto"),
|
pkce_method=oidc_config.get("pkce_method", "auto"),
|
||||||
|
|
Loading…
Reference in New Issue