This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add client_secret_path as alternative for client_secret for OIDC config #16030

Merged Aug 21, 2023 (3 commits)

@Ma27 Ma27 commented Jul 30, 2023

That way you don't have to leak your bind password into your config. Useful for e.g. NixOS where config is stored in a world-readable location.

Tested against a live synapse instance with authentik as OIDC provider.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Pull request includes a sign off
  • Code style is correct
    (run the linters)
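
The idea in the description above, as an added example that is not part of the pull request or Synapse's own code: a hypothetical `resolve_client_secret` helper that accepts either `client_secret` or `client_secret_path` from a provider block and refuses a secret file that other local users can access. The helper names, the `ConfigError` class, the permission policy and the sample secret are assumptions made for illustration.

```python
import os
import stat
import tempfile
from typing import Optional

class ConfigError(Exception):
    """The provider block is inconsistent or the secret file is unsafe."""

def resolve_client_secret(provider: dict) -> Optional[str]:
    """Return the client secret given inline or via client_secret_path."""
    inline = provider.get("client_secret")
    path = provider.get("client_secret_path")
    if inline is not None and path is not None:
        raise ConfigError("set only one of client_secret and client_secret_path")
    if path is None:
        return inline  # may be None when the block sets neither option
    with open(path, encoding="utf-8") as f:
        # fstat the open descriptor so the check and the read hit the same file.
        mode = os.fstat(f.fileno()).st_mode
        if not stat.S_ISREG(mode):
            raise ConfigError(f"{path}: not a regular file")
        if mode & stat.S_IRWXO:
            # Added policy (assumption): a secret any local user can read
            # is no better than one inlined in a world-readable config.
            raise ConfigError(f"{path}: accessible by other users "
                              f"(mode {stat.S_IMODE(mode):04o})")
        secret = f.read().rstrip("\n")  # editors and `echo` append a newline
    if not secret:
        raise ConfigError(f"{path}: secret file is empty")
    return secret

def write_secret(directory: str, name: str, mode: int) -> str:
    """Create a constructed sample secret file with the given mode."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as f:
        f.write("constructed-sample-secret\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        ok = write_secret(d, "oidc_secret", 0o600)
        print(resolve_client_secret({"idp_id": "authentik", "client_secret_path": ok}))
        try:
            resolve_client_secret({"client_secret_path": write_secret(d, "leaky", 0o644)})
        except ConfigError as e:
            print("rejected:", e)
```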

@clokep clokep left a comment

Looks pretty reasonable; I wish we had a more abstract way of doing this instead of manually each time we want something to be a file.

That way you don't have to leak your bind password into your config.
Useful for e.g. NixOS where config is stored in a world-readable
location.

Tested against a live synapse instance with authentik as OIDC provider.

Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
@clokep clokep requested review from clokep and a team August 14, 2023 12:02
@clokep clokep changed the title from "oidc: add client_secret_file as alternative for client_secret" to "Add client_secret_path as alternative for client_secret for OIDC config" Aug 15, 2023
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
Ma27 commented Aug 21, 2023

Added relevant notes and squashed this and the previous commit together :)

@clokep clokep left a comment

Thanks! Sorry for the back-and-forth here.

@clokep clokep enabled auto-merge (squash) August 21, 2023 16:31
@clokep clokep merged commit d6ae404 into matrix-org:develop Aug 21, 2023
39 checks passed
@Ma27 Ma27 deleted the oidc-client_secret_file branch August 21, 2023 19:33