From 23ef2c330612d517c39f5d204ce8e7ca84641ee0 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Date: Fri, 24 Oct 2025 18:47:55 +0300 Subject: [PATCH] Add environment variable support for OIDC client secret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add support for loading OIDC client secret from TOOLHIVE_OIDC_CLIENT_SECRET environment variable. This enables Kubernetes-native secret injection via SecretKeyRef in future operator enhancements. The change is backward compatible - if the environment variable is not set, the behavior remains unchanged (uses config.ClientSecret as before). This is preparatory work for adding SecretKeyRef support to InlineOIDCConfig in the operator, which will be implemented in a follow-up PR. Related to #2321 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 pkg/auth/token.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pkg/auth/token.go b/pkg/auth/token.go
index c35d8b36f..ab84ca0be 100644
--- a/pkg/auth/token.go
+++ b/pkg/auth/token.go
@@ -9,6 +9,7 @@ import (
 "io"
 "net/http"
 "net/url"
+ "os"
 "strconv"
 "strings"
 "sync"
@@ -541,6 +542,14 @@ func NewTokenValidator(ctx context.Context, config TokenValidatorConfig) (*Token
 registry.AddProvider(NewGoogleProvider(config.IntrospectionURL))
 }
 
+ // Load client secret from environment variable if not provided in config
+ // This allows secrets to be injected via Kubernetes Secret references
+ if config.ClientSecret == "" {
+ if envSecret := os.Getenv("TOOLHIVE_OIDC_CLIENT_SECRET"); envSecret != "" {
+ config.ClientSecret = envSecret
+ }
+ }
+
 // Add RFC7662 provider with auth if configured
 if config.ClientID != "" || config.ClientSecret != "" {
 rfc7662Provider, err := NewRFC7662ProviderWithAuth(
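Review bot: The fallback at `if config.ClientSecret == "" {` reads a process-global variable into a per-call config, so if NewTokenValidator is ever built more than once in one process with different IntrospectionURLs, the same TOOLHIVE_OIDC_CLIENT_SECRET would be sent to every introspection endpoint; the comment should state that the variable is expected to apply to a single provider per process, or the fallback should be keyed on the issuer if the codebase can do that. It also fires when only the env var is set and ClientID is empty, which then satisfies `config.ClientID != "" || config.ClientSecret != ""` below and enables RFC7662 auth with a secret but no client ID (possible before, but now much easier to hit); narrowing it to `if config.ClientID != "" && config.ClientSecret == "" {` would make a secret-without-ID deployment fail loudly instead. Consider a debug log (never the value) when the secret is sourced from the environment so operators can tell which source won, and a comment noting that process environment is inherited by child processes and readable via /proc/<pid>/environ by same-user processes, which a Kubernetes SecretKeyRef env injection inherits. NewTokenValidator starts and ends outside this hunk.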