Skip to content

Commit

Permalink
Merge pull request quarkusio#41293 from ryandens/ryandens/41265/oidc-…
Browse files Browse the repository at this point in the history 
…keyring-name

Provide keyringName configuration to OIDC CredentialsProvider lookup
  • Loading branch information
@sberyozkin
sberyozkin authored Jun 19, 2024
2 parents 74a9386 + 114fd29 commit 112c7c3
Show file tree
Hide file tree
Showing 7 changed files with 36 additions and 5 deletions.
4 changes: 4 additions & 0 deletions docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,8 @@ quarkus.oidc.client-id=quarkus-app
# This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc.credentials.client-secret.provider.key=mysecret-key
# This is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc.credentials.client-secret.provider.name=oidc-credentials-provider
----
Expand Down Expand Up @@ -165,6 +167,8 @@ quarkus.oidc.client-id=quarkus-app
# This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc.credentials.jwt.secret-provider.key=mysecret-key
# This is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc.credentials.jwt.secret-provider.name=oidc-credentials-provider
----
Expand Down
4 changes: 4 additions & 0 deletions docs/src/main/asciidoc/security-openid-connect-client-reference.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -725,6 +725,8 @@ quarkus.oidc-client.client-id=quarkus-app
# This key is used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc-client.credentials.client-secret.provider.key=mysecret-key
# This is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc-client.credentials.client-secret.provider.name=oidc-credentials-provider
----
Expand Down Expand Up @@ -757,6 +759,8 @@ quarkus.oidc-client.client-id=quarkus-app
# This is a key that will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc-client.credentials.jwt.secret-provider.key=mysecret-key
# This is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc-client.credentials.jwt.secret-provider.name=oidc-credentials-provider
----
Expand Down
1 change: 1 addition & 0 deletions .../oidc-client/deployment/src/test/resources/application-oidc-client-credentials.properties
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,5 @@ quarkus.oidc.credentials.secret=secret
quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.credentials.client-secret.provider.name=vault-secret-provider
quarkus.oidc-client.credentials.client-secret.provider.keyring-name=oidc
quarkus.oidc-client.credentials.client-secret.provider.key=secret-from-vault
20 changes: 19 additions & 1 deletion ...ns/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -467,12 +467,22 @@ public void setAssertion(boolean assertion) {
public static class Provider {

/**
* The CredentialsProvider name, which should only be set if more than one CredentialsProvider is
* The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is
* registered
*/
@ConfigItem
public Optional<String> name = Optional.empty();

/**
* The CredentialsProvider keyring name.
* The keyring name is only required when the CredentialsProvider being
* used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is
* shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret
* manager
*/
@ConfigItem
public Optional<String> keyringName = Optional.empty();

/**
* The CredentialsProvider client secret key
*/
Expand All @@ -487,6 +497,14 @@ public void setName(String name) {
this.name = Optional.of(name);
}

public Optional<String> getKeyringName() {
return keyringName;
}

public void setKeyringName(String keyringName) {
this.keyringName = Optional.of(keyringName);
}

public Optional<String> getKey() {
return key;
}
Expand Down
5 changes: 2 additions & 3 deletions ...ons/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -319,10 +319,9 @@ private static Supplier<? extends String> fromCredentialsProvider(Provider provi
public String get() {
if (provider.key.isPresent()) {
String providerName = provider.name.orElse(null);
String keyringName = provider.keyringName.orElse(null);
CredentialsProvider credentialsProvider = CredentialsProviderFinder.find(providerName);
if (credentialsProvider != null) {
return credentialsProvider.getCredentials(providerName).get(provider.key.get());
}
return credentialsProvider.getCredentials(keyringName).get(provider.key.get());
}
return null;
}
Expand Down
6 changes: 5 additions & 1 deletion extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/SecretProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,11 @@ public class SecretProvider implements CredentialsProvider {

@Override
public Map<String, String> getCredentials(String credentialsProviderName) {
return Collections.singletonMap("secret-from-vault", "secret");
if ("oidc".equals(credentialsProviderName)) {
return Collections.singletonMap("secret-from-vault", "secret");
} else {
return Map.of();
}
}

}
1 change: 1 addition & 0 deletions extensions/oidc/deployment/src/test/resources/application-dev-mode.properties
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus
quarkus.oidc.tenant-enabled=false
quarkus.oidc.client-id=${oidc.client-id}
quarkus.oidc.credentials.client-secret.provider.name=vault-secret-provider
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# This is a wrong client secret key, will be updated to 'secret-from-vault' in the dev mode test
quarkus.oidc.credentials.client-secret.provider.key=secret-from-vault-typo
quarkus.oidc.application-type=web-app
Expand Down

0 comments on commit 112c7c3

Please sign in to comment.