From 114fd29c77ed5e70442c5daa1698fd4854cd3cce Mon Sep 17 00:00:00 2001 From: Ryan Dens Date: Tue, 18 Jun 2024 09:35:46 -0700 Subject: [PATCH] Provide keyringName configuration to OIDC CredentialsProvider lookup Co-authored-by: Sergey Beryozkin --- ...ecurity-oidc-code-flow-authentication.adoc | 4 ++++ ...urity-openid-connect-client-reference.adoc | 4 ++++ ...ication-oidc-client-credentials.properties | 1 + .../oidc/common/runtime/OidcCommonConfig.java | 20 ++++++++++++++++++- .../oidc/common/runtime/OidcCommonUtils.java | 5 ++--- .../io/quarkus/oidc/test/SecretProvider.java | 6 +++++- .../resources/application-dev-mode.properties | 1 + 7 files changed, 36 insertions(+), 5 deletions(-) diff --git a/docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc b/docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc index 15ecefed83af4..761f861e5a680 100644 --- a/docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc +++ b/docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc @@ -133,6 +133,8 @@ quarkus.oidc.client-id=quarkus-app # This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider quarkus.oidc.credentials.client-secret.provider.key=mysecret-key +# This is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation +quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc # Set it only if more than one CredentialsProvider can be registered quarkus.oidc.credentials.client-secret.provider.name=oidc-credentials-provider ---- 
@@ -165,6 +167,8 @@ quarkus.oidc.client-id=quarkus-app # This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider quarkus.oidc.credentials.jwt.secret-provider.key=mysecret-key +# This is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation +quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc # Set it only if more than one CredentialsProvider can be registered quarkus.oidc.credentials.jwt.secret-provider.name=oidc-credentials-provider ---- diff --git a/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc b/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc index 6bceac124346a..73ccafa26060b 100644 --- a/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc +++ b/docs/src/main/asciidoc/security-openid-connect-client-reference.adoc @@ -725,6 +725,8 @@ quarkus.oidc-client.client-id=quarkus-app # This key is used to retrieve a secret from the map of credentials returned from CredentialsProvider quarkus.oidc-client.credentials.client-secret.provider.key=mysecret-key +# This is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation +quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc # Set it only if more than one CredentialsProvider can be registered quarkus.oidc-client.credentials.client-secret.provider.name=oidc-credentials-provider ---- 
@@ -757,6 +759,8 @@ quarkus.oidc-client.client-id=quarkus-app # This is a key that will be used to retrieve a secret from the map of credentials returned from CredentialsProvider quarkus.oidc-client.credentials.jwt.secret-provider.key=mysecret-key +# This is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation +quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc # Set it only if more than one CredentialsProvider can be registered quarkus.oidc-client.credentials.jwt.secret-provider.name=oidc-credentials-provider ---- diff --git a/extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials.properties b/extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials.properties index fa819fb5570e1..15d8fef4f398c 100644 --- a/extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials.properties +++ b/extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials.properties @@ -5,4 +5,5 @@ quarkus.oidc.credentials.secret=secret quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url} quarkus.oidc-client.client-id=${quarkus.oidc.client-id} quarkus.oidc-client.credentials.client-secret.provider.name=vault-secret-provider +quarkus.oidc-client.credentials.client-secret.provider.keyring-name=oidc quarkus.oidc-client.credentials.client-secret.provider.key=secret-from-vault \ No newline at end of file diff --git a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java index 3bd6aef0eac40..59520713f129f 100644 --- a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java +++ b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java 
@@ -467,12 +467,22 @@ public void setAssertion(boolean assertion) { public static class Provider { /** - * The CredentialsProvider name, which should only be set if more than one CredentialsProvider is + * The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is * registered */ @ConfigItem public Optional name = Optional.empty(); + /** + * The CredentialsProvider keyring name. + * The keyring name is only required when the CredentialsProvider being + * used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is + * shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret + * manager + */ + @ConfigItem + public Optional keyringName = Optional.empty(); + /** * The CredentialsProvider client secret key */ @@ -487,6 +497,14 @@ public void setName(String name) { this.name = Optional.of(name); } + public Optional getKeyringName() { + return keyringName; + } + + public void setKeyringName(String keyringName) { + this.keyringName = Optional.of(keyringName); + } + public Optional getKey() { return key; } diff --git a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java index 573136997bd8e..eb6d4df5c5f03 100644 --- a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java +++ b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java 
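Review bot: The new `keyringName` Javadoc does not say what is passed to `CredentialsProvider.getCredentials` when the property is unset, nor that the provider bean `name` is no longer forwarded there, which is the behaviour change users of existing providers need to know about. Suggest closing the Javadoc with `When not set, a null keyring name is passed to the CredentialsProvider; the provider bean name is not used for the lookup.` and finishing the last sentence with a period after `manager`. The documentation examples added in security-oidc-code-flow-authentication.adoc and security-openid-connect-client-reference.adoc also appear to use `quarkus.oidc.credentials.client-secret.provider.keyring-name` inside the `quarkus.oidc-client.` and `jwt.secret-provider` examples, so a reader copying them would set a key that this configuration class does not read for those cases. The `Provider` class and its `key` field continue outside the hunk.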
@@ -319,10 +319,9 @@ private static Supplier fromCredentialsProvider(Provider provi public String get() { if (provider.key.isPresent()) { String providerName = provider.name.orElse(null); + String keyringName = provider.keyringName.orElse(null); CredentialsProvider credentialsProvider = CredentialsProviderFinder.find(providerName); - if (credentialsProvider != null) { - return credentialsProvider.getCredentials(providerName).get(provider.key.get()); - } + return credentialsProvider.getCredentials(keyringName).get(provider.key.get()); } return null; } diff --git a/extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/SecretProvider.java b/extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/SecretProvider.java index 54c04f4eb32f3..88446d8465c53 100644 --- a/extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/SecretProvider.java +++ b/extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/SecretProvider.java @@ -14,7 +14,11 @@ public class SecretProvider implements CredentialsProvider { @Override public Map getCredentials(String credentialsProviderName) { - return Collections.singletonMap("secret-from-vault", "secret"); + if ("oidc".equals(credentialsProviderName)) { + return Collections.singletonMap("secret-from-vault", "secret"); + } else { + return Map.of(); + } } } diff --git a/extensions/oidc/deployment/src/test/resources/application-dev-mode.properties b/extensions/oidc/deployment/src/test/resources/application-dev-mode.properties index faf2273824d87..6404454372c64 100644 --- a/extensions/oidc/deployment/src/test/resources/application-dev-mode.properties +++ b/extensions/oidc/deployment/src/test/resources/application-dev-mode.properties 
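Review bot: Dropping the `credentialsProvider != null` guard makes the new `return credentialsProvider.getCredentials(keyringName).get(provider.key.get());` line throw a NullPointerException if `CredentialsProviderFinder.find` can still return null, and even with a provider found, a missing map entry (which the test `SecretProvider` now produces for any keyring other than `oidc`) becomes a null secret with no diagnostic, so the client would be configured without a secret. Suggest failing fast instead: `Map<String, String> creds = credentialsProvider.getCredentials(keyringName);` then `String secret = creds == null ? null : creds.get(provider.key.get());` and throwing a `ConfigurationException` (the type this file uses elsewhere, if it is in scope here) that names the provider and key when `secret` is null. Switching the argument from `providerName` to `keyringName` also stops forwarding the bean name to providers that keyed their lookup on it; if that is intentional it should be stated in the `keyringName` Javadoc, otherwise `provider.keyringName.orElse(providerName)` would keep existing configurations working. The enclosing `fromCredentialsProvider` method and its anonymous Supplier begin and end outside the hunk.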
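Review bot: The `"oidc"` literal in the new `if` is duplicated between this test class and the `keyring-name` entries in application-dev-mode.properties and application-oidc-client-credentials.properties, so a rename on either side silently turns the lookup into an empty map rather than an obvious test failure; a `static final String KEYRING = "oidc";` with a comment pointing at those properties files would make the coupling visible. Stylistically the `else` after a `return` is redundant and the two branches mix `Collections.singletonMap` and `Map.of`: `if (!"oidc".equals(credentialsProviderName)) { return Map.of(); }` followed by `return Map.of("secret-from-vault", "secret");` reads more evenly. Since the argument is now the keyring name rather than the provider bean name, renaming the parameter to `keyringName` would document that as well.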
@@ -2,6 +2,7 @@ quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus
 quarkus.oidc.tenant-enabled=false
 quarkus.oidc.client-id=${oidc.client-id}
 quarkus.oidc.credentials.client-secret.provider.name=vault-secret-provider
+quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
 # This is a wrong client secret key, will be updated to 'secret-from-vault' in the dev mode test
 quarkus.oidc.credentials.client-secret.provider.key=secret-from-vault-typo
 quarkus.oidc.application-type=web-app