

Provide keyringName configuration to OIDC CredentialsProvider lookup
Co-authored-by: Sergey Beryozkin <[email protected]>
ryandens and sberyozkin committed Jun 18, 2024
1 parent 32b2b08 commit e2b829e
Showing 7 changed files with 36 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,8 @@ quarkus.oidc.client-id=quarkus-app
# This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc.credentials.client-secret.provider.key=mysecret-key
# this is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc.credentials.client-secret.provider.name=oidc-credentials-provider
----
Expand Down Expand Up @@ -165,6 +167,8 @@ quarkus.oidc.client-id=quarkus-app
# This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc.credentials.jwt.secret-provider.key=mysecret-key
# this is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc.credentials.jwt.secret-provider.name=oidc-credentials-provider
----
Original file line number Diff line number Diff line change
Expand Up @@ -725,6 +725,8 @@ quarkus.oidc-client.client-id=quarkus-app
# This key is used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc-client.credentials.client-secret.provider.key=mysecret-key
# this is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc-client.credentials.client-secret.provider.name=oidc-credentials-provider
----
Expand Down Expand Up @@ -757,6 +759,8 @@ quarkus.oidc-client.client-id=quarkus-app
# This is a key that will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc-client.credentials.jwt.secret-provider.key=mysecret-key
# this is the keyring provided to the CredentialsProvider when looking up the secret, set only if required by the CredentialsProvider implementation
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc-client.credentials.jwt.secret-provider.name=oidc-credentials-provider
----
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,5 @@ quarkus.oidc.credentials.secret=secret
quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.credentials.client-secret.provider.name=vault-secret-provider
quarkus.oidc-client.credentials.client-secret.provider.keyring-name=oidc
quarkus.oidc-client.credentials.client-secret.provider.key=secret-from-vault
Original file line number Diff line number Diff line change
Expand Up @@ -467,12 +467,22 @@ public void setAssertion(boolean assertion) {
public static class Provider {

/**
* The CredentialsProvider name, which should only be set if more than one CredentialsProvider is
* The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is
* registered
*/
@ConfigItem
public Optional<String> name = Optional.empty();

/**
* The CredentialsProvider keyring name, which should always be set when using a CredentialsProvider
* to provide a secret key to this extension. The keyring name is only required when the CredentialsProvider being
* used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is
* shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret
* manager
*/
@ConfigItem
public Optional<String> keyringName = Optional.empty();

/**
* The CredentialsProvider client secret key
*/
Expand All @@ -487,6 +497,14 @@ public void setName(String name) {
this.name = Optional.of(name);
}

public Optional<String> getKeyringName() {
return keyringName;
}

public void setKeyringName(String keyringName) {
this.keyringName = Optional.of(keyringName);
}

public Optional<String> getKey() {
return key;
}
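Review bot: The new Javadoc on `keyringName` contradicts itself: the first sentence says the keyring name "should always be set when using a CredentialsProvider", the next says it "is only required when the CredentialsProvider being used requires" it. Since the config snippets in this commit describe it as optional, drop the first clause and lead with the condition, e.g. `The CredentialsProvider keyring name. Set it only if the CredentialsProvider implementation needs a keyring to look up the secret, which is common when one provider is shared by several extensions backed by a vault or secret manager.` The Provider class opens in the first hunk but its body continues past the second. Worth checking the documentation snippets against this field as well: three of them spell the key as `quarkus.oidc.credentials.client-secret.provider.keyring-name` inside sections whose other keys use the `jwt.secret-provider` or `quarkus.oidc-client` prefix, which looks like a copy-paste slip.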
Original file line number Diff line number Diff line change
Expand Up @@ -319,10 +319,9 @@ private static Supplier<? extends String> fromCredentialsProvider(Provider provi
public String get() {
if (provider.key.isPresent()) {
String providerName = provider.name.orElse(null);
String keyringName = provider.keyringName.orElse(null);
CredentialsProvider credentialsProvider = CredentialsProviderFinder.find(providerName);
if (credentialsProvider != null) {
return credentialsProvider.getCredentials(providerName).get(provider.key.get());
}
return credentialsProvider.getCredentials(keyringName).get(provider.key.get());
}
return null;
}
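Review bot: The rewritten body calls `credentialsProvider.getCredentials(keyringName)` directly on the result of `CredentialsProviderFinder.find(providerName)`, dropping the `credentialsProvider != null` guard the removed lines had, so a misconfigured or missing provider now surfaces as a NullPointerException instead of the previous `return null`; unless `find` is known to throw on a miss (not visible here), keep `if (credentialsProvider == null) { return null; }` before the call. Separately, when `keyring-name` is unset the provider now receives `null` where it used to receive the provider name, so any existing CredentialsProvider that keyed its lookup on that argument will stop returning the secret; if that break is intentional it deserves a note in the field Javadoc, otherwise `String keyringName = provider.keyringName.orElse(providerName);` preserves the old behaviour as a fallback. The enclosing `fromCredentialsProvider` supplier starts before this hunk and continues after it.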
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,11 @@ public class SecretProvider implements CredentialsProvider {

@Override
public Map<String, String> getCredentials(String credentialsProviderName) {
return Collections.singletonMap("secret-from-vault", "secret");
if ("oidc".equals(credentialsProviderName)) {
return Collections.singletonMap("secret-from-vault", "secret");
} else {
return Map.of();
}
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus
quarkus.oidc.tenant-enabled=false
quarkus.oidc.client-id=${oidc.client-id}
quarkus.oidc.credentials.client-secret.provider.name=vault-secret-provider
quarkus.oidc.credentials.client-secret.provider.keyring-name=oidc
# This is a wrong client secret key, will be updated to 'secret-from-vault' in the dev mode test
quarkus.oidc.credentials.client-secret.provider.key=secret-from-vault-typo
quarkus.oidc.application-type=web-app
