Add `client_secret_path` as alternative for `client_secret` for OIDC config (#16030)

author: Maximilian Bosch <maximilian@mbosch.me> 2023-08-21 21:32:17 +0200
committer: GitHub <noreply@github.com> 2023-08-21 19:32:17 +0000
commit: d6ae4041a4c014a8c234f1afccc80867bf5b7df0 (patch)
tree: cf6c959146ed4bf2cef7d6a6b56e8e719099c27b /synapse
parent: Implements a task scheduler for resumable potentially long running tasks (#15... (diff)
download: synapse-d6ae4041a4c014a8c234f1afccc80867bf5b7df0.tar.xz
1 files changed, 15 insertions, 1 deletions
diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
index 77c1d1dc8e..574d6afb95 100644
--- a/synapse/config/oidc.py
+++ b/synapse/config/oidc.py
@@ -280,6 +280,20 @@ def _parse_oidc_config_dict(
         for x in oidc_config.get("attribute_requirements", [])
     ]
 
+    # Read from either `client_secret_path` or `client_secret`. If both exist, error.
+    client_secret = oidc_config.get("client_secret")
+    client_secret_path = oidc_config.get("client_secret_path")
+    if client_secret_path is not None:
+        if client_secret is None:
+            client_secret = read_file(
+                client_secret_path, config_path + ("client_secret_path",)
+            ).rstrip("\n")
+        else:
+            raise ConfigError(
+                "Cannot specify both client_secret and client_secret_path",
+                config_path + ("client_secret",),
+            )
+
     return OidcProviderConfig(
         idp_id=idp_id,
         idp_name=oidc_config.get("idp_name", "OIDC"),
@@ -288,7 +302,7 @@ def _parse_oidc_config_dict(
         discover=oidc_config.get("discover", True),
         issuer=oidc_config["issuer"],
         client_id=oidc_config["client_id"],
-        client_secret=oidc_config.get("client_secret"),
+        client_secret=client_secret,
         client_secret_jwt_key=client_secret_jwt_key,
         client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"),
         pkce_method=oidc_config.get("pkce_method", "auto"),
author	Maximilian Bosch <maximilian@mbosch.me>	2023-08-21 21:32:17 +0200
committer	GitHub <noreply@github.com>	2023-08-21 19:32:17 +0000
commit	d6ae4041a4c014a8c234f1afccc80867bf5b7df0 (patch)
tree	cf6c959146ed4bf2cef7d6a6b56e8e719099c27b /synapse
parent	Implements a task scheduler for resumable potentially long running tasks (#15... (diff)
download	synapse-d6ae4041a4c014a8c234f1afccc80867bf5b7df0.tar.xz