oidc: add client_secret_file as alternative for client_secret

That way you don't have to leak your bind password into your config. Useful for e.g. NixOS where config is stored in a world-readable location. Tested against a live synapse instance with authentik as OIDC provider. Signed-off-by: Maximilian Bosch <[email protected]>
matrix-org · Jul 30, 2023 · fcdc6a6 · fcdc6a6
1 parent 68b2611
commit fcdc6a6
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
@@ -3170,6 +3170,10 @@ Options for each entry include:
 * `client_secret`: oauth2 client secret to use. May be omitted if
   `client_secret_jwt_key` is given, or if `client_auth_method` is 'none'.
 
+* `client_secret_file`: path to the oauth2 client secret to use. With that
+   it's not necessary to leak secrets into the config file itself.
+   Mutually exclusive with `client_secret`.
+
 * `client_secret_jwt_key`: Alternative to client_secret: details of a key used
    to create a JSON Web Token to be used as an OAuth2 client secret. If
    given, must be a dictionary with the following properties:

diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 from collections import Counter
+from os.path import isfile
 from typing import Any, Collection, Iterable, List, Mapping, Optional, Tuple, Type
 
 import attr
@@ -280,6 +281,24 @@ def _parse_oidc_config_dict(
         for x in oidc_config.get("attribute_requirements", [])
     ]
 
+    # check for `client_secret_file` vs `client_secret`
+    client_secret = oidc_config.get('client_secret')
+    client_secret_file = oidc_config.get('client_secret_file')
+    if client_secret_file is not None:
+        if client_secret is None:
+            if not isfile(client_secret_file):
+                raise ConfigError(
+                    "client_secret_file was specified, but doesn't point to a file!",
+                    config_path + ("client_secret_file",)
+                )
+            with open(client_secret_file, "r") as f:
+                client_secret = f.read().strip("\n")
+        else:
+            raise ConfigError(
+                "cannot specify both client_secret and client_secret_file",
+                config_path
+            )
+
     return OidcProviderConfig(
         idp_id=idp_id,
         idp_name=oidc_config.get("idp_name", "OIDC"),
@@ -288,7 +307,7 @@ def _parse_oidc_config_dict(
         discover=oidc_config.get("discover", True),
         issuer=oidc_config["issuer"],
         client_id=oidc_config["client_id"],
-        client_secret=oidc_config.get("client_secret"),
+        client_secret=client_secret,
         client_secret_jwt_key=client_secret_jwt_key,
         client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"),
         pkce_method=oidc_config.get("pkce_method", "auto"),