From b1197c0303cf84632ce8cff9e6d77352a2513eba Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Sun, 30 Jul 2023 22:16:46 +0200
Subject: [PATCH 1/3] oidc: add `client_secret_path` as alternative for `client_secret`
That way you don't have to leak your bind password into your config. Useful for e.g. NixOS where config is stored in a world-readable location. Tested against a live synapse instance with authentik as OIDC provider.
Signed-off-by: Maximilian Bosch
---
changelog.d/16030.feature | 1 +
docs/usage/configuration/config_documentation.md | 4 ++++
synapse/config/oidc.py | 16 +++++++++++++++-
3 files changed, 20 insertions(+), 1 deletion(-)
create mode 100644 changelog.d/16030.feature
diff --git a/changelog.d/16030.feature b/changelog.d/16030.feature
new file mode 100644
index 000000000000..fd8dbb1d33ac
--- /dev/null
+++ b/changelog.d/16030.feature
@@ -0,0 +1 @@
+Allow specifying `client_secret_path` as alternative to `client_secret` for OIDC providers. That way, the client secret doesn't need to be leaked into the homeserver config. Contributed by @Ma27.
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index 4e6fcd085acb..abb7178a558f 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -3170,6 +3170,10 @@ Options for each entry include:
 * `client_secret`: oauth2 client secret to use. May be omitted if
 `client_secret_jwt_key` is given, or if `client_auth_method` is 'none'.
 
+* `client_secret_path`: path to the oauth2 client secret to use. With that
+ it's not necessary to leak secrets into the config file itself.
+ Mutually exclusive with `client_secret`.
+
 * `client_secret_jwt_key`: Alternative to client_secret: details of a key used
 to create a JSON Web Token to be used as an OAuth2 client secret. If
 given, must be a dictionary with the following properties:
diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
index 77c1d1dc8e0f..574d6afb9552 100644
--- a/synapse/config/oidc.py
+++ b/synapse/config/oidc.py
@@ -280,6 +280,20 @@ def _parse_oidc_config_dict(
 for x in oidc_config.get("attribute_requirements", [])
 ]
 
+ # Read from either `client_secret_path` or `client_secret`. If both exist, error.
+ client_secret = oidc_config.get("client_secret")
+ client_secret_path = oidc_config.get("client_secret_path")
+ if client_secret_path is not None:
+ if client_secret is None:
+ client_secret = read_file(
+ client_secret_path, config_path + ("client_secret_path",)
+ ).rstrip("\n")
+ else:
+ raise ConfigError(
+ "Cannot specify both client_secret and client_secret_path",
+ config_path + ("client_secret",),
+ )
+
 return OidcProviderConfig(
 idp_id=idp_id,
 idp_name=oidc_config.get("idp_name", "OIDC"),
@@ -288,7 +302,7 @@ def _parse_oidc_config_dict(
 discover=oidc_config.get("discover", True),
 issuer=oidc_config["issuer"],
 client_id=oidc_config["client_id"],
- client_secret=oidc_config.get("client_secret"),
+ client_secret=client_secret,
 client_secret_jwt_key=client_secret_jwt_key,
 client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"),
 pkce_method=oidc_config.get("pkce_method", "auto"),
From 8061107e9203aba40365c7872e8f7ba67fd74240 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Wed, 16 Aug 2023 13:08:49 +0200
Subject: [PATCH 2/3] docs & changelog: improve wording
Co-authored-by: Patrick Cloke
Signed-off-by: Maximilian Bosch
---
changelog.d/16030.feature | 2 +-
docs/usage/configuration/config_documentation.md | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/changelog.d/16030.feature b/changelog.d/16030.feature
index fd8dbb1d33ac..c2f068085f1d 100644
--- a/changelog.d/16030.feature
+++ b/changelog.d/16030.feature
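Review bot: `read_file(...).rstrip("\n")` in the new `client_secret_path` branch strips only a trailing LF, so a secret file saved with CRLF endings or a trailing space keeps that byte in the secret, and an empty file is accepted as the secret `""`; both surface later as an opaque authentication error from the provider instead of a config error at startup. Consider `client_secret = read_file(client_secret_path, config_path + ("client_secret_path",)).strip()` followed by `if not client_secret: raise ConfigError("client_secret_path points to an empty file", config_path + ("client_secret_path",))`. Whether an empty string is rejected downstream depends on how `OidcProviderConfig` validates `client_secret` against `client_auth_method`, which is not visible in this hunk. The docs entry in the previous file section could also state that the file should be readable only by the user running Synapse, since that permission, not the indirection itself, is what keeps the secret out of a world-readable config. `_parse_oidc_config_dict` starts before and ends after this hunk.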
@@ -1 +1 @@
-Allow specifying `client_secret_path` as alternative to `client_secret` for OIDC providers. That way, the client secret doesn't need to be leaked into the homeserver config. Contributed by @Ma27.
+Allow specifying `client_secret_path` as alternative to `client_secret` for OIDC providers. This avoids leaking the client secret in the homeserver config. Contributed by @Ma27.
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index abb7178a558f..8c3c99d42c35 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -3169,10 +3169,12 @@ Options for each entry include:
 
 * `client_secret`: oauth2 client secret to use. May be omitted if
 `client_secret_jwt_key` is given, or if `client_auth_method` is 'none'.
+ Must be omitted if `client_secret_path` is specified.
 
 * `client_secret_path`: path to the oauth2 client secret to use. With that
 it's not necessary to leak secrets into the config file itself.
- Mutually exclusive with `client_secret`.
+ Mutually exclusive with `client_secret`. Can be omitted if
+ `client_secret_jwt_key` is specified.
 
 * `client_secret_jwt_key`: Alternative to client_secret: details of a key used
 to create a JSON Web Token to be used as an OAuth2 client secret. If
From 4a401ddf6f1abe71805ed44b0d31ef7481db2d80 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Mon, 21 Aug 2023 12:30:25 -0400
Subject: [PATCH 3/3] Note version added.
---
docs/usage/configuration/config_documentation.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index 8c3c99d42c35..07947f0beba1 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -3176,6 +3176,8 @@ Options for each entry include:
 Mutually exclusive with `client_secret`. Can be omitted if
 `client_secret_jwt_key` is specified.
 
+ *Added in Synapse 1.91.0.*
+
 * `client_secret_jwt_key`: Alternative to client_secret: details of a key used
 to create a JSON Web Token to be used as an OAuth2 client secret. If
 given, must be a dictionary with the following properties: