studio/tuwunel
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Add an option to read SSO client secret from a file

Browse Source
This commit is contained in:
Vladislav Grechannik
2026-01-10 03:16:00 +01:00
parent bd0a0acf4a
commit fc104d02a4
3 changed files with 59 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/core/config/check.rs
View File

@@ -288,6 +288,35 @@ pub fn check(config: &Config) -> Result {
)); ));
} }
for (i, provider) in config.identity_provider.iter().enumerate() {
if provider.client_secret.is_some() {
continue;
}
let Some(secret_path) = &provider.client_secret_file else {
return Err!(Config(
"client_secret",
"Either client secret or a client secret file must be set on identity provider \
{i}."
));
};
let Ok(secret) = std::fs::read_to_string(secret_path) else {
return Err!(Config(
"client_secret_file",
"Client secret file was specified but failed to be read at identity provider \
{i}"
));
};
if secret.is_empty() {
return Err!(Config(
"client_secret_file",
"Client secret file was specified but is empty on identity provider №{i}"
));
}
}
Ok(()) Ok(())
} }

25
src/core/config/mod.rs
View File

@@ -2517,7 +2517,15 @@ pub struct IdentityProvider {
/// Secret key the provider generated for you along with the `client_id` /// Secret key the provider generated for you along with the `client_id`
/// above. Unlike the `client_id`, the `client_secret` can be changed here /// above. Unlike the `client_id`, the `client_secret` can be changed here
/// whenever the provider regenerates one for you. /// whenever the provider regenerates one for you.
pub client_secret: String, pub client_secret: Option<String>,
/// Secret key to use that's read from the file path specified.
///
/// This takes priority over "client_secret" first, and falls back to
/// "client_secret" if invalid or failed to open.
///
/// example: "/etc/tuwunel/.client_secret"
pub client_secret_file: Option<PathBuf>,
/// The callback URL configured when registering the OAuth application with /// The callback URL configured when registering the OAuth application with
/// the provider. Tuwunel's callback URL must be strictly formatted exactly /// the provider. Tuwunel's callback URL must be strictly formatted exactly
@@ -2613,6 +2621,21 @@ pub struct IdentityProvider {
impl IdentityProvider { impl IdentityProvider {
#[must_use] #[must_use]
pub fn id(&self) -> &str { self.client_id.as_str() } pub fn id(&self) -> &str { self.client_id.as_str() }
pub async fn get_client_secret(&self) -> Result<String> {
if let Some(client_secret) = &self.client_secret {
return Ok(client_secret.clone());
}
futures::future::OptionFuture::from(
self.client_secret_file
.as_ref()
.map(tokio::fs::read_to_string),
)
.await
.transpose()?
.ok_or_else(|| err!("No client secret or client secret file configured"))
}
} }
impl Hash for IdentityProvider { impl Hash for IdentityProvider {

8
src/service/oauth/mod.rs
View File

@@ -97,9 +97,11 @@ pub async fn revoke_token(&self, (provider, session): (&Provider, &Session)) ->
client_secret: &'a str, client_secret: &'a str,
} }
let client_secret = provider.get_client_secret().await?;
let query = RevokeQuery { let query = RevokeQuery {
client_id: &provider.client_id, client_id: &provider.client_id,
client_secret: &provider.client_secret, client_secret: &client_secret,
}; };
let url = provider let url = provider
@@ -130,9 +132,11 @@ pub async fn request_token(
redirect_uri: Option<&'a str>, redirect_uri: Option<&'a str>,
} }
let client_secret = provider.get_client_secret().await?;
let query = TokenQuery { let query = TokenQuery {
client_id: &provider.client_id, client_id: &provider.client_id,
client_secret: &provider.client_secret, client_secret: &client_secret,
grant_type: "authorization_code", grant_type: "authorization_code",
code, code,
code_verifier: session.code_verifier.as_deref(), code_verifier: session.code_verifier.as_deref(),