Does the oauthOidcAllClaims filter provide the possibility to lookup sensitive data from Kubernetes Secrets #2803

Open
lukibahr opened this issue Dec 20, 2023 · 7 comments
Labels
enhancement minor no risk changes, for example new filters

Comments

@lukibahr

Hi folks,

We have several RouteGroups with the oauthOidcAllClaims filter set.

oauthOidcAllClaims("https://oidc-provider.example.com", "client_id", "client_secret",
    "http://target.example.com/subpath/callback", "email profile", "name email picture",
    "parameter=value", "X-Auth-Authorization:claims.email")

Is it possible, or do you know a way, to look up the "client_secret" value from another source, like a Kubernetes secret? Or is there a recommended way to handle these resources, especially when dealing with GitOps?

Thanks and kind regards,

Lukas

@szuecs
Member

szuecs commented Dec 20, 2023

@lukibahr That would be a feature to support which makes a lot of sense!
In skipper we would read from a file via our secrets module.
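
A sketch of the file-based approach discussed in this thread, added here as an example; it is not skipper's secrets module or any code from the project. The `FileSecrets` type, the `ResolveArg` helper and the `secretRef:` argument prefix are hypothetical, and `Dir` is assumed to be the mount point of a Kubernetes Secret volume, so the route definition committed to Git carries only a reference.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// FileSecrets resolves secret names to files in one directory, for example the
// mount point of a Kubernetes Secret volume (hypothetical type, not skipper's).
type FileSecrets struct{ Dir string }

// Get reads the file on every call, so a rotated Secret is picked up without a
// restart. Only plain file names are accepted: a route author must not be able
// to make the proxy read files outside Dir.
func (s FileSecrets) Get(name string) (string, error) {
	if name == "" || name != filepath.Base(name) || strings.HasPrefix(name, ".") {
		return "", errors.New("secret name must be a plain file name")
	}
	b, err := os.ReadFile(filepath.Join(s.Dir, name))
	if err != nil {
		return "", fmt.Errorf("secret %q: %w", name, err)
	}
	v := strings.TrimRight(string(b), "\r\n")
	if v == "" {
		return "", fmt.Errorf("secret %q is empty", name)
	}
	return v, nil
}

// ResolveArg returns a filter argument unchanged unless it carries the
// hypothetical "secretRef:" prefix, in which case the value comes from Dir.
func ResolveArg(s FileSecrets, arg string) (string, error) {
	if strings.HasPrefix(arg, "secretRef:") {
		return s.Get(strings.TrimPrefix(arg, "secretRef:"))
	}
	return arg, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "oidc-secrets") // constructed stand-in for the mount
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "client-secret"), []byte("s3cr3t-constructed\n"), 0o600)
	v, err := ResolveArg(FileSecrets{Dir: dir}, "secretRef:client-secret")
	fmt.Println(len(v), err) // print the length only, never the secret itself
	_, err = ResolveArg(FileSecrets{Dir: dir}, "secretRef:../../etc/passwd")
	fmt.Println(err)
}
```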

@lukibahr
Author

@szuecs Is there a reference implementation already in skipper where we use the secrets module?

@szuecs
Member

szuecs commented Dec 21, 2023

It is in use in many auth filters and also in net/Client (skipper's HTTP client).

@szuecs szuecs added the minor no risk changes, for example new filters label Dec 21, 2023
@lukibahr
Author

@szuecs Is there any chance to get this implemented in the next couple of days or weeks? I'm currently not familiar enough with the entire codebase to get this implemented and propose an MR for this.

Thanks

@szuecs
Member

szuecs commented Dec 22, 2023

MR?

I will have holidays until January, so I am not really available in the next days.
Maybe I can give a bit of context to the code. We implement these kinds of features in filters.
Filters are created by an instance of a "spec". You likely want to create a new spec for this similar to the others (share spec with different new kind of "typ").
A filter instance is created by CreateFilter().

The entry point of the code that does the call path to work on the request is https://github.com/zalando/skipper/blob/master/filters/auth/oidc.go#L756.

@AlexanderYastrebov
Member

Looks like a duplicate of #1952

@lukibahr
Author

lukibahr commented Jan 9, 2024

I will have a look into it, after getting familiar with the codebase.
