
Option to set value of clientId via secret

Open denniskniep opened this issue 10 months ago • 4 comments

OIDC defines clientId as a string. In our use case the clientId and clientSecret are specified as a pair in a secret.

Can we extend the spec with a property ClientIdRef of type SecretObjectReference, so that the ClientId is resolved by looking into the specified secret? This new property would be optional, so that the user can decide whether to set ClientId directly or have its value resolved from a secret.

denniskniep avatar Jan 26 '25 17:01 denniskniep

Will it be better to define a bool field that says clientIdInSecret?

arkodg avatar Jan 28 '25 00:01 arkodg

The same issue arises for the JWT provider audiences. It would be nice if we could pass SecretObjectReference[] there as well, instead of only string[].

consooo avatar Jan 28 '25 11:01 consooo

Using ClientIdRef follows the standard approach more closely, see here:

  • BackendTLSConfig.clientCertificateRef
  • APIKeyAuth.credentialRefs
  • ClientValidationContext.caCertificateRefs
  • ExtensionTLS.certificateRef
  • etc.

and it is more flexible. What do you think?

As a proposal:

JWTProvider

  • audiences string array
  • audienceRefs SecretObjectReference array

Union all audiences from audiences and audienceRefs.

OIDC

  • clientID string
  • clientIDRef SecretObjectReference

If both clientID and clientIDRef are specified, flag it with a bad status, Accepted=False.

denniskniep avatar Jan 31 '25 20:01 denniskniep

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar Mar 03 '25 00:03 github-actions[bot]

Hi @arkodg, as I gather this is still a proposal, not introduced in any version yet? If yes, is there an ETA for this change?

HannaManista avatar Jul 01 '25 07:07 HannaManista

The same issue arises for the JWT provider audiences. It would be nice if we could pass SecretObjectReference[] there as well, instead of only string[].

Hi @consooo, would you mind opening a separate issue to track the JWT audiences? It'd be helpful if you could include some background, like why these values are considered sensitive and need to be in a secret.

zhaohuabing avatar Jul 08 '25 02:07 zhaohuabing

OIDC

  • clientID string
  • clientIDRef SecretObjectReference

I've gone ahead with this proposal. We can use a CEL rule to ensure that only one of clientID and clientIDRef is specified.

zhaohuabing avatar Jul 08 '25 02:07 zhaohuabing
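The proposal above (a literal clientID beside an optional clientIDRef, mutually exclusive, with Accepted=False when both are set) and the closing remark about enforcing that with a CEL rule can be shown together in one piece of code. The following is an added example written for this page; it is not Envoy Gateway's implementation and it does not reproduce the project's actual types. The SecretObjectReference type is a minimal stand-in for the Gateway API type of that name, the CEL rule wording in the kubebuilder marker is assumed, and the Secret data key "client-id" is an assumption, since the thread never fixes a key name. The resolver also handles the failure modes a controller meets in practice: the Secret is missing, the key is missing, or the value is blank.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNotAccepted marks any outcome the controller should surface as
// Accepted=False on the policy status, as the thread proposes.
var ErrNotAccepted = errors.New("spec not accepted")

// clientIDKey is the Secret data key this example reads the client ID from.
// The thread does not fix a key name; this value is an assumption.
const clientIDKey = "client-id"

// SecretObjectReference is a minimal stand-in for the Gateway API type of the
// same name: the referenced Secret's name and an optional namespace.
type SecretObjectReference struct {
	Name      string
	Namespace string // empty means "same namespace as the policy"
}

// OIDCSpec carries the proposed pair: a literal clientID or a clientIDRef.
// The marker below is the kind of CEL rule the last comment mentions; the exact
// wording is assumed for this example. has() is true only for fields that are
// present, so `!=` makes the two fields mutually exclusive while still
// requiring that one of them is set.
//
// +kubebuilder:validation:XValidation:rule="has(self.clientID) != has(self.clientIDRef)",message="exactly one of clientID and clientIDRef must be set"
type OIDCSpec struct {
	ClientID    string                 `json:"clientID,omitempty"`
	ClientIDRef *SecretObjectReference `json:"clientIDRef,omitempty"`
}

// SecretStore stands in for a Secret lister, keyed by "namespace/name".
type SecretStore map[string]map[string][]byte

// ResolveClientID repeats the exclusivity check in Go (the CEL rule runs in the
// API server, and a controller should not rely on it alone), then returns the
// literal value or reads the value from the referenced Secret.
func ResolveClientID(spec OIDCSpec, policyNamespace string, store SecretStore) (string, error) {
	hasLiteral := spec.ClientID != ""
	hasRef := spec.ClientIDRef != nil
	switch {
	case hasLiteral && hasRef:
		return "", fmt.Errorf("%w: clientID and clientIDRef are mutually exclusive", ErrNotAccepted)
	case !hasLiteral && !hasRef:
		return "", fmt.Errorf("%w: one of clientID or clientIDRef is required", ErrNotAccepted)
	case hasLiteral:
		return spec.ClientID, nil
	}

	ns := spec.ClientIDRef.Namespace
	if ns == "" {
		ns = policyNamespace
	}
	name := ns + "/" + spec.ClientIDRef.Name
	data, ok := store[name]
	if !ok {
		return "", fmt.Errorf("%w: secret %s not found", ErrNotAccepted, name)
	}
	raw, ok := data[clientIDKey]
	if !ok {
		return "", fmt.Errorf("%w: secret %s has no %q key", ErrNotAccepted, name, clientIDKey)
	}
	// Secret values are often created with a trailing newline; strip it so the
	// client_id sent to the provider matches what was registered.
	id := strings.TrimSpace(string(raw))
	if id == "" {
		return "", fmt.Errorf("%w: secret %s has an empty %q value", ErrNotAccepted, name, clientIDKey)
	}
	return id, nil
}

// AcceptedCondition maps the resolver's outcome onto the proposed status:
// Accepted=True on success, Accepted=False with the reason otherwise.
func AcceptedCondition(err error) (status, message string) {
	if err == nil {
		return "True", "policy accepted"
	}
	return "False", err.Error()
}

func main() {
	// Constructed sample: the Secret a user would create holding both halves of
	// the credential pair, which is the use case that motivated the issue.
	store := SecretStore{
		"default/oidc-creds": {
			"client-id":     []byte("my-app\n"),
			"client-secret": []byte("s3cr3t"),
		},
	}
	specs := []OIDCSpec{
		{ClientID: "literal-app"},
		{ClientIDRef: &SecretObjectReference{Name: "oidc-creds"}},
		{ClientID: "literal-app", ClientIDRef: &SecretObjectReference{Name: "oidc-creds"}},
		{ClientIDRef: &SecretObjectReference{Name: "missing"}},
	}
	for _, s := range specs {
		id, err := ResolveClientID(s, "default", store)
		status, msg := AcceptedCondition(err)
		fmt.Printf("clientID=%q Accepted=%s (%s)\n", id, status, msg)
	}
}
```

Two design points worth noting: the Go check duplicates the CEL rule on purpose, because objects created before the rule was added, or through a path that bypasses admission, still reach the controller; and a real implementation that lets clientIDRef name another namespace also needs the ReferenceGrant check Gateway API requires for cross-namespace Secret references, which this example omits.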