enable to validate by old system secret when setting `ROTATED_SYSTEM_…

…SECRET` Signed-off-by: Shota SAWADA <xiootas@gmail.com>
ory · Dec 27, 2018 · 7ece1fc · 7ece1fc
1 parent e2d6c44
commit 7ece1fc
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -138,6 +138,9 @@ func initConfig() {
 	viper.BindEnv("SYSTEM_SECRET")
 	viper.SetDefault("SYSTEM_SECRET", "")
 
+	viper.BindEnv("ROTATED_SYSTEM_SECRET")
+	viper.SetDefault("ROTATED_SYSTEM_SECRET", "")
+
 	viper.BindEnv("CLIENT_SECRET")
 	viper.SetDefault("CLIENT_SECRET", "")
 

diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
@@ -94,7 +94,7 @@ func newOAuth2Provider(c *config.Config) fosite.OAuth2Provider {
 	}
 
 	var coreStrategy foauth2.CoreStrategy
-	hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret(), nil)
+	hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret(), c.GetRotatedSystemSecrets())
 	if c.OAuth2AccessTokenStrategy == "jwt" {
 		kid := uuid.New()
 		if _, err := createOrGetJWK(c, oauth2.OAuth2JWTKeyName, kid, "private"); err != nil {

diff --git a/config/config.go b/config/config.go
@@ -364,7 +364,8 @@ func (c *Config) Context() *Context {
 		Hasher:     hasher,
 		FositeStrategy: &foauth2.HMACSHAStrategy{
 			Enigma: &hmac.HMACStrategy{
-				GlobalSecret: c.GetSystemSecret(),
+				GlobalSecret:         c.GetSystemSecret(),
+				RotatedGlobalSecrets: c.GetRotatedSystemSecrets(),
 			},
 			AccessTokenLifespan:   c.GetAccessTokenLifespan(),
 			AuthorizeCodeLifespan: c.GetAuthCodeLifespan(),