diff --git a/cmd/root.go b/cmd/root.go
index 5c4b7f82a57..2ac76a652a5 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -138,6 +138,9 @@ func initConfig() {
 viper.BindEnv("SYSTEM_SECRET")
 viper.SetDefault("SYSTEM_SECRET", "")
+ viper.BindEnv("ROTATED_SYSTEM_SECRET")
+ viper.SetDefault("ROTATED_SYSTEM_SECRET", "")
+
 viper.BindEnv("CLIENT_SECRET")
 viper.SetDefault("CLIENT_SECRET", "")
diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
index 86bc67c4930..38589583f08 100644
--- a/cmd/server/handler_oauth2_factory.go
+++ b/cmd/server/handler_oauth2_factory.go
@@ -94,7 +94,7 @@ func newOAuth2Provider(c *config.Config) fosite.OAuth2Provider {
 }
 var coreStrategy foauth2.CoreStrategy
- hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret(), nil)
+ hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret(), c.GetRotatedSystemSecrets())
 if c.OAuth2AccessTokenStrategy == "jwt" {
 kid := uuid.New()
 if _, err := createOrGetJWK(c, oauth2.OAuth2JWTKeyName, kid, "private"); err != nil {
diff --git a/config/config.go b/config/config.go
index 766fb20d291..686bee12d03 100644
--- a/config/config.go
+++ b/config/config.go
@@ -364,7 +364,8 @@ func (c *Config) Context() *Context {
 Hasher: hasher,
 FositeStrategy: &foauth2.HMACSHAStrategy{
 Enigma: &hmac.HMACStrategy{
- GlobalSecret: c.GetSystemSecret(),
+ GlobalSecret: c.GetSystemSecret(),
+ RotatedGlobalSecrets: c.GetRotatedSystemSecrets(),
 },
 AccessTokenLifespan: c.GetAccessTokenLifespan(),
 AuthorizeCodeLifespan: c.GetAuthCodeLifespan(),
@@ -396,6 +397,10 @@ func (c *Config) GetCookieSecret() []byte {
 }
 func (c *Config) GetRotatedSystemSecrets() [][]byte {
+ if len(c.RotatedSystemSecret) == 0 {
+ return nil
+ }
+
 return [][]byte{
 pkg.HashStringSecret(c.RotatedSystemSecret),
 }
diff --git a/config/config_test.go b/config/config_test.go
index 35355d551b9..c8f3f78d163 100644
--- a/config/config_test.go
+++ b/config/config_test.go
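Review bot: The new guard in GetRotatedSystemSecrets only rejects an empty ROTATED_SYSTEM_SECRET; a short or low-entropy value still goes through pkg.HashStringSecret and becomes a key that validates previously issued HMAC tokens, so the rotated secret should get whatever minimum-length check the primary secret gets (GetSystemSecret is outside this hunk, so I cannot confirm it has one). It is also worth rejecting, or at least warning on, a rotated secret equal to SYSTEM_SECRET, since listing the same key twice buys nothing and usually signals a misconfiguration. The exported method still has no doc comment; I would add `// GetRotatedSystemSecrets returns the hashed ROTATED_SYSTEM_SECRET as a single-element list, intended for validating tokens issued under the previous system secret, or nil when none is configured.` Stating there that only one rotated secret is supported, even though the return type is a slice, keeps operators from expecting a delimited list.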
@@ -105,6 +105,13 @@ func TestSystemSecret(t *testing.T) {
 assert.EqualValues(t, c.GetSystemSecret(), c2.GetSystemSecret())
 }
+func TestRotatedSystemSecrets(t *testing.T) {
+ c := &Config{RotatedSystemSecret: "foobarbazbarasdfasdffoobarbazbarasdfasdf"}
+ assert.EqualValues(t, c.GetRotatedSystemSecrets(), c.GetRotatedSystemSecrets())
+ c2 := &Config{RotatedSystemSecret: ""}
+ assert.Nil(t, c2.GetRotatedSystemSecrets())
+}
+
 func TestResolve(t *testing.T) {
 c := &Config{EndpointURL: "https://localhost:1234"}
 assert.Equal(t, c.Resolve("foo", "bar").String(), "https://localhost:1234/foo/bar")
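Review bot: The first assertion in TestRotatedSystemSecrets compares c.GetRotatedSystemSecrets() with itself, so it passes whatever the method returns and never exercises the hashing path. Mirror TestSystemSecret just above: build a second Config with the same rotated secret and compare the two results with EqualValues, and add `assert.Len(t, c.GetRotatedSystemSecrets(), 1)` so a regression to an empty or nil result is caught. If pkg is already imported in this test file, also pin the value with `assert.EqualValues(t, pkg.HashStringSecret("foobarbazbarasdfasdffoobarbazbarasdfasdf"), c.GetRotatedSystemSecrets()[0])`. The nil check for the empty secret is fine as written.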