Does the oauthOidcAllClaims filter provide the possibility to lookup sensitive data from Kubernetes Secrets

[lukibahr]

Hi folks,

we have several RouteGroups with the oauthOidcAllClaims filter set.

oauthOidcAllClaims("https://oidc-provider.example.com", "client_id", "client_secret",
    "http://target.example.com/subpath/callback", "email profile", "name email picture",
    "parameter=value", "X-Auth-Authorization:claims.email")

Is it possible or do you know a way on how to lookup the "client_secret" value from another source, like a kubernetes secret? Or is there a recommended way on how to handle these resources especially when dealing with GitOps?

Thanks and kind regards,

Lukas

[szuecs]

@lukibahr That would be a feature to support which makes a lot of sense!
In skipper we would use read from file via our secrets module.

[lukibahr]

@szuecs Is there a reference implementation already in skipper where we use the secrets module?

[szuecs]

In many auth filters it is in use or also in net/Client (skipper's http client)

[lukibahr]

@szuecs Is there any chance to get this implemented in the next couple of days or weeks? I'm currently not familiar enough with the entire codebase, to get this implemented and propose a MR for this.

Thanks

[szuecs]

MR?

I will have holidays until January, so I am not really available next days.
Maybe I can give a bit of context to the code. We implement these kind of features in filters.
Filters are created by an instance of a "spec". You likely want to create a new spec for this similar to the others (share spec with different new kind of "typ").
A filter instance is created by CreateFilter().

The entry point of the code that does the call path to work on the request is https://github.com/zalando/skipper/blob/master/filters/auth/oidc.go#L756.

[AlexanderYastrebov]

Looks like duplicate of #1952

[lukibahr]

I will have a look into it, after getting familiar with the codebase.