Read OpenID credentials from file (#3244)

* feat: read OpenID credentials from file

Signed-off-by: Uwe Jäger <uwe.jaeger@valiton.com>

* feat: allow credentials file and secret in config to keep BC

Signed-off-by: Uwe Jäger <uwe.jaeger@valiton.com>

---------

Signed-off-by: Uwe Jäger <uwe.jaeger@valiton.com>

pkg/api/authn.go

@@ -614,18 +614,19 @@ func getRelyingPartyArgs(cfg *config.Config, provider string, hashKey, encryptKe
 		log.Panic().Err(zerr.ErrOpenIDProviderDoesNotExist).Str("provider", provider).Msg("")
 	}
 
-	clientID := cfg.HTTP.Auth.OpenID.Providers[provider].ClientID
-	clientSecret := cfg.HTTP.Auth.OpenID.Providers[provider].ClientSecret
+	providerConfig := cfg.HTTP.Auth.OpenID.Providers[provider]
+	clientID := providerConfig.ClientID
+	clientSecret := providerConfig.ClientSecret
 
-	scopes := cfg.HTTP.Auth.OpenID.Providers[provider].Scopes
+	scopes := providerConfig.Scopes
 	// openid scope must be the first one in list
 	if !zcommon.Contains(scopes, oidc.ScopeOpenID) && config.IsOpenIDSupported(provider) {
 		scopes = append([]string{oidc.ScopeOpenID}, scopes...)
 	}
 
 	port := cfg.HTTP.Port
-	issuer := cfg.HTTP.Auth.OpenID.Providers[provider].Issuer
-	keyPath := cfg.HTTP.Auth.OpenID.Providers[provider].KeyPath
+	issuer := providerConfig.Issuer
+	keyPath := providerConfig.KeyPath
 	baseURL := net.JoinHostPort(cfg.HTTP.Address, port)
 
 	callback := constants.CallbackBasePath + "/" + provider

pkg/api/config/config.go

@@ -94,13 +94,19 @@ type OpenIDConfig struct {
 	Providers map[string]OpenIDProviderConfig
 }
 
-type OpenIDProviderConfig struct {
-	Name         string
+type OpenIDCredentials struct {
 	ClientID     string
 	ClientSecret string
-	KeyPath      string
-	Issuer       string
-	Scopes       []string
+}
+
+type OpenIDProviderConfig struct {
+	CredentialsFile string
+	Name            string
+	ClientID        string
+	ClientSecret    string
+	KeyPath         string
+	Issuer          string
+	Scopes          []string
 }
 
 type MethodRatelimitConfig struct {