Read OpenID credentials from file (#3244)

* feat: read OpenID credentials from file

Signed-off-by: Uwe Jäger <uwe.jaeger@valiton.com>

* feat: allow credentials file and secret in config to keep BC

Signed-off-by: Uwe Jäger <uwe.jaeger@valiton.com>

---------

Signed-off-by: Uwe Jäger <uwe.jaeger@valiton.com>

pkg/cli/server/root.go

@@ -863,6 +863,12 @@ func LoadConfiguration(config *config.Config, configPath string) error {
 		return err
 	}
 
+	if err := updateOpenIDConfig(config); err != nil {
+		log.Error().Err(err).Msg("failed to read openid provider config file(s)")
+
+		return err
+	}
+
 	if err := loadSessionKeys(config); err != nil {
 		log.Error().Err(err).Msg("failed to read sessionKeysFile")
 
@@ -926,6 +932,32 @@ func updateLDAPConfig(conf *config.Config) error {
 	return nil
 }
 
+func updateOpenIDConfig(conf *config.Config) error {
+	if conf.HTTP.Auth == nil || conf.HTTP.Auth.OpenID == nil {
+		return nil
+	}
+
+	for name, provider := range conf.HTTP.Auth.OpenID.Providers {
+		if provider.CredentialsFile != "" {
+			var newOpenIDCredentials config.OpenIDCredentials
+
+			if err := readSecretFile(provider.CredentialsFile, &newOpenIDCredentials, true); err != nil {
+				return err
+			}
+
+			provider.ClientID = newOpenIDCredentials.ClientID
+			provider.ClientSecret = newOpenIDCredentials.ClientSecret
+
+			conf.HTTP.Auth.OpenID.Providers[name] = provider
+		} else {
+			log.Warn().Str("provider", name).
+				Msg("deprecated: use the new OpenID provider credentialsfile instead of clientid and clientsecret.")
+		}
+	}
+
+	return nil
+}
+
 func readSecretFile(path string, v any, checkUnsetFields bool) error { //nolint: varnamelen
 	viperInstance := viper.NewWithOptions(viper.KeyDelimiter("::"))