From 8a99a3ed231fdcd8467e986182b4705342b6a15e Mon Sep 17 00:00:00 2001
From: Andrei Aaron
Date: Thu, 22 May 2025 19:08:28 +0300
Subject: [PATCH] Merge commit from fork

Signed-off-by: Andrei Aaron
---
 pkg/api/config/config.go | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/pkg/api/config/config.go b/pkg/api/config/config.go
index 39f86639..d0d40c45 100644
--- a/pkg/api/config/config.go
+++ b/pkg/api/config/config.go
@@ -331,14 +331,36 @@ func (c *Config) Sanitize() *Config {
 panic(err)
 }

- if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.bindPassword != "" {
- sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}
+ // Sanitize HTTP config
+ if c.HTTP.Auth != nil {
+ // Sanitize LDAP bind password
+ if c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.bindPassword != "" {
+ sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}

- if err := DeepCopy(c.HTTP.Auth.LDAP, sanitizedConfig.HTTP.Auth.LDAP); err != nil {
- panic(err)
+ if err := DeepCopy(c.HTTP.Auth.LDAP, sanitizedConfig.HTTP.Auth.LDAP); err != nil {
+ panic(err)
+ }
+
+ sanitizedConfig.HTTP.Auth.LDAP.bindPassword = "******"
 }

- sanitizedConfig.HTTP.Auth.LDAP.bindPassword = "******"
+ // Sanitize OpenID client secrets
+ if c.HTTP.Auth.OpenID != nil {
+ sanitizedConfig.HTTP.Auth.OpenID = &OpenIDConfig{
+ Providers: make(map[string]OpenIDProviderConfig),
+ }
+
+ for provider, config := range c.HTTP.Auth.OpenID.Providers {
+ sanitizedConfig.HTTP.Auth.OpenID.Providers[provider] = OpenIDProviderConfig{
+ Name: config.Name,
+ ClientID: config.ClientID,
+ ClientSecret: "******",
+ KeyPath: config.KeyPath,
+ Issuer: config.Issuer,
+ Scopes: config.Scopes,
+ }
+ }
+ }
 }

 if c.IsEventRecorderEnabled() {
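Review bot: In the OpenID branch the sanitized `OpenIDConfig` is rebuilt from `Providers` alone and each provider from six named fields, so any other field those structs carry (their definitions are outside this hunk) silently disappears from the sanitized output, whereas the LDAP branch above deep-copies and masks a single field. Omitting unlisted fields is the safer default for redaction, but it should be stated so that later fields are added deliberately, e.g. `// Rebuilt field by field: a field not listed here is omitted from the sanitized config, never copied.` `Scopes: config.Scopes` presumably shares a slice with the live config, so copying it would keep the sanitized value independent of the original. The diffstat shows only config.go changed; a test asserting that a configured client secret never appears in the `Sanitize()` result would guard this fix against regression. `Sanitize` begins and ends outside the hunk.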