Merge pull request #1056 from sealor/add_exec_support_to_OIDCClientSe…

…cret

config.c: Add exec support to OIDCClientSecret

AUTHORS

@@ -88,3 +88,4 @@ reporting bugs, providing fixes, suggesting useful features or other:
 	Quentin Gillet <[email protected]>
 	Brent van Laere <[email protected]>
 	Mads Freek Petersen <https://github.com/madsfreek>
+	Stefan Richter <https://github.com/sealor>

ChangeLog

@@ -1,3 +1,6 @@
+05/05/2023
+- add exec support to OIDCClientSecret
+
 05/04/2023
 - cater for libapr/libapr-util version 1.2.x
 - bump to 2.4.14rc13

auth_openidc.conf

@@ -248,7 +248,10 @@
 # Only used for a single static provider has been configured, see below in OpenID Connect Provider.
 # Client secret used in calls to the statically configured OpenID Connect Provider.
 # (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token")
-#OIDCClientSecret <client_secret>
+# If the value begins with exec: the resulting command will be executed and the
+# first line returned to standard output by the program will be used as the
+# secret. The command may be absolute or relative to the web server root.
+#OIDCClientSecret [ <client_secret> | "exec:/path/to/otherProgram argument1" ]
 
 # Filename with the PEM-formatted client certificate used to authenticate the Client in calls to the
 # token endpoint of the OAuth 2.0 Authorization server.

src/config.c

@@ -3259,7 +3259,7 @@ const command_rec oidc_config_cmds[] = {
 				RSRC_CONF,
 				"Client identifier used in calls to OpenID Connect OP."),
 		AP_INIT_TAKE1(OIDCClientSecret,
-				oidc_set_string_slot,
+				oidc_set_passphrase_slot,
 				(void*)APR_OFFSETOF(oidc_cfg, provider.client_secret),
 				RSRC_CONF,
 				"Client secret used in calls to OpenID Connect OP."),