Setting up a OIDC secrets via environment variables #1535

Closed

harnash opened this issue Jul 13, 2021 · 13 comments · Fixed by ory/docs#527

Comments

@harnash
Contributor

harnash commented Jul 13, 2021

Describe the bug

This is the follow-up to #1186. Right now it seems there is no way to properly define the Kratos configuration and separate secrets via environment variables. There seems to be a mention of the env variable SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS; however, I could not make it work properly using the following variable:

  • SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_CLIENT_SECRET

Reproducing the bug

Steps to reproduce the behavior:

  1. Create a configuration that uses Google as the OIDC provider and configure it as described at https://www.ory.sh/kratos/docs/guides/sign-in-with-github-google-facebook-linkedin#google, omitting the sensitive fields client_id and client_secret
  2. Try to specify the above secrets using environment variables

Server logs

The configuration contains values or keys which are invalid:
selfservice.methods.oidc.config.providers.0.client_secret: <nil>
                                                     ^-- one or more required properties are missing

Expected behavior

To follow best practices, it would be really nice to be able to override those variables using environment variables and avoid putting the whole configuration into secret storage.

@aeneasr
Member

aeneasr commented Jul 14, 2021

You could try to JSON-encode everything below SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS, so e.g. SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS=[{"id":""}], but not sure if it works tbh 😅

@harnash
Contributor Author

harnash commented Jul 14, 2021

Nope. It doesn't seem to work.

@aeneasr
Member

aeneasr commented Jul 14, 2021

If you want to investigate, the problem is probably somewhere around here: https://github.com/ory/x/blob/master/configx/koanf_env.go

@harnash
Contributor Author

harnash commented Jul 14, 2021

Will take a look. But I think it might need some substantial work to make it happen.

@aeneasr
Member

aeneasr commented Jul 14, 2021

Yeah that's quite possible. But it's also possible that it just needs a few lines of code to fix (but quite some time to understand what's going on) :)

@harnash
Contributor Author

harnash commented Jul 15, 2021

Not a huge success ory/x#374 but some progress.

@aeneasr
Member

aeneasr commented Jul 30, 2021

Have you tried if ory/x#374 works in Ory Kratos as intended? If so, we can bump ory/x here and then close this :)

@harnash
Contributor Author

harnash commented Jul 30, 2021

Yes, it works. However, it is far from optimal. It forces anyone to keep the whole SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS serialized as a string, which is error-prone and hard to manage if one has more than one provider set up (might even hit some limits when this string gets too long). I would keep this open and try to find a more manageable solution. What do you think?

@aeneasr
Member

aeneasr commented Aug 2, 2021

Ok, sounds good!

@Mautriz

Mautriz commented Aug 10, 2021

Hm, am I missing something? It keeps giving me nil with this env variable set:

SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS=[{"id":"google","provider":"google","client_id":"clientid","client_secret":"secret","mapper_url":"file:///etc/config/kratos/oidc.google.jsonnet","scope":["email","profile"],"requested_claims":{"id_token":{"email":{"essential":true},"email_verified":{"essential":true}}}}]

@harnash
Contributor Author

harnash commented Aug 10, 2021

@Mautriz Works just fine in our setup. Are you sure this variable is properly escaped? '"' can be tricky in ENV variables/JSON.
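
The two ways of getting the secret in that this thread discusses, the whole provider list JSON-encoded into SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS (aeneasr's suggestion, which ory/x#374 made work) and the per-field SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_CLIENT_SECRET override that the report asks for, as an added Go example. It is not Kratos or ory/x code: the Provider struct, the Env type, and the loadProviders, applySecretOverrides, validate and Resolve functions are this example's own, and applySecretOverrides is a hypothetical implementation of the requested behaviour, not what configx did at the time. The "quotes lost" case reproduces the escaping pitfall harnash points at: a value whose double quotes were stripped by a shell or .env loader fails at decode time with the raw value echoed, instead of surfacing later as the <nil> schema error from the report. The sample base config and env values are constructed from the values posted in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Env looks up one variable: a constructed map here, os.LookupEnv in real use.
type Env func(key string) (string, bool)
func mapEnv(m map[string]string) Env {
	return func(key string) (string, bool) { v, ok := m[key]; return v, ok }
}

// Provider holds the keys from the thread's example value (this example's own type, not Kratos's).
type Provider struct {
	ID              string          `json:"id"`
	Provider        string          `json:"provider"`
	ClientID        string          `json:"client_id"`
	ClientSecret    string          `json:"client_secret"`
	MapperURL       string          `json:"mapper_url"`
	Scope           []string        `json:"scope"`
	RequestedClaims json.RawMessage `json:"requested_claims,omitempty"`
}

// providersKey is selfservice.methods.oidc.config.providers as an env name.
const providersKey = "SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS"

// loadProviders returns base unless providersKey is set, in which case its
// value must be a JSON array that replaces the whole list.
func loadProviders(base []Provider, env Env) ([]Provider, error) {
	raw, ok := env(providersKey)
	if !ok {
		return base, nil
	}
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled key fails loudly instead of being dropped
	var ps []Provider
	if err := dec.Decode(&ps); err != nil {
		// Usually the quotes were eaten by a shell or .env loader: echo the value's start.
		return nil, fmt.Errorf("%s is not a JSON array: %v (value starts with %.24q)", providersKey, err, raw)
	}
	return ps, nil
}

// applySecretOverrides is the per-field form the issue asks for: the variable
// <providersKey>_<i>_CLIENT_SECRET sets client_secret of provider i.
// Hypothetical: it shows the requested behaviour, not what configx did.
func applySecretOverrides(ps []Provider, env Env) []Provider {
	out := append([]Provider(nil), ps...)
	for i := range out {
		if v, ok := env(fmt.Sprintf("%s_%d_CLIENT_SECRET", providersKey, i)); ok {
			out[i].ClientSecret = v
		}
	}
	return out
}

// validate reports a missing client_secret the way the issue's log does.
func validate(ps []Provider) error {
	for i, p := range ps {
		if p.ClientSecret == "" {
			return fmt.Errorf("selfservice.methods.oidc.config.providers.%d.client_secret: <nil>\n  ^-- one or more required properties are missing", i)
		}
	}
	return nil
}

// Resolve layers file config, whole-list env value and per-field overrides, then validates.
func Resolve(base []Provider, env Env) ([]Provider, error) {
	ps, err := loadProviders(base, env)
	if err != nil {
		return nil, err
	}
	ps = applySecretOverrides(ps, env)
	if err := validate(ps); err != nil {
		return nil, err
	}
	return ps, nil
}

func main() {
	// Constructed: the YAML side with the secret left out (step 1 of the report).
	base := []Provider{{ID: "google", Provider: "google", ClientID: "clientid", MapperURL: "file:///etc/config/kratos/oidc.google.jsonnet", Scope: []string{"email", "profile"}}}
	for _, c := range []struct{ name string; env Env }{
		{"indexed override", mapEnv(map[string]string{providersKey + "_0_CLIENT_SECRET": "secret"})},
		{"json list", mapEnv(map[string]string{providersKey: `[{"id":"google","provider":"google","client_id":"clientid","client_secret":"secret","mapper_url":"file:///etc/config/kratos/oidc.google.jsonnet","scope":["email","profile"],"requested_claims":{"id_token":{"email":{"essential":true},"email_verified":{"essential":true}}}}]`})},
		{"quotes lost", mapEnv(map[string]string{providersKey: `[{id:google,client_secret:secret}]`})},
		{"real environment", os.LookupEnv},
	} {
		ps, err := Resolve(base, c.env)
		if err != nil {
			fmt.Printf("%-17s error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-17s ok: %d provider(s), client_secret set: %t\n", c.name, len(ps), ps[0].ClientSecret != "")
	}
}
```

The "real environment" case reads the process's actual environment, so running the program with SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS exported from a shell or a .env file shows whether the JSON survived the quoting intact; if it did not, the error prints the first bytes the process really received, which is the quickest way to tell a missing release from a mangled value.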

@Mautriz

Mautriz commented Aug 10, 2021

This is the environment I use.
Maybe I have to replace the " with /", I guess? I'll try it out as soon as I can.

@aeneasr
Member

aeneasr commented Aug 10, 2021

I don't think this is released yet which is probably the problem here.


3 participants