Add option to put secret in a file

README.md

@@ -26,6 +26,7 @@ environment variables is used in this image:
 * `OID_DISCOVERY`: OpenID provider well-known discovery URL
 * `OID_CLIENT_ID`: OpenID Client ID
 * `OID_CLIENT_SECRET`: OpenID Client Secret
+* `OID_CLIENT_SECRET_FILE`: File to pull the OpenID Client Secret from (i.e. if you don't want to store it in an environment variable)
 * `OIDC_AUTH_METHOD`: OpenID Connect authentication method (`client_secret_basic` or `client_secret_post`)
 * `OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY`: Enable silent renew of access token (`true` or `false`)
 

nginx/conf/nginx.conf

@@ -12,6 +12,7 @@ env OID_SESSION_NAME;
 env OID_DISCOVERY;
 env OID_CLIENT_ID;
 env OID_CLIENT_SECRET;
+env OID_CLIENT_SECRET_FILE;
 env OID_REDIRECT_PATH;
 env OIDC_AUTH_SCOPE;
 env OIDC_AUTH_METHOD;

nginx/lua/auth.lua

@@ -1,8 +1,24 @@
+if os.getenv("OID_CLIENT_SECRET_FILE") then
+    filename = os.getenv("OID_CLIENT_SECRET_FILE")
+    local f = io.open(filename, "rb")
+    if not f then
+        ngx.status = 500
+        ngx.header.content_type = 'text/html';
+
+        ngx.say("Could not find filename for OID_CLIENT_SECRET_FILE: " .. filename)
+        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+    end
+
+    oid_secret = f.read(f)
+else
+    oid_secret = os.getenv("OID_CLIENT_SECRET")
+end
+
 local opts = {
     redirect_uri_path = os.getenv("OID_REDIRECT_PATH") or "/redirect_uri",
     discovery = os.getenv("OID_DISCOVERY"),
     client_id = os.getenv("OID_CLIENT_ID"),
-    client_secret = os.getenv("OID_CLIENT_SECRET"),
+    client_secret = oid_secret,
     token_endpoint_auth_method = os.getenv("OIDC_AUTH_METHOD") or "client_secret_basic",
     renew_access_token_on_expiry = os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY") ~= "false",
     scope = os.getenv("OIDC_AUTH_SCOPE") or "openid",