Storing OAuth token in secrets manager?


I’m opening this issue to inquire whether you would be open to merging a PR that implements an option to store the OAuth token in a Secrets Manager (e.g. AWS Secrets Manager, Github Secrets or Terraform Cloud Workspace Variables) instead of the local config. This would facilitate managing OAuth authorization and token creation from a local computer, while making the token seamlessly available to a remote server running email-oauth2-proxy. It would also facilitate persisting the token if the remote server needs to be destroyed and recreated.

As mentioned in a prior issue, I’ve been working on an infrastructure-as-code project which uses Terraform to automatically configure an AWS server running email-oauth2-proxy. I’ve just made a first version of my work public at: michaelstepner/email-oauth2-proxy-aws.

As you might anticipate, the biggest limitation of my automated server configuration is authenticating with the email provider to obtain OAuth tokens. Thanks to your prior work, after creating the lightweight server I’m able to authenticate manually via SSH using --no-gui and --local-server-auth. But I would love to configure a more elegant solution someday.

I wouldn’t ask you to implement this yourself, of course, unless you were interested in doing so.

Implementation

I considered a command-line argument, but I’m currently envisioning a per-account configuration option like token_store below:

[your.office365.address@example.com]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access
redirect_uri = http://localhost
client_id = *** your client id here ***
client_secret = *** your client secret here ***
token_store = aws_secrets_manager

If that configuration option were left unspecified, it would default to local and the behaviour would follow the status quo, storing the token in the config file. This would preserve backward compatibility, and maintain simplicity for the majority of users who are using this software as a local client in their system tray.

Additional configuration required for the secrets manager could either be via environment variables (e.g. credentials for access to the secrets manager) or the configuration file.


Top GitHub Comments

simonrob commented, Dec 5, 2022

Excellent! Thanks for the work on this - great to see you found an approach with minimal impact to the proxy’s core features. Let me know how you get on; happy to review fully after that with a view to merging.

michaelstepner commented, Dec 19, 2022

FYI @simonrob, I have a work-in-progress fork that implements an MVP of this feature, storing tokens in AWS Secrets Manager.

Before opening a PR to propose merging this feature upstream, I plan to:

  • Test it for a while on my server to ensure it’s working as expected
  • Add code to seamlessly create the secret if it does not yet exist.

There’s no need for you to review my work-in-progress, but I wanted to give you and anyone else looking at this issue a heads up! (especially since I see it’s referenced every month or two from other issues)


> My key concern before merging would be about overcomplicating the proxy – I’m quite keen to keep it as simple and focused as reasonably possible, so if it’s a straightforward change to add this capability then I’d be open to it, but if it would end up drawing in lots more dependencies and adding lots of extra complexity then I’d be less keen.

I’m hoping this implementation is simple enough that it would meet your objectives!

  1. It adds an optional argument --aws-secrets:
     • --aws-secrets enables the proxy to store OAuth 2.0 tokens remotely in AWS Secrets Manager, rather than storing them in the local configuration file. This will only be applied to accounts which have an aws_secret parameter configured in the local configuration file, containing the ARN or name of the secret. To use this feature, you must install the requirements in requirements-aws-secrets.txt and set up authentication credentials for your AWS account.
  2. It adds an optional account-level configuration parameter, aws_secret:

     [your.office365.address@example.com]
     permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
     token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
     oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access
     redirect_uri = http://localhost
     client_id = *** your client id here ***
     client_secret = *** your client secret here ***
     aws_secret = *** ARN or name of secret in AWS Secrets Manager ***

  3. It adds new code to AppConfig._load() and AppConfig.save() to handle the option of loading/saving OAuth tokens from the remote AWS Secrets Manager. Around 40 lines of code total.
  4. The only new dependency is boto3, and it is only loaded if the --aws-secrets argument is specified.
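The load/save split described in the comment above, as an added example (not the proxy's or the fork's own code): a per-account aws_secret parameter plus an --aws-secrets switch decide whether the token JSON comes from Secrets Manager or from the config file, and the secret is created on first save (the "create if it does not yet exist" step the comment lists). It assumes a constructed config section, placeholder secret and account names, and a stand-in client in place of boto3 so that it runs offline.

```python
import configparser
import json
# Constructed sample of the per-account config discussed in the issue (not a real account).
SAMPLE_CONFIG = """[your.office365.address@example.com]
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id = placeholder-client-id
aws_secret = email-oauth2-proxy/office365-token
"""
TOKEN_KEYS = ("access_token", "access_token_expiry", "refresh_token")

class FakeSecretsManager:
    """Offline stand-in for boto3's Secrets Manager client (constructed); KeyError plays the role of ResourceNotFoundException."""
    def __init__(self):
        self.store = {}
    def get_secret_value(self, SecretId):
        return {"SecretString": self.store[SecretId]}
    def create_secret(self, Name, SecretString):
        self.store[Name] = SecretString
    def put_secret_value(self, SecretId, SecretString):
        self.store[SecretId]  # the real client also rejects updates to a missing secret
        self.store[SecretId] = SecretString

def load_config(text):
    config = configparser.ConfigParser()
    config.read_string(text)
    return config

def load_tokens(config, account, client, use_aws):
    """Tokens from Secrets Manager when --aws-secrets is on and aws_secret is set, else from the config file."""
    section = config[account]
    secret_id = section.get("aws_secret")
    if use_aws and secret_id:
        try:
            return json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])
        except KeyError:
            return {}  # secret not created yet: nothing cached, proxy must authorise first
    return {k: section[k] for k in TOKEN_KEYS if k in section}

def save_tokens(config, account, tokens, client, use_aws):
    """Write tokens back, creating the secret on first save so they never touch the disk."""
    section = config[account]
    secret_id = section.get("aws_secret")
    if not (use_aws and secret_id):
        section.update(tokens)  # status quo: token is kept in the local config file
        return
    payload = json.dumps(tokens)
    try:
        client.put_secret_value(SecretId=secret_id, SecretString=payload)
    except KeyError:
        client.create_secret(Name=secret_id, SecretString=payload)
```

With a real boto3 client the except clause would catch client.exceptions.ResourceNotFoundException instead, and the AWS credentials would come from the environment as the issue suggests.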
