
Add OIDC authentication support to the Doppler provider #157

Open

coetzeevs wants to merge 7 commits into DopplerHQ:master from coetzeevs:coetzeevs/oidc-auth-support

Conversation

@coetzeevs

Summary

Adds OpenID Connect (OIDC) authentication as a new provider authentication method, enabling keyless authentication from CI/CD platforms (GitHub Actions, GitLab CI, etc.) and Kubernetes workloads that issue OIDC tokens.

Changes

  • API client (doppler/api.go): Add exchangeOIDCToken function that exchanges an OIDC JWT for a Doppler API token via the /v3/auth/oidc endpoint, with TLS 1.2 minimum, 30s timeout, and 1MB response size limit
  • Provider configuration (doppler/provider.go): Add three new optional attributes:
    • oidc_identity — UUID of the Doppler service account identity (DOPPLER_OIDC_IDENTITY)
    • oidc_token — JWT token directly (DOPPLER_OIDC_TOKEN)
    • oidc_token_file — path to a file containing a JWT (DOPPLER_OIDC_TOKEN_FILE)
  • Validation & security hardening (doppler/provider.go):
    • Mutual exclusivity between doppler_token and OIDC auth, and between oidc_token / oidc_token_file
    • Client-side UUID validation for oidc_identity
    • JWT structure check (3 dot-separated parts)
    • Absolute path requirement for oidc_token_file, with empty-file check
    • oidc_token marked Sensitive: true to prevent plan output leakage
    • Warnings for non-HTTPS hosts and disabled TLS verification
    • doppler_token changed from Required to Optional
  • Documentation (templates/index.md.tmpl, docs/index.md): Document both OIDC authentication options with usage examples
  • Example (examples/main.tf): Add commented-out OIDC provider configuration examples

Usage

# Using a token file (e.g. Kubernetes projected service account token)
provider "doppler" {
  oidc_identity   = "<YOUR SERVICE ACCOUNT IDENTITY UUID>"
  oidc_token_file = "/var/run/secrets/tokens/doppler"
}

# Or using a token directly
provider "doppler" {
  oidc_identity = "<YOUR SERVICE ACCOUNT IDENTITY UUID>"
  oidc_token    = "<YOUR OIDC JWT>"
}

Test plan

  • make build compiles successfully
  • make test passes
  • make tfdocs produces docs consistent with templates (hash unchanged)
  • No semgrep-prohibited patterns (exec.Command, ioutil.WriteFile)
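The client-side checks listed under "Validation & security hardening" (mutual exclusivity, UUID check, three-part JWT shape, absolute non-empty token file, sanitized read errors, transport warnings) as one runnable Go function. This is an added illustration written for this page, not code from the PR or from the terraform-provider-doppler code base; the type and function names (ProviderAuth, Credential, ResolveWith, TransportWarnings, MapFileReader) are assumptions, and the file contents, UUID and JWT-looking strings are constructed fixtures.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ProviderAuth holds the four attributes named in the PR; empty string means unset.
type ProviderAuth struct {
	DopplerToken, OIDCIdentity, OIDCToken, OIDCTokenFile string
}

// Credential is what the provider ends up configuring with: a static token, or an
// identity + JWT pair to exchange at configure time.
type Credential struct {
	UseOIDC                               bool
	StaticToken, OIDCIdentity, OIDCJWT string
}

// RFC 4122 textual form (8-4-4-4-12 hex). Version/variant bits are not checked here.
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// checkJWTShape verifies only the compact serialization (header.payload.signature).
// Nothing is decoded or verified: the JWT is opaque to the client and is checked by Doppler.
func checkJWTShape(tok string) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return fmt.Errorf("oidc token must have 3 dot-separated parts, got %d", len(parts))
	}
	for i, p := range parts {
		if p == "" {
			return fmt.Errorf("oidc token part %d is empty", i+1)
		}
	}
	return nil
}

// Resolve applies the validation rules using os.ReadFile for oidc_token_file.
func Resolve(a ProviderAuth) (Credential, error) { return ResolveWith(a, os.ReadFile) }

// ResolveWith takes the file reader as a parameter so the rules can be exercised offline.
func ResolveWith(a ProviderAuth, readFile func(string) ([]byte, error)) (Credential, error) {
	oidcSet := a.OIDCIdentity != "" || a.OIDCToken != "" || a.OIDCTokenFile != ""
	switch {
	case a.DopplerToken != "" && oidcSet:
		return Credential{}, errors.New("doppler_token cannot be combined with oidc_identity/oidc_token/oidc_token_file")
	case a.DopplerToken != "":
		return Credential{StaticToken: a.DopplerToken}, nil
	case !oidcSet:
		return Credential{}, errors.New("no credentials: set doppler_token, or oidc_identity with oidc_token/oidc_token_file")
	}
	if !uuidRe.MatchString(a.OIDCIdentity) {
		return Credential{}, errors.New("oidc_identity must be the service account identity UUID")
	}
	if a.OIDCToken != "" && a.OIDCTokenFile != "" {
		return Credential{}, errors.New("oidc_token and oidc_token_file are mutually exclusive")
	}
	jwt := a.OIDCToken
	if a.OIDCTokenFile != "" {
		if !filepath.IsAbs(a.OIDCTokenFile) {
			return Credential{}, fmt.Errorf("oidc_token_file must be an absolute path: %q", a.OIDCTokenFile)
		}
		data, err := readFile(a.OIDCTokenFile)
		if err != nil {
			// Sanitized on purpose: the OS error text is not surfaced in plan/apply output.
			return Credential{}, fmt.Errorf("could not read oidc_token_file %q", a.OIDCTokenFile)
		}
		if jwt = strings.TrimSpace(string(data)); jwt == "" {
			return Credential{}, fmt.Errorf("oidc_token_file %q is empty", a.OIDCTokenFile)
		}
	}
	if jwt == "" {
		return Credential{}, errors.New("one of oidc_token or oidc_token_file is required")
	}
	if err := checkJWTShape(jwt); err != nil {
		return Credential{}, err
	}
	return Credential{UseOIDC: true, OIDCIdentity: a.OIDCIdentity, OIDCJWT: jwt}, nil
}

// TransportWarnings: the JWT travels in the request body, so a plaintext host or
// disabled certificate verification exposes the credential to the network path.
func TransportWarnings(host string, verifyTLS bool) []string {
	var w []string
	if !strings.HasPrefix(strings.ToLower(host), "https://") {
		w = append(w, "host does not use HTTPS; the OIDC token would be sent in clear text")
	}
	if !verifyTLS {
		w = append(w, "verify_tls=false: the OIDC token could be sent to an impersonated host")
	}
	return w
}

// MapFileReader is a constructed stand-in for os.ReadFile (in-memory "files").
func MapFileReader(files map[string]string) func(string) ([]byte, error) {
	return func(p string) ([]byte, error) {
		if s, ok := files[p]; ok {
			return []byte(s), nil
		}
		return nil, errors.New("open " + p + ": no such file or directory")
	}
}

func main() {
	files := map[string]string{"/var/run/secrets/tokens/doppler": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2ln\n"} // constructed, not a real JWT
	c, err := ResolveWith(ProviderAuth{OIDCIdentity: "123e4567-e89b-12d3-a456-426614174000", OIDCTokenFile: "/var/run/secrets/tokens/doppler"}, MapFileReader(files))
	fmt.Println(c.UseOIDC, c.OIDCJWT, err)
	for _, w := range TransportWarnings("http://doppler.internal", false) {
		fmt.Println("warning:", w)
	}
}
```

Note the order of checks: everything that can fail without touching the filesystem (exclusivity, UUID, absolute path) fails first, so a misconfiguration is reported before any token bytes are read.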

coetzeevs and others added 7 commits February 23, 2026 09:37
Add exchangeOIDCToken() standalone function that exchanges an OIDC JWT
for a short-lived Doppler API token via POST /v3/auth/oidc. This is an
unauthenticated endpoint - the JWT itself serves as the credential.

The function reuses existing HTTP, TLS, and error handling patterns
from the API client. It is not yet called by any code path.

Add oidc_identity, oidc_token, and oidc_token_file as alternative
authentication fields to the provider schema. Change doppler_token
from Required to Optional.

The provider now accepts either a static doppler_token OR an OIDC
identity + JWT. When OIDC fields are provided, the provider exchanges
the JWT for a short-lived Doppler API token at configure time via
POST /v3/auth/oidc, then uses it identically to a static token.

Validation ensures mutual exclusivity between the two auth methods
and that all required OIDC fields are present when OIDC is used.

Update the provider documentation template and regenerated docs to
describe both authentication methods: static token and OIDC. The
schema section now shows all fields as Optional with the new OIDC
fields included.

The Doppler API requires oidc_identity to be a valid UUID. This adds
client-side validation with a clear error message before making the
API call, and updates field descriptions, docs, and examples to
reflect the UUID requirement.

MEDIUM fixes:
- Pass context.Context through exchangeOIDCToken and use
  http.NewRequestWithContext for cancellation support
- Bound OIDC response body read to 1MB via io.LimitReader,
  migrate from deprecated ioutil.ReadAll to io.ReadAll
- Reject non-absolute paths for oidc_token_file

LOW fixes:
- Sanitize file-read error messages to avoid OS error leakage
- Emit warning when verify_tls=false is used with OIDC auth
- Emit warning when host does not use HTTPS with OIDC auth
- Validate JWT has 3 dot-separated parts before transmission

Show both oidc_token_file and oidc_token variants in the provider
documentation and example configuration so users are aware of both
OIDC authentication options.
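The exchange step described in the commit messages (POST /v3/auth/oidc with the JWT as the only credential, context-aware request, TLS 1.2 minimum, 30 s timeout, 1 MB bounded read) as an added, self-contained Go example. It is written for this page and is not the PR's exchangeOIDCToken or any Doppler code; the JSON request/response field names (identity, token) are an assumption about the wire format, the fake server is a local httptest stand-in for the Doppler API, and DemoIdentity, DemoJWT and DemoIssuedToken are constructed values, not real identifiers or tokens.

```go
package main

import (
	"bytes"
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const maxOIDCResponseBytes = 1 << 20 // 1 MB cap from the PR

// Assumed wire format for POST /v3/auth/oidc; not confirmed by the PR text.
type oidcExchangeRequest struct {
	Identity string `json:"identity"`
	Token    string `json:"token"`
}
type oidcExchangeResponse struct {
	Token string `json:"token"`
}

// NewHardenedClient: TLS 1.2 minimum and a 30 s overall deadline. rootCAs nil means
// system roots; verifyTLS=false maps to InsecureSkipVerify (the case the PR warns about).
func NewHardenedClient(rootCAs *x509.CertPool, verifyTLS bool) *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12, RootCAs: rootCAs, InsecureSkipVerify: !verifyTLS,
		}},
	}
}

// ExchangeOIDCToken posts identity + JWT to the unauthenticated endpoint and returns
// the short-lived Doppler token. The caller's ctx gives cancellation on top of the client timeout.
func ExchangeOIDCToken(ctx context.Context, client *http.Client, host, identity, jwt string) (string, error) {
	body, err := json.Marshal(oidcExchangeRequest{Identity: identity, Token: jwt})
	if err != nil {
		return "", err
	}
	url := strings.TrimRight(host, "/") + "/v3/auth/oidc"
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("oidc exchange request failed: %w", err)
	}
	defer resp.Body.Close()
	// Read one byte past the cap so an oversized body is rejected, not silently truncated.
	data, err := io.ReadAll(io.LimitReader(resp.Body, maxOIDCResponseBytes+1))
	if err != nil {
		return "", fmt.Errorf("reading oidc exchange response: %w", err)
	}
	if len(data) > maxOIDCResponseBytes {
		return "", errors.New("oidc exchange response exceeds 1 MB limit")
	}
	if resp.StatusCode != http.StatusOK {
		// Status only: the body is not echoed, so a hostile host cannot inject text into plan output.
		return "", fmt.Errorf("oidc exchange rejected with HTTP %d", resp.StatusCode)
	}
	var out oidcExchangeResponse
	if err := json.Unmarshal(data, &out); err != nil || out.Token == "" {
		return "", errors.New("oidc exchange response did not contain a token")
	}
	return out.Token, nil
}

// Constructed fixtures; none of these are real Doppler identifiers or tokens.
const (
	DemoIdentity    = "123e4567-e89b-12d3-a456-426614174000"
	DemoJWT         = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2ln"
	DemoIssuedToken = "dp.st.constructed-short-lived-token"
)

// fakeDopplerServer is a local TLS stand-in that accepts exactly one identity/JWT pair;
// oversize=true makes it answer with a body larger than the 1 MB cap.
func fakeDopplerServer(oversize bool) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in oidcExchangeRequest
		if r.Method != http.MethodPost || r.URL.Path != "/v3/auth/oidc" ||
			json.NewDecoder(io.LimitReader(r.Body, 64<<10)).Decode(&in) != nil {
			http.Error(w, `{"success":false}`, http.StatusBadRequest)
			return
		}
		if in.Identity != DemoIdentity || in.Token != DemoJWT {
			http.Error(w, `{"success":false}`, http.StatusUnauthorized)
			return
		}
		if oversize {
			w.Write(bytes.Repeat([]byte("x"), maxOIDCResponseBytes+1024))
			return
		}
		json.NewEncoder(w).Encode(oidcExchangeResponse{Token: DemoIssuedToken})
	}))
}

// RunExchange performs one exchange against the fake server, trusting only its certificate.
func RunExchange(identity, jwt string, oversize bool) (string, error) {
	srv := fakeDopplerServer(oversize)
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	return ExchangeOIDCToken(ctx, NewHardenedClient(pool, true), srv.URL, identity, jwt)
}

func main() {
	fmt.Println(RunExchange(DemoIdentity, DemoJWT, false))
	fmt.Println(RunExchange(DemoIdentity, "bad.jwt.value", false))
	fmt.Println(RunExchange(DemoIdentity, DemoJWT, true))
}
```

The bounded read is done before the status check on purpose: a non-200 reply from a misbehaving host is still subject to the 1 MB limit, and nothing from its body is copied into the returned error.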