fix: address comments

kanikabansal-juspay · kanikabansal-juspay · commit 388afdcc56e6 · 2025-12-09T14:33:35.000+05:30
diff --git a/config/deployments/production.toml b/config/deployments/production.toml
@@ -208,19 +208,6 @@ base_url = "https://live.hyperswitch.io"
 force_two_factor_auth = true
 force_cookies = false
 
-[oidc.key.k1]
-kid = ""
-private_key = ""
-
-[oidc.key.k2]
-kid = ""
-private_key = ""
-
-[oidc.client.c1]
-client_id = ""
-client_secret = ""
-redirect_uri = ""
-
 [frm]
 enabled = false
 
diff --git a/crates/api_models/src/oidc.rs b/crates/api_models/src/oidc.rs
@@ -1,6 +1,7 @@
 use std::str::FromStr;
 
 use common_utils::{events::ApiEventMetric, pii};
+use masking::Secret;
 use serde::{Deserialize, Serialize};
 use utoipa::ToSchema;
 
@@ -23,56 +24,58 @@ const CLAIMS_SUPPORTED: &[Claim] = &[
 ];
 
 /// OIDC Response Type
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "snake_case")]
 pub enum ResponseType {
     Code,
 }
 
 /// OIDC Response Mode
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "snake_case")]
 pub enum ResponseMode {
     Query,
 }
 
 /// OIDC Subject Type
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "snake_case")]
 pub enum SubjectType {
     Public,
 }
 
 /// OIDC Signing Algorithm
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub enum SigningAlgorithm {
     #[serde(rename = "RS256")]
     Rs256,
 }
 
 /// JWK Key Type
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub enum KeyType {
     #[serde(rename = "RSA")]
     Rsa,
 }
 
 /// JWK Key Use
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "snake_case")]
 pub enum KeyUse {
     Sig,
 }
 
 /// OIDC Grant Type
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "snake_case")]
 pub enum GrantType {
     AuthorizationCode,
 }
 
 /// OIDC Scope
-#[derive(Clone, Debug, PartialEq, serde::Serialize, serde::Deserialize, strum::EnumString)]
+#[derive(
+    Copy, Clone, Debug, PartialEq, serde::Serialize, serde::Deserialize, strum::EnumString,
+)]
 #[serde(rename_all = "snake_case")]
 #[strum(serialize_all = "snake_case")]
 pub enum Scope {
@@ -81,14 +84,14 @@ pub enum Scope {
 }
 
 /// OIDC Token Endpoint Authentication Method
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "snake_case")]
 pub enum TokenAuthMethod {
     ClientSecretBasic,
 }
 
 /// OIDC Claim
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "snake_case")]
 pub enum Claim {
     Aud,
@@ -101,7 +104,7 @@ pub enum Claim {
 }
 
 /// OIDC Authorization Error as per RFC 6749
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize, strum::Display)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize, strum::Display)]
 #[serde(rename_all = "snake_case")]
 #[strum(serialize_all = "snake_case")]
 pub enum OidcAuthorizationError {
@@ -115,7 +118,7 @@ pub enum OidcAuthorizationError {
 }
 
 /// OIDC Token Error as per RFC 6749
-#[derive(Clone, Debug, serde::Serialize, serde::Deserialize, strum::Display)]
+#[derive(Copy, Clone, Debug, serde::Serialize, serde::Deserialize, strum::Display)]
 #[serde(rename_all = "snake_case")]
 #[strum(serialize_all = "snake_case")]
 pub enum OidcTokenError {
@@ -320,7 +323,8 @@ pub struct OidcTokenRequest {
 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct OidcTokenResponse {
     /// ID Token value associated with the authenticated session
-    pub id_token: String,
+    #[schema(value_type = String)]
+    pub id_token: Secret<String>,
 
     /// OAuth 2.0 Token Type value
     #[schema(example = "Bearer")]
@@ -331,9 +335,38 @@ pub struct OidcTokenResponse {
     pub expires_in: u64,
 }
 
-impl ApiEventMetric for OidcDiscoveryResponse {}
-impl ApiEventMetric for JwksResponse {}
-impl ApiEventMetric for OidcAuthorizeQuery {}
-impl ApiEventMetric for AuthCodeData {}
-impl ApiEventMetric for OidcTokenRequest {}
-impl ApiEventMetric for OidcTokenResponse {}
+impl ApiEventMetric for OidcDiscoveryResponse {
+    fn get_api_event_type(&self) -> Option<common_utils::events::ApiEventsType> {
+        Some(common_utils::events::ApiEventsType::Oidc)
+    }
+}
+
+impl ApiEventMetric for JwksResponse {
+    fn get_api_event_type(&self) -> Option<common_utils::events::ApiEventsType> {
+        Some(common_utils::events::ApiEventsType::Oidc)
+    }
+}
+
+impl ApiEventMetric for OidcAuthorizeQuery {
+    fn get_api_event_type(&self) -> Option<common_utils::events::ApiEventsType> {
+        Some(common_utils::events::ApiEventsType::Oidc)
+    }
+}
+
+impl ApiEventMetric for AuthCodeData {
+    fn get_api_event_type(&self) -> Option<common_utils::events::ApiEventsType> {
+        Some(common_utils::events::ApiEventsType::Oidc)
+    }
+}
+
+impl ApiEventMetric for OidcTokenRequest {
+    fn get_api_event_type(&self) -> Option<common_utils::events::ApiEventsType> {
+        Some(common_utils::events::ApiEventsType::Oidc)
+    }
+}
+
+impl ApiEventMetric for OidcTokenResponse {
+    fn get_api_event_type(&self) -> Option<common_utils::events::ApiEventsType> {
+        Some(common_utils::events::ApiEventsType::Oidc)
+    }
+}
diff --git a/crates/common_utils/src/events.rs b/crates/common_utils/src/events.rs
@@ -140,6 +140,7 @@ pub enum ApiEventsType {
     },
     ThreeDsDecisionRule,
     Chat,
+    Oidc,
 }
 
 impl ApiEventMetric for serde_json::Value {}
diff --git a/crates/hyperswitch_domain_models/src/errors/api_error_response.rs b/crates/hyperswitch_domain_models/src/errors/api_error_response.rs
@@ -7,7 +7,7 @@ use http::StatusCode;
 
 use crate::router_data;
 
-#[derive(Clone, Debug, serde::Serialize)]
+#[derive(Copy, Clone, Debug, serde::Serialize)]
 #[serde(rename_all = "snake_case")]
 pub enum ErrorType {
     InvalidRequestError,
@@ -227,11 +227,6 @@ pub enum ApiErrorResponse {
         message = "Access forbidden, invalid JWT token was used"
     )]
     InvalidJwtToken,
-    #[error(
-        error_type = ErrorType::InvalidRequestError, code = "IR_17_1",
-        message = "Access forbidden, invalid Basic authentication credentials"
-    )]
-    InvalidBasicAuth,
     #[error(
         error_type = ErrorType::InvalidRequestError, code = "IR_18",
         message = "{message}",
@@ -315,12 +310,17 @@ pub enum ApiErrorResponse {
     ConnectedAccountAuthNotSupported,
     #[error(error_type = ErrorType::InvalidRequestError, code = "IR_50", message = "Invalid connected account operation")]
     InvalidConnectedOperation,
-    #[error(error_type = ErrorType::InvalidRequestError, code = "IR_48", message = "{error}: {description}")]
+    #[error(
+        error_type = ErrorType::InvalidRequestError, code = "IR_51",
+        message = "Access forbidden, invalid Basic authentication credentials"
+    )]
+    InvalidBasicAuth,
+    #[error(error_type = ErrorType::InvalidRequestError, code = "IR_52", message = "{error}: {description}")]
     OidcAuthorizationError {
         error: OidcAuthorizationError,
         description: String,
     },
-    #[error(error_type = ErrorType::InvalidRequestError, code = "IR_49", message = "{error}: {description}")]
+    #[error(error_type = ErrorType::InvalidRequestError, code = "IR_53", message = "{error}: {description}")]
     OidcTokenError {
         error: OidcTokenError,
         description: String,
@@ -616,7 +616,7 @@ impl ErrorSwitch<api_models::errors::types::ApiErrorResponse> for ApiErrorRespon
                 AER::BadRequest(ApiError::new("IR", 16, message.to_string(), None))
             }
             Self::InvalidJwtToken => AER::Unauthorized(ApiError::new("IR", 17, "Access forbidden, invalid JWT token was used", None)),
-            Self::InvalidBasicAuth => AER::Unauthorized(ApiError::new("IR", 171, "Access forbidden, invalid Basic authentication credentials", None)),
+            Self::InvalidBasicAuth => AER::Unauthorized(ApiError::new("IR", 51, "Access forbidden, invalid Basic authentication credentials", None)),
             Self::GenericUnauthorized { message } => {
                 AER::Unauthorized(ApiError::new("IR", 18, message.to_string(), None))
             },
@@ -750,10 +750,10 @@ impl ErrorSwitch<api_models::errors::types::ApiErrorResponse> for ApiErrorRespon
                 AER::BadRequest(ApiError::new("CE", 9, format!("Subscription operation: {operation} failed with connector"), None))
             }
             Self::OidcAuthorizationError { error, description } => {
-                AER::BadRequest(ApiError::new("IR", 48, format!("{}: {}", error, description), None))
+                AER::BadRequest(ApiError::new("IR", 52, format!("{}: {}", error, description), None))
             }
             Self::OidcTokenError { error, description } => {
-                AER::BadRequest(ApiError::new("IR", 49, format!("{}: {}", error, description), None))
+                AER::BadRequest(ApiError::new("IR", 53, format!("{}: {}", error, description), None))
             }
         }
     }
diff --git a/crates/router/src/configs/secrets_transformers.rs b/crates/router/src/configs/secrets_transformers.rs
@@ -351,6 +351,50 @@ impl SecretsHandler for settings::NetworkTokenizationService {
     }
 }
 
+#[async_trait::async_trait]
+impl SecretsHandler for settings::OidcSettings {
+    async fn convert_to_raw_secret(
+        value: SecretStateContainer<Self, SecuredSecret>,
+        secret_management_client: &dyn SecretManagementInterface,
+    ) -> CustomResult<SecretStateContainer<Self, RawSecret>, SecretsManagementError> {
+        let oidc_settings = value.get_inner();
+
+        let mut decrypted_keys = std::collections::HashMap::new();
+        for (key_id, oidc_key) in &oidc_settings.key {
+            let private_key = secret_management_client
+                .get_secret(oidc_key.private_key.clone())
+                .await?;
+            decrypted_keys.insert(
+                key_id.clone(),
+                settings::OidcKey {
+                    kid: oidc_key.kid.clone(),
+                    private_key,
+                },
+            );
+        }
+
+        let mut decrypted_clients = std::collections::HashMap::new();
+        for (client_key, oidc_client) in &oidc_settings.client {
+            let client_secret = secret_management_client
+                .get_secret(oidc_client.client_secret.clone())
+                .await?;
+            decrypted_clients.insert(
+                client_key.clone(),
+                settings::OidcClient {
+                    client_id: oidc_client.client_id.clone(),
+                    client_secret,
+                    redirect_uri: oidc_client.redirect_uri.clone(),
+                },
+            );
+        }
+
+        Ok(value.transition_state(|_| Self {
+            key: decrypted_keys,
+            client: decrypted_clients,
+        }))
+    }
+}
+
 /// # Panics
 ///
 /// Will panic even if kms decryption fails for at least one field
@@ -487,6 +531,11 @@ pub(crate) async fn fetch_raw_secrets(
         .await
         .expect("Failed to decrypt superposition config");
 
+    #[allow(clippy::expect_used)]
+    let oidc = settings::OidcSettings::convert_to_raw_secret(conf.oidc, secret_management_client)
+        .await
+        .expect("Failed to decrypt oidc configs");
+
     Settings {
         server: conf.server,
         chat,
@@ -524,7 +573,7 @@ pub(crate) async fn fetch_raw_secrets(
         #[cfg(feature = "email")]
         email: conf.email,
         user: conf.user,
-        oidc: conf.oidc,
+        oidc,
         mandates: conf.mandates,
         zero_mandates: conf.zero_mandates,
         network_transaction_id_supported_connectors: conf
diff --git a/crates/router/src/configs/settings.rs b/crates/router/src/configs/settings.rs
@@ -107,7 +107,7 @@ pub struct Settings<S: SecretState> {
     #[cfg(feature = "email")]
     pub email: EmailSettings,
     pub user: UserSettings,
-    pub oidc: OidcSettings,
+    pub oidc: SecretStateContainer<OidcSettings, S>,
     pub crm: CrmManagerConfig,
     pub cors: CorsSettings,
     pub mandates: Mandates,
diff --git a/crates/router/src/services/authentication.rs b/crates/router/src/services/authentication.rs
@@ -442,6 +442,7 @@ impl BasicAuthProvider for OidcAuthProvider {
         let client = session
             .conf
             .oidc
+            .get_inner()
             .get_client(identifier)
             .ok_or(errors::ApiErrorResponse::InvalidBasicAuth)?;
 
diff --git a/crates/router/src/services/oidc_provider.rs b/crates/router/src/services/oidc_provider.rs
@@ -43,7 +43,7 @@ static CACHED_JWKS: OnceCell<JwksResponse> = OnceCell::new();
 /// Build JWKS response with public keys (all keys for token validation)
 pub async fn get_jwks(state: SessionState) -> RouterResponse<JwksResponse> {
     let jwks_response = CACHED_JWKS.get_or_try_init(|| {
-        let oidc_keys = state.conf.oidc.get_all_keys();
+        let oidc_keys = state.conf.oidc.get_inner().get_all_keys();
         let mut keys = Vec::new();
 
         for key_config in oidc_keys {
@@ -97,6 +97,7 @@ pub fn validate_authorize_params(
     let client = state
         .conf
         .oidc
+        .get_inner()
         .get_client(&payload.client_id)
         .ok_or_else(|| {
             report!(ApiErrorResponse::OidcAuthorizationError {
@@ -248,6 +249,7 @@ fn validate_token_request(
     let registered_client = state
         .conf
         .oidc
+        .get_inner()
         .get_client(request_client_id)
         .ok_or_else(|| {
             report!(ApiErrorResponse::OidcTokenError {
@@ -335,10 +337,15 @@ async fn generate_id_token(
     state: &SessionState,
     auth_code_data: &AuthCodeData,
 ) -> error_stack::Result<String, ApiErrorResponse> {
-    let signing_key = state.conf.oidc.get_signing_key().ok_or_else(|| {
-        report!(ApiErrorResponse::InternalServerError)
-            .attach_printable("No signing key configured for OIDC")
-    })?;
+    let signing_key = state
+        .conf
+        .oidc
+        .get_inner()
+        .get_signing_key()
+        .ok_or_else(|| {
+            report!(ApiErrorResponse::InternalServerError)
+                .attach_printable("No signing key configured for OIDC")
+        })?;
 
     let now = SystemTime::now()
         .duration_since(UNIX_EPOCH)
@@ -407,7 +414,7 @@ pub async fn process_token_request(
     let id_token = generate_id_token(&state, &auth_code_data).await?;
 
     Ok(ApplicationResponse::Json(OidcTokenResponse {
-        id_token,
+        id_token: id_token.into(),
         token_type: TOKEN_TYPE_BEARER.to_string(),
         expires_in: ID_TOKEN_TTL_IN_SECS,
     }))

Original file line number	Diff line number	Diff line change
`@@ -140,6 +140,7 @@ pub enum ApiEventsType {`
`140`	`140`	`},`
`141`	`141`	`ThreeDsDecisionRule,`
`142`	`142`	`Chat,`
	`143`	`+ Oidc,`
`143`	`144`	`}`
`144`	`145`
`145`	`146`	`impl ApiEventMetric for serde_json::Value {}`