config: support files for shared_secret, client_secret, cookie_secret and signing_key (#3453)

authorize/authorize.go

@@ -103,10 +103,15 @@ func newPolicyEvaluator(opts *config.Options, store *store.Store) (*evaluator.Ev
 		return nil, fmt.Errorf("authorize: invalid authenticate url: %w", err)
 	}
 
+	signingKey, err := opts.GetSigningKey()
+	if err != nil {
+		return nil, fmt.Errorf("authorize: invalid signing key: %w", err)
+	}
+
 	return evaluator.New(ctx, store,
 		evaluator.WithPolicies(opts.GetAllPolicies()),
 		evaluator.WithClientCA(clientCA),
-		evaluator.WithSigningKey(opts.SigningKey),
+		evaluator.WithSigningKey(signingKey),
 		evaluator.WithAuthenticateURL(authenticateURL.String()),
 		evaluator.WithGoogleCloudServerlessAuthenticationServiceAccount(opts.GetGoogleCloudServerlessAuthenticationServiceAccount()),
 		evaluator.WithJWTClaimsHeaders(opts.JWTClaimsHeaders),

authorize/check_response.go

@@ -166,7 +166,11 @@ func (a *Authorize) requireLoginResponse(
 	checkRequestURL.Scheme = "https"
 
 	q.Set(urlutil.QueryRedirectURI, checkRequestURL.String())
-	q.Set(urlutil.QueryIdentityProviderID, opts.GetIdentityProviderForPolicy(request.Policy).GetId())
+	idp, err := opts.GetIdentityProviderForPolicy(request.Policy)
+	if err != nil {
+		return nil, err
+	}
+	q.Set(urlutil.QueryIdentityProviderID, idp.GetId())
 	signinURL.RawQuery = q.Encode()
 	redirectTo := urlutil.NewSignedURL(state.sharedKey, signinURL).String()
 
@@ -210,7 +214,11 @@ func (a *Authorize) requireWebAuthnResponse(
 		q.Set(urlutil.QueryDeviceType, webauthnutil.DefaultDeviceType)
 	}
 	q.Set(urlutil.QueryRedirectURI, checkRequestURL.String())
-	q.Set(urlutil.QueryIdentityProviderID, opts.GetIdentityProviderForPolicy(request.Policy).GetId())
+	idp, err := opts.GetIdentityProviderForPolicy(request.Policy)
+	if err != nil {
+		return nil, err
+	}
+	q.Set(urlutil.QueryIdentityProviderID, idp.GetId())
 	signinURL.RawQuery = q.Encode()
 	redirectTo := urlutil.NewSignedURL(state.sharedKey, signinURL).String()