Support ACL's when connecting to Redis store.

config-templates/config.php

@@ -1204,9 +1204,18 @@ $config = [
     'store.redis.port' => 6379,
 
     /*
-     * The password to use when connecting to a password-protected Redis instance.
+     * The credentials to use when connecting to Redis.
+     *
+     * If your Redis server is using the legacy password protection (config
+     * directive "requirepass" in redis.conf) then you should only provide
+     * a password.
+     *
+     * If your Redis server is using ACL's (which are recommended as of
+     * Redis 6+) then you should provide both a username and a password.
+     * See https://redis.io/docs/manual/security/acl/
      */
-    'store.redis.password' => null,
+    'store.redis.username' => '',
+    'store.redis.password' => '',
 
     /*
      * The prefix we should use on our Redis datastore.

docs/simplesamlphp-maintenance.md

@@ -161,7 +161,11 @@ The required tables are created automatically. If you are storing data from mult
 
 To store sessions in Redis, set the `store.type` option to `redis`.
 
-By default SimpleSAMLphp will attempt to connect to Redis on the `localhost` at port `6379`. These can be configured via the `store.redis.host` and `store.redis.port` options, respectively. You may also set a key prefix with the `store.redis.prefix` option. For Redis instances that [require authentication](https://redis.io/commands/auth), use the `store.redis.password` option.
+By default SimpleSAMLphp will attempt to connect to Redis on the `localhost` at port `6379`. These can be configured via the `store.redis.host` and `store.redis.port` options, respectively. You may also set a key prefix with the `store.redis.prefix` option.
+
+For Redis instances that [require authentication](https://redis.io/commands/auth):
+* If authentication is managed with the `requirepass` directive (legacy password protection): use the `store.redis.password` option
+* If authentication is managed with [ACL's](https://redis.io/docs/manual/security/acl/) (which are recommended as of Redis 6): use the `store.redis.password` and `store.redis.username` options
 
 ## Metadata storage
 

src/SimpleSAML/Store/RedisStore.php

@@ -39,6 +39,7 @@ class RedisStore implements StoreInterface
             $port = $config->getOptionalInteger('store.redis.port', 6379);
             $prefix = $config->getOptionalString('store.redis.prefix', 'SimpleSAMLphp');
             $password = $config->getOptionalString('store.redis.password', null);
+            $username = $config->getOptionalString('store.redis.username', null);
             $database = $config->getOptionalInteger('store.redis.database', 0);
 
             $redis = new Client(
@@ -47,7 +48,9 @@ class RedisStore implements StoreInterface
                     'host' => $host,
                     'port' => $port,
                     'database' => $database,
-                ] + (!empty($password) ? ['password' => $password] : []),
+                ]
+                + (!empty($password) ? ['password' => $password] : [])
+                + (!empty($username) ? ['username' => $username] : []),
                 [
                     'prefix' => $prefix,
                 ]

tests/src/SimpleSAML/Store/RedisStoreTest.php

@@ -128,6 +128,21 @@ class RedisStoreTest extends TestCase
         $this->assertInstanceOf(Store\RedisStore::class, $this->store);
     }
 
+    /**
+     * @test
+     */
+    public function testRedisInstanceWithPasswordAndUsername(): void
+    {
+        $config = Configuration::loadFromArray([
+            'store.type' => 'redis',
+            'store.redis.prefix' => 'phpunit_',
+            'store.redis.password' => 'password',
+            'store.redis.username' => 'username',
+        ], '[ARRAY]', 'simplesaml');
+
+        $this->assertInstanceOf(Store\RedisStore::class, $this->store);
+    }
+
 
     /**
      * @test