adding config option to skip tls verify for OpenID provider (#147)

README.md

@@ -76,6 +76,7 @@ GLOBAL OPTIONS:
    --tls-ca-key value                  the path the ca private key, used by the forward signing proxy
    --tls-client-certificate value      the path to the client certificate, used to outbound connections in reverse and forwarding proxy modes
    --skip-upstream-tls-verify          whether to skip the verification of any upstream TLS (defaults to true)
+   --skip-openid-provider-tls-verify   whether to skip the verification of any TLS communication with the openid provider (defaults to false)
    --match-claims value                keypair values for matching access token claims e.g. aud=myapp, iss=http://example.*
    --add-claims value                  retrieve extra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name
    --resource value                    a list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'
@@ -468,4 +469,3 @@ You can control the upstream endpoint via the --upstream-url option. Both http a
 #### **Metrics**
 
 Assuming the --enable-metrics has been set, a prometheus endpoint can be found on /oauth/metrics
-

cli.go

@@ -261,6 +261,10 @@ func getCLIOptions() []cli.Flag {
 			Name:  "skip-upstream-tls-verify",
 			Usage: "whether to skip the verification of any upstream TLS (defaults to true)",
 		},
+		cli.BoolTFlag{
+			Name:  "skip-openid-provider-tls-verify",
+			Usage: "whether to skip the verification of any TLS communication with the openid provider (defaults to false)",
+		},
 		cli.StringSliceFlag{
 			Name:  "match-claims",
 			Usage: "keypair values for matching access token claims e.g. aud=myapp, iss=http://example.*",
@@ -374,6 +378,9 @@ func parseCLIOptions(cx *cli.Context, config *Config) (err error) {
 	if cx.IsSet("skip-upstream-tls-verify") {
 		config.SkipUpstreamTLSVerify = cx.Bool("skip-upstream-tls-verify")
 	}
+	if cx.IsSet("skip-openid-provider-tls-verify") {
+		config.SkipOpenIDProviderTLSVerify = cx.Bool("skip-openid-provider-tls-verify")
+	}
 	if cx.IsSet("encryption-key") {
 		config.EncryptionKey = cx.String("encryption-key")
 	}

config.go

@@ -27,17 +27,18 @@ import (
 // newDefaultConfig returns a initialized config
 func newDefaultConfig() *Config {
 	return &Config{
-		TagData:                   make(map[string]string, 0),
-		MatchClaims:               make(map[string]string, 0),
-		Headers:                   make(map[string]string, 0),
-		UpstreamTimeout:           time.Duration(10) * time.Second,
-		UpstreamKeepaliveTimeout:  time.Duration(10) * time.Second,
-		EnableAuthorizationHeader: true,
-		CookieAccessName:          "kc-access",
-		CookieRefreshName:         "kc-state",
-		SecureCookie:              true,
-		SkipUpstreamTLSVerify:     true,
-		CrossOrigin:               CORS{},
+		TagData:                     make(map[string]string, 0),
+		MatchClaims:                 make(map[string]string, 0),
+		Headers:                     make(map[string]string, 0),
+		UpstreamTimeout:             time.Duration(10) * time.Second,
+		UpstreamKeepaliveTimeout:    time.Duration(10) * time.Second,
+		EnableAuthorizationHeader:   true,
+		CookieAccessName:            "kc-access",
+		CookieRefreshName:           "kc-state",
+		SecureCookie:                true,
+		SkipUpstreamTLSVerify:       true,
+		SkipOpenIDProviderTLSVerify: false,
+		CrossOrigin:                 CORS{},
 	}
 }
 

doc.go

@@ -115,6 +115,8 @@ type Config struct {
 	RedirectionURL string `json:"redirection-url" yaml:"redirection-url"`
 	// RevocationEndpoint is the token revocation endpoint to revoke refresh tokens
 	RevocationEndpoint string `json:"revocation-url" yaml:"revocation-url"`
+	// SkipOpenIDProviderTLSVerify skips the tls verification for openid provider communication
+	SkipOpenIDProviderTLSVerify bool `json:"skip-openid-provider-tls-verify" yaml:"skip-openid-provider-tls-verify"`
 	// Scopes is a list of scope we should request
 	Scopes []string `json:"scopes" yaml:"scopes"`
 	// Upstream is the upstream endpoint i.e whom were proxying to

utils.go

@@ -162,10 +162,22 @@ func createOpenIDClient(cfg *Config) (*oidc.Client, oidc.ProviderConfig, error)
 	if strings.HasSuffix(cfg.DiscoveryURL, "/.well-known/openid-configuration") {
 		cfg.DiscoveryURL = strings.TrimSuffix(cfg.DiscoveryURL, "/.well-known/openid-configuration")
 	}
+	// initalize http client
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: cfg.SkipOpenIDProviderTLSVerify,
+		},
+	}
+	providerHttpClient := &http.Client{
+		Transport: tr,
+		Timeout:   time.Second * 10,
+	}
+
 	// step: attempt to retrieve the provider configuration
 	for i := 0; i < 3; i++ {
 		log.Infof("attempting to retrieve the openid configuration from the discovery url: %s", cfg.DiscoveryURL)
-		providerConfig, err = oidc.FetchProviderConfig(http.DefaultClient, cfg.DiscoveryURL)
+
+		providerConfig, err = oidc.FetchProviderConfig(providerHttpClient, cfg.DiscoveryURL)
 		if err == nil {
 			goto GOT_CONFIG
 		}
@@ -184,9 +196,7 @@ GOT_CONFIG:
 		},
 		RedirectURL: fmt.Sprintf("%s/oauth/callback", cfg.RedirectionURL),
 		Scope:       append(cfg.Scopes, oidc.DefaultScope...),
-		HTTPClient: &http.Client{
-			Timeout: time.Second * 10,
-		},
+		HTTPClient:  providerHttpClient,
 	})
 	if err != nil {
 		return nil, oidc.ProviderConfig{}, err