Support specifying a custom CA #9

Closed
yanniszark opened this issue Dec 6, 2019 · 2 comments · Fixed by #20
Labels: enhancement (New feature or request)

@yanniszark (Contributor)
There are cases where a user's OIDC Provider is using a self-signed certificate.
In those cases, we want the user to be able to specify the custom CA in the oidc-authservice, so that it will trust it.

@hemantha-kumara

@yanniszark is there any plan to support this issue? We are facing this issue right now, where the OIDC provider is using self-signed certs:

time="2020-04-17T12:49:23Z" level=error msg="OIDC provider setup failed, retrying in 10 seconds: Get https://apigw.dsml-csfp-2/auth/realms/ccsp-apcore/.well-known/openid-configuration: x509: certificate signed by unknown authority"

@yanniszark (Contributor, Author)

Hi @hemantha-kumara!
We'd like to add this functionality with the CA_BUNDLE env var, which points to a file where the custom cert is stored.
Implementation should be straightforward: passing the right context into the Provider constructor.
We haven't had the time to implement this yet; however, contributions are welcome!

cmurphy added a commit to cmurphy/oidc-authservice that referenced this issue Apr 29, 2020
Without this patch, when connecting to a self-hosted Dex instance that
is providing a self-signed certificate, the auth service fails to start
with the error message:

  OIDC provider setup failed, retrying in 10 seconds: Get https://example-dex:32000/.well-known/openid-configuration: x509: certificate signed by unknown authority

This change adds a CA_BUNDLE environment variable which allows the user
to specify a CA bundle that can validate the OIDC server's certificate,
which will enable the auth service to start and to securely reach the
OIDC provider to authenticate a user.

Fixes arrikto#9
cmurphy added a commit to cmurphy/oidc-authservice that referenced this issue May 1, 2020
Without this patch, when connecting to a self-hosted Dex instance that
is providing a self-signed certificate, the auth service fails to start
with the error message:

  OIDC provider setup failed, retrying in 10 seconds: Get https://example-dex:32000/.well-known/openid-configuration: x509: certificate signed by unknown authority

This change adds a CA_BUNDLE environment variable which allows the user
to specify a CA bundle that can validate the OIDC server's certificate,
which will enable the auth service to start and to securely reach the
OIDC provider to authenticate a user.

Fixes arrikto#9
yanniszark pushed a commit that referenced this issue May 2, 2020
Without this patch, when connecting to a self-hosted Dex instance that
is providing a self-signed certificate, the auth service fails to start
with the error message:

  OIDC provider setup failed, retrying in 10 seconds: Get https://example-dex:32000/.well-known/openid-configuration: x509: certificate signed by unknown authority

This change adds a CA_BUNDLE environment variable which allows the user
to specify a CA bundle that can validate the OIDC server's certificate,
which will enable the auth service to start and to securely reach the
OIDC provider to authenticate a user.

Fixes #9