Replace insecure-oidc flag with the manual oidc config (#2893)
* Replace insecure-oidc flag with the manual oidc config

* Update docs/user/using-an-OIDC-provider.md

Co-authored-by: Michael Nelson <absoludity@gmail.com>

* Update docs/user/using-an-OIDC-provider.md

Co-authored-by: Michael Nelson <absoludity@gmail.com>

Co-authored-by: Michael Nelson <absoludity@gmail.com>
antgamdia and absoludity committed May 27, 2021
1 parent 68deb8d commit 60670fa
Showing 2 changed files with 34 additions and 20 deletions.
18 changes: 13 additions & 5 deletions docs/step-by-step/kubeapps-on-tkg/step-2.md
Expand Up @@ -81,10 +81,15 @@ The first step is to configure the `clusters`, `pinnipedProxy` and `authProxy` p
3. Configure the _OAuth2Proxy_ component by entering the information gathered from the OIDC provider in [Step 1](./step-1.md). This component performs the authentication flow, generating the appropriate request to the login page and retrieving the token in the callback URL. Here is an example. Remember to replace the placeholders as follows:

- Replace the `OIDC-ISSUER-URL` with the issuer URL of the OIDC provider. For CSP it is `https://console.cloud.vmware.com/csp/gateway/am/api`.
- Replace `CLIENT-ID` with the application ID obtained from the JSON file in the previous step.
- Replace `CLIENT-SECRET` with the application secret obtained from the JSON file in the previous step.
- Replace `COOKIE-SECRET` with a seed string for secure cookies (should be a 16-, 24-, or 32-byte string).
- Replace `COOKIE-SECRET` with a seed string for secure cookies (should be a 16-, 24-, or 32-byte string). Have a look at the [OAuth2Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#generating-a-cookie-secret) for additional information.
- Replace the `OIDC-ISSUER-URL` with the issuer URL of the OIDC provider. For CSP it is `https://gaz.csp-vidm-prod.com`.
- Replace the `OIDC-LOGIN-URL` with the login URL of the OIDC provider. For CSP it is `https://console.cloud.vmware.com/csp/gateway/discovery`.
- Replace the `OIDC-REDEEM-URL` with the token redeem URL of the OIDC provider. For CSP it is `https://console.cloud.vmware.com/csp/gateway/am/api/auth/token`.
- Replace the `OIDC-JWKS-URL` with the JSON Web Key Set URL of the OIDC provider. For CSP it is `https://console.cloud.vmware.com/csp/gateway/am/api/auth/token-public-key?format=jwks`.

> **TIP**: Remember that any OIDC-compliant provider should expose a `.well-known/openid-configuration` ([CSP example](https://console.cloud.vmware.com/csp/gateway/am/api/.well-known/openid-configuration)) where you will able to find the required endpoints in this step.
```yaml
authProxy:
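Review bot: the TIP closing this hunk is missing a word ("where you will able to find" should read "where you will be able to find"). More importantly, the TIP invites the reader to take the endpoints from `.well-known/openid-configuration`, but for CSP that document is served under `https://console.cloud.vmware.com/csp/gateway/am/api` while its `issuer` field is `https://gaz.csp-vidm-prod.com`, the value this hunk now assigns to `OIDC-ISSUER-URL`. It would help to say in the TIP that `OIDC-ISSUER-URL` must be the `issuer` value found inside that document (it is what OAuth2Proxy compares against the `iss` claim of the `id_token`), not the URL the document is fetched from; that mismatch is exactly why the login, redeem and JWKS endpoints are entered by hand in the flags that follow.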
Expand All @@ -94,13 +99,16 @@ The first step is to configure the `clusters`, `pinnipedProxy` and `authProxy` p
clientSecret: CLIENT-SECRET
cookieSecret: COOKIE-SECRET
additionalFlags:
- --oidc-issuer-url=OIDC-ISSUER-URL
- --scope=openid email groups
- --set-authorization-header=true
# - --insecure-oidc-skip-issuer-verification=true
- --skip-oidc-discovery=true
- --oidc-issuer-url=OIDC-ISSUER-URL # In CSP: https://gaz.csp-vidm-prod.com
- --login-url=OIDC-LOGIN-URL # In CSP: https://console.cloud.vmware.com/csp/gateway/discovery
- --redeem-url=OIDC-REDEEM-URL # In CSP: https://console.cloud.vmware.com/csp/gateway/am/api/auth/token
- --oidc-jwks-url=OIDC-JWKS-URL # In CSP: https://console.cloud.vmware.com/csp/gateway/am/api/auth/token-public-key?format=jwks
```

> **NOTE**: In some providers whose issuer URL does not match the token URL (such as VMware CSP), the flag `--insecure-oidc-skip-issuer-verification=true` is currently required. Be aware of the security concerns of enabling this flag, which are discussed in the [official OAuth2Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/).
> **TIP**: In some providers whose issuer URL does match the token URL, the flag `--skip-oidc-discovery=true` can be removed. Instead, just setting the `oidc-issuer-url` will perform the automatic discovery of the rest of the endpoints. Further information at the [official OAuth2Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/).
At this point, Kubeapps is configured to use Pinniped for authentication.

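Review bot: the new TIP reads "In some providers whose issuer URL does match the token URL", but the condition that decides whether discovery can be used is whether the provider serves `<issuer>/.well-known/openid-configuration` at the URL given in `--oidc-issuer-url`. When it does, not only `--skip-oidc-discovery=true` but also `--login-url`, `--redeem-url` and `--oidc-jwks-url` can be dropped, since discovery supplies them; as written, a reader may remove only the skip flag and keep three redundant URLs. Consider also stating why this is safer than the commented-out `--insecure-oidc-skip-issuer-verification=true`: with discovery skipped, `--oidc-issuer-url` is still matched against the `iss` claim of the `id_token`, so pointing it at `https://gaz.csp-vidm-prod.com` keeps issuer verification enabled instead of disabling it. A short remark that `--oidc-jwks-url` is the key set used to verify `id_token` signatures, and therefore must be an https URL belonging to the provider, would help readers adapting this for another OIDC provider.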
36 changes: 21 additions & 15 deletions docs/user/using-an-OIDC-provider.md
Expand Up @@ -80,16 +80,16 @@ Login to VMware Cloud Services and select the organization which you want to use

You will now see a dialog with the app id and secret. Click on the Download JSON option as there is other useful info in the JSON.

Your Kubernetes cluster's API server (or alternatively, your [Pinniped JWTAuthenticator](./using-an-OIDC-provider-with-pinniped.md)) will need to be configured with the following options (the staging VMware cloud services issuer URL is used in the example below):

```json
kind: ClusterConfiguration
apiServer:
extraArgs:
oidc-issuer-url: https://gaz-preview.csp-vidm-prod.com
oidc-client-id: <your client id from above>
oidc-username-claim: email
oidc-groups-claim: group_names
Your Kubernetes cluster's API server (or alternatively, your [Pinniped JWTAuthenticator](./using-an-OIDC-provider-with-pinniped.md)) will need to be configured with the following options (the prodcution VMware cloud services issuer URL is used in the example below):

```yaml
kind: ClusterConfiguration
apiServer:
extraArgs:
oidc-issuer-url: https://gaz.csp-vidm-prod.com # the staging endpoint is 'https://gaz-preview.csp-vidm-prod.com'
oidc-client-id: <your client id from above>
oidc-username-claim: email
oidc-groups-claim: group_names
```

Once your cluster is running, you can then deploy Kubeapps with the following additional values:
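Review bot: typo in the rewritten sentence: "prodcution" should be "production". Switching the fence from `json` to `yaml` is correct, as the block is YAML. The inline comment calls `https://gaz-preview.csp-vidm-prod.com` "the staging endpoint"; since `oidc-issuer-url` on the API server is compared against the `iss` claim of the tokens rather than called as an endpoint, "the staging issuer URL" would be the more accurate wording, and it would match the term used in the sentence above the block.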
Expand All @@ -102,14 +102,20 @@ authProxy:
clientSecret: <your app secret>
cookieSecret: <your random seed string for secure cookies>
additionalFlags:
# For staging VMware Cloud Services issuer url is https://console-stg.cloud.vmware.com/csp/gateway/am/api
# For production, use https://console.cloud.vmware.com/csp/gateway/am/api
- --oidc-issuer-url=https://console-stg.cloud.vmware.com/csp/gateway/am/api
# VMware Cloud Services has different endpoints for production and staging:
# To use the staging endpoints, replace:
# 'gaz.csp-vidm-prod.com' with 'gaz-preview.csp-vidm-prod.com'
# 'console.cloud.vmware.com' with 'console-stg.cloud.vmware.com/'
- --scope=openid email group_names
- --insecure-oidc-skip-issuer-verification
- --skip-oidc-discovery=true
- --oidc-issuer-url=https://gaz.csp-vidm-prod.com
- --login-url=https://console.cloud.vmware.com/csp/gateway/discovery
- --redeem-url=https://console.cloud.vmware.com/csp/gateway/am/api/auth/token
- --oidc-jwks-url=https://console.cloud.vmware.com/csp/gateway/am/api/auth/token-public-key?format=jwks
```

Note: VMware Cloud Services has an issuer URL specific to organizations which is required for the Kubeapps auth proxy configuration above, but if you check the [`.well-known/openid-configuration`](https://console-stg.cloud.vmware.com/csp/gateway/am/api/.well-known/openid-configuration) you will see that it identifies a different (parent) issuer, `https://gaz-preview.csp-vidm-prod.com`. It is for this reason that the `--insecure-oidc-skip-issuer-verification` option is required above. For the same reason, the OIDC `id_token`s that are minted specify the parent issuer as well, which is why the Kubernetes API server config above uses that.
Note: VMware Cloud Services has an issuer URL specific to organizations which is required for the Kubeapps auth proxy configuration above, but if you check the [`.well-known/openid-configuration`](https://console-stg.cloud.vmware.com/csp/gateway/am/api/.well-known/openid-configuration) you will see that it identifies a different (parent) issuer, `https://gaz.csp-vidm-prod.com`.
It is for this reason that the `--skip-oidc-discovery=true` option is required above and we need to manually set each `oidc-issuer`, `login-url`, `redeem-url` and `oidc-jwks-url` instead of relying on the automatic discovery.

Once deployed, if you experience issues logging in, please refer to the [Debugging auth failures when using OIDC](#debugging-auth-failures-when-using-oidc) section below.

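Review bot: the replacement hint `'console.cloud.vmware.com' with 'console-stg.cloud.vmware.com/'` carries a trailing slash, so applying it literally to `https://console.cloud.vmware.com/csp/gateway/discovery` produces `console-stg.cloud.vmware.com//csp/gateway/discovery`; drop the slash. The Note below the block still links to the staging discovery document (`https://console-stg.cloud.vmware.com/csp/gateway/am/api/.well-known/openid-configuration`) while stating that it identifies `https://gaz.csp-vidm-prod.com`; given that `gaz-preview.csp-vidm-prod.com` is the staging issuer, either link to the production document under `console.cloud.vmware.com` or keep the staging issuer in the sentence. The same Note lists the flag as `oidc-issuer`, but the flag set in the block is `--oidc-issuer-url`. Finally, the removed sentence explaining that the minted `id_token`s carry the parent issuer, which is why the API server config uses it, was the justification for the `oidc-issuer-url` value in the earlier block; keeping a one-line version of it here would preserve that reasoning.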