Skip to content

Enable TLS certificate verification for OIDC IdP upstream connections. #118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 13, 2025
Merged

Enable TLS certificate verification for OIDC IdP upstream connections. #118

merged 1 commit into from
Nov 13, 2025

Conversation

@route443
Copy link
Contributor

@route443 route443 commented Nov 11, 2025

Updates openid_connect.server_conf to enforce secure TLS settings on all IdP-bound requests (/_token, /_refresh, /_jwks_uri). This adds:

  • proxy_ssl_verify on to enforce verification of the OP’s TLS certificate.
  • proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt to use the system (Debian/Ubuntu/Alpine) CA bundle for trust.
  • proxy_ssl_verify_depth 2 to allow certificate chains up to one intermediate CA.

Address issue #116

@route443
Enable TLS certificate verification for OIDC IdP upstream connections.
636cd86 
Updates `openid_connect.server_conf` to enforce secure TLS settings on all IdP-bound requests (`/_token`, `/_refresh`, `/_jwks_uri`). This adds:
- `proxy_ssl_verify on` to enforce verification of the OP’s TLS certificate.
- `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt` to use the system (Debian/Ubuntu/Alpine) CA bundle for trust.
- `proxy_ssl_verify_depth 2` to allow certificate chains up to one intermediate CA.
pdabelf5
pdabelf5 reviewed Nov 12, 2025
View reviewed changes
@route443 route443 merged commit c866e23 into main Nov 13, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pdabelf5 pdabelf5 pdabelf5 approved these changes

@danielnginx danielnginx Awaiting requested review from danielnginx

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@route443 @pdabelf5