
auth_oauth2.jwks_url is always verified #10659

Closed
Thomas-WB opened this issue Mar 4, 2024 · 1 comment

Comments

@Thomas-WB

Describe the bug

When upgrading from 3.12 to 3.13 we discovered that fetching certificates via the configured jwks url is not possible any more. We are using:

auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = internal
auth_oauth2.resource_server_id = account
auth_oauth2.jwks_url = https://172.27.160.1:8443/some-server/rabbit/certs
auth_oauth2.https.peer_verification = verify_none
auth_oauth2.https.fail_if_no_peer_cert = false

Please note that the server offering the jwks via https is using a self-signed certificate and therefore peer_verification was set to none and fail_if_no_peer_cert to false.

Reproduction steps

  1. Provide the jwks via a self-signed https
  2. Configure the auth_oauth2
     auth_backends.1 = rabbit_auth_backend_oauth2
     auth_backends.2 = internal
     auth_oauth2.resource_server_id = account
     auth_oauth2.jwks_url = https://172.27.160.1:8443/some-server/rabbit/certs
     auth_oauth2.https.peer_verification = verify_none
     auth_oauth2.https.fail_if_no_peer_cert = false
  3. Try connecting using a token as password

Expected behavior

Self signed https for providing the jwks is possible again.

Additional context

Here is my log output:

2024-03-04 10:06:55.025050+00:00 [debug] <0.876.0> OAuth 2 JWT: resolved resource_server_id: '<<"account">>'
2024-03-04 10:06:55.025103+00:00 [debug] <0.876.0> OAuth 2 JWT: signing_key_id : '<<"KeyId">>'
2024-03-04 10:06:55.025181+00:00 [debug] <0.876.0> OAuth 2 JWT: signing key '<<"KeyId">>' not found. Downloading it...
2024-03-04 10:06:55.025231+00:00 [debug] <0.876.0> Using oauth_provider {oauth_provider,undefined,undefined,undefined,
2024-03-04 10:06:55.025231+00:00 [debug] <0.876.0>                                      "https://172.27.160.1:8443/some-server/rabbit/certs",
2024-03-04 10:06:55.025231+00:00 [debug] <0.876.0>                                      [{verify,verify_none},
2024-03-04 10:06:55.025231+00:00 [debug] <0.876.0>                                       {cacertfile,[]},
2024-03-04 10:06:55.025231+00:00 [debug] <0.876.0>                                       {depth,10},
2024-03-04 10:06:55.025231+00:00 [debug] <0.876.0>                                       {crl_check,false},
2024-03-04 10:06:55.025231+00:00 [debug] <0.876.0>                                       {fail_if_no_peer_cert,false}]} from keyconfig
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0> OAuth 2 JWT: downloading keys from "https://172.27.160.1:8443/some-server/rabbit/certs" (TLS options: [{verify,
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                             verify_none},
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                            {cacertfile,
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                             []},
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                            {depth,
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                             10},
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                            {crl_check,
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                             false},
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                            {fail_if_no_peer_cert,
2024-03-04 10:06:55.025397+00:00 [debug] <0.876.0>                                                                                                             false}])
2024-03-04 10:06:55.025898+00:00 [error] <0.876.0> OAuth 2 JWT: failed to download keys: {error,
2024-03-04 10:06:55.025898+00:00 [error] <0.876.0>                                        {failed_connect,
2024-03-04 10:06:55.025898+00:00 [error] <0.876.0>                                         [{to_address,{"172.27.160.1",8443}},
2024-03-04 10:06:55.025898+00:00 [error] <0.876.0>                                          {inet,
2024-03-04 10:06:55.025898+00:00 [error] <0.876.0>                                           [inet],
2024-03-04 10:06:55.025898+00:00 [error] <0.876.0>                                           {options,{cacertfile,[]}}}]}}
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0> Authentication using an OAuth 2/JWT token failed: {error,
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>                                                    {failed_connect,
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>                                                     [{to_address,
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>                                                       {"172.27.160.1",8443}},
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>                                                      {inet,
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>                                                       [inet],
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>                                                       {options,
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>                                                        {cacertfile,[]}}}]}}
2024-03-04 10:06:55.026086+00:00 [debug] <0.876.0> User 'guest' failed authentication by backend rabbit_auth_backend_oauth2
2024-03-04 10:06:55.026221+00:00 [debug] <0.876.0> User 'guest' failed authentication by backend rabbit_auth_backend_internal
2024-03-04 10:06:55.026409+00:00 [error] <0.876.0> Error on AMQP connection <0.876.0> (172.17.0.1:34528 -> 172.17.0.4:5672, state: starting):
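The log above prints the TLS option list the plugin hands to the HTTPS client (`[{verify,verify_none},{cacertfile,[]},{depth,10},{crl_check,false},{fail_if_no_peer_cert,false}]`) and the failure term names the option `{cacertfile,[]}`. The following is an added example, not RabbitMQ's own code: a small linter that parses a rabbitmq.conf snippet such as the one in the report, derives the same option list, recognizes that failure term in the log, and produces a hardened configuration that verifies the JWKS server against its self-signed certificate instead of disabling verification. The key name `auth_oauth2.https.cacertfile`, the option defaults and the file path `/etc/rabbitmq/jwks-ca.pem` are assumptions, and the embedded config and log lines are constructed from the report.

```python
"""Lint auth_oauth2.https.* settings from a rabbitmq.conf snippet (added example)."""
import re

# Constructed sample: the configuration quoted in the bug report.
SAMPLE_CONF = """\
auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = internal
auth_oauth2.resource_server_id = account
auth_oauth2.jwks_url = https://172.27.160.1:8443/some-server/rabbit/certs
auth_oauth2.https.peer_verification = verify_none
auth_oauth2.https.fail_if_no_peer_cert = false
"""

# Constructed sample: the failure term from the report's log, split across lines
# with the per-line prefix the broker adds.
SAMPLE_LOG = """\
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>   {inet,
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>    [inet],
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>    {options,
2024-03-04 10:06:55.026001+00:00 [debug] <0.876.0>     {cacertfile,[]}}}]}}
"""


def parse_conf(text):
    """Parse 'key = value' lines (blank lines and # comments ignored) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def tls_options(conf):
    """Derive the client TLS option list in the order the log prints it.

    Defaults (verify_peer, empty cacertfile, depth 10, no CRL check) are
    assumptions made for this example, not values taken from the plugin.
    """
    def https(key, default):
        return conf.get("auth_oauth2.https." + key, default)

    return {
        "verify": https("peer_verification", "verify_peer"),
        "cacertfile": https("cacertfile", ""),
        "depth": int(https("depth", "10")),
        "crl_check": https("crl_check", "false") == "true",
        "fail_if_no_peer_cert": https("fail_if_no_peer_cert", "false") == "true",
    }


def lint(conf):
    """Return findings a reviewer would raise about how JWKS keys are fetched."""
    findings = []
    if not conf.get("auth_oauth2.jwks_url", "").startswith("https://"):
        findings.append("jwks_url is not https: signing keys are fetched in the clear")
    opts = tls_options(conf)
    if opts["verify"] == "verify_none":
        findings.append("peer_verification=verify_none: the JWKS server's identity is "
                        "never checked; pin its certificate via cacertfile and verify_peer")
    if opts["cacertfile"] == "":
        findings.append("cacertfile is empty: no trust anchor for the JWKS endpoint")
    return findings


# Matches the failure term from the log even when the broker wraps it over
# several prefixed lines.
_EMPTY_CACERT_RE = re.compile(r"\{options,[\s\S]*?\{cacertfile,\[\]\}")


def explains_failure(log_text):
    """True when the log shows the TLS client rejecting an empty cacertfile option."""
    return bool(_EMPTY_CACERT_RE.search(log_text))


def hardened(conf, cacertfile):
    """Copy of conf that verifies the JWKS peer against the given CA/self-signed cert."""
    fixed = dict(conf)
    fixed["auth_oauth2.https.peer_verification"] = "verify_peer"
    fixed["auth_oauth2.https.cacertfile"] = cacertfile  # assumed key name
    return fixed


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("TLS options:", tls_options(conf))
    for finding in lint(conf):
        print("finding:", finding)
    print("log names {cacertfile,[]}:", explains_failure(SAMPLE_LOG))
    print("findings after hardening:",
          lint(hardened(conf, "/etc/rabbitmq/jwks-ca.pem")))  # assumed path
```

For a self-signed JWKS server the self-signed certificate itself is the trust anchor, so exporting it to the broker host and pointing cacertfile at it lets verify_peer succeed without trusting any public CA; the linter reports no findings once that is done.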
@michaelklishin (Member)

Duplicate of #10612.
