Mastercard / terraform-provider-restapi

A terraform provider to manage objects in a RESTful API

Certificate signed by unknown authority #195

Closed arun-a-nayagam closed 1 year ago

arun-a-nayagam commented 2 years ago

I use oauth_client_credentials to specify the token endpoint, client id and secret. I see this error,

│ Error: Post "https://token.com/auth/oauth/v2/token": x509: certificate signed by unknown authority
│
│   with restapi_object.acp_scripted_silver,
│   on account_plans.tf line 4, in resource "restapi_object" "acp_scripted_silver":
│    4: resource "restapi_object" "acp_scripted_silver" {
│

Is there a way to pass a flag like, --insecure-skip-tls-verify?

I did try setting insecure = true at the provider level. Still throws the same error.

provider "restapi" {
  alias                = "restapi_oauth"
  uri                  = "https://portal.com/portal"
  debug                = true
  write_returns_object = true
  insecure             = true

  oauth_client_credentials {
    oauth_client_id      = "client_id"
    oauth_client_secret  = "client_secret"
    oauth_token_endpoint = "https://token.com/auth/oauth/v2/token"
    oauth_scopes         = ["scope"]
  }
}

DRuggeri commented 1 year ago

Hi, @arun-a-nayagam - this may be possible and falls in line with the insecure flag... but I do not see a clear way in the oauth client to do this. I welcome research or suggestions, but the package documentation is pretty slim. It may be more straightforward to add the issuer to the system trust store in this case?

yoshigev commented 1 year ago

Hi @DRuggeri, just came across this same issue.

I'm not an expert on go lang, but I see that there is a way to configure it in the oauth client library using a context. It was proposed in this bug: https://github.com/golang/oauth2/issues/187 (and some usage example here).

I see that you already create an HTTP client, both for the insecure flag and for other features (proxy, cookie jar, etc.). Maybe this same HTTP client can be used for the context of oauth2.
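The approach discussed in the two comments above (trust the token endpoint's issuer in one http.Client and hand that same client to the oauth2 library through its context), as an added stand-alone example that is not code from the provider or from #234; the token endpoint, its JSON reply and the private CA are constructed with httptest, and the oauth2 context step is shown in a comment since the snippet only uses the standard library.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// newClientTrusting builds an *http.Client whose TLS roots are exactly the given
// issuer certificates (the token endpoint's private CA) instead of disabling
// verification. In the provider this is the one client already built for the
// insecure/proxy/cookie-jar settings; it reaches golang.org/x/oauth2 through
// ctx = context.WithValue(ctx, oauth2.HTTPClient, client), so the token request
// is made with the same TLS configuration as the API calls.
func newClientTrusting(issuers ...*x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	for _, c := range issuers {
		pool.AddCert(c)
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetchToken POSTs to the token endpoint; unknownCA reports whether the request
// failed with the x509 "certificate signed by unknown authority" error.
func fetchToken(client *http.Client, endpoint string) (body string, unknownCA bool, err error) {
	resp, err := client.Post(endpoint, "application/x-www-form-urlencoded", nil)
	if err != nil {
		var ua x509.UnknownAuthorityError
		return "", errors.As(err, &ua), err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), false, err
}

// demo runs a constructed HTTPS token endpoint (httptest's self-signed cert plays
// the private CA); an empty root pool stands in for a store lacking the issuer.
func demo() (missingIssuerUnknownCA bool, trustedBody string) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, `{"access_token":"constructed-token","token_type":"Bearer"}`)
	}))
	defer srv.Close()
	url := srv.URL + "/auth/oauth/v2/token"
	_, missingIssuerUnknownCA, _ = fetchToken(newClientTrusting(), url)
	trustedBody, _, _ = fetchToken(newClientTrusting(srv.Certificate()), url)
	return missingIssuerUnknownCA, trustedBody
}
```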

orgads commented 1 year ago

With the help of @yoshigev, pushed #234.

DRuggeri commented 1 year ago

That turned out to be a nice and clean fix! I am releasing a new version now including the change.