coreos / go-oidc

A Go OpenID Connect client.
Apache License 2.0

Request to Azure AD's open-id config occasionally fails #358

Closed weeco closed 1 year ago

weeco commented 2 years ago

Hello, I'm facing an issue with the initial HTTP request to the openid-configuration endpoint when calling provider, err := oidc.NewProvider(ctx, issuerUrl.String()). Every now and then this returns an error (not only on my machine):

Get "https://login.microsoftonline.com/4587692a-68d4-4984-98ad-redacted/v2.0/.well-known/openid-configuration": read tcp 192.168.1.101:53336->40.126.31.72:443: read: connection reset by peer

I redacted the UUID. To me this looks like a network issue, possibly Azure's firewall. I'm bringing it up here to see if someone else has faced a similar issue. A curl to that URL has never failed once (from the same machine that faced the above error). It seems this is only happening if I pass a custom http client with a TLSClientConfig set, basically:

```go
// Build the TLS config from files: an optional custom CA, an optional
// client certificate/key pair (mTLS), plus the system root pool.
tlsCfg, err := tlscfg.New(
	tlscfg.MaybeWithDiskCA(cfg.IssuerTLS.CaFilepath, tlscfg.ForClient),
	tlscfg.MaybeWithDiskKeyPair(cfg.IssuerTLS.CertFilepath, cfg.IssuerTLS.KeyFilepath),
	tlscfg.WithSystemCertPool(),
)
if err != nil {
	return nil, fmt.Errorf("failed to create tls config from files: %w", err)
}
// Custom HTTP client carrying that TLS config; go-oidc reads it from the
// context rather than taking it as a parameter.
httpCl := &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: tlsCfg,
	},
}
ctx = oidc.ClientContext(context.Background(), httpCl)
provider, err := oidc.NewProvider(ctx, issuerUrl.String())
```

I'm using go-oidc v3.4.0, Go 1.19.3.

ericchiang commented 1 year ago
> Get "https://login.microsoftonline.com/4587692a-68d4-4984-98ad-redacted/v2.0/.well-known/openid-configuration": read tcp 192.168.1.101:53336->40.126.31.72:443: read: connection reset by peer

go-oidc uses the standard Go networking client. As you said, it's likely an Azure firewall issue or something with your TLS config :)

Going to close since there's not much to do on the go-oidc side