istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Add option to skip TLS verification in OIDC filter #126

Closed. bruegth closed this pull request 3 years ago.

bruegth commented 3 years ago

In case of an internal OIDC Provider behind envoy, the verification of the certificate may not be needed.

googlebot commented 3 years ago

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. In order to pass this check, please resolve this problem and then comment `@googlebot I fixed it.` If the bot doesn't comment, it means it doesn't think anything has changed.


istio-testing commented 3 years ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bruegth. To complete the pull request process, please assign icygalz after the PR has been reviewed. You can assign the PR to them by writing `/assign @icygalz` in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[OWNERS](https://github.com/istio-ecosystem/authservice/blob/master/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

bruegth commented 3 years ago

@googlebot I fixed it.

googlebot commented 3 years ago

CLAs look good, thanks!


istio-testing commented 3 years ago

@bruegth: PR needs rebase.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

incfly commented 3 years ago

OIDC is built on top of OAuth2, which mandates HTTPS AFAIK: https://datatracker.ietf.org/doc/html/rfc6749#section-3.1

Prod environments can have insider compromise, and we don't want the employee (or other user account) credentials to be transmitted over plain text either. If a public cert is not available to you, you can use your own organization PKI (self-signed) and have authservice use the plugged root for verification (which makes sense).
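The trade-off incfly describes, as an added Go example that is not code from authservice or from this thread: a fake in-memory IdP (built with httptest, its self-signed certificate standing in for one issued by an organization's private PKI) is contacted by a client using system roots, by a client that skips verification as this PR proposed, and by a client with the organization's root plugged in.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newFakeIdP serves an OIDC discovery document over TLS; httptest's built-in
// self-signed cert stands in for one from an org's private PKI (constructed).
func newFakeIdP() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"issuer":"https://idp.internal"}`)
	})
	return httptest.NewTLSServer(mux)
}

// newClient configures TLS verification: with a root it plugs the org root in
// as the only trusted CA (the setup recommended in the thread); with skipVerify
// it does what the closed PR proposed: encrypt, but never authenticate the peer.
func newClient(root *x509.Certificate, skipVerify bool) *http.Client {
	cfg := &tls.Config{InsecureSkipVerify: skipVerify}
	if root != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(root)
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// discover fetches the discovery document; a failed TLS handshake surfaces as err.
func discover(c *http.Client, base string) (int, error) {
	resp, err := c.Get(base + "/.well-known/openid-configuration")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	idp := newFakeIdP()
	defer idp.Close()
	_, err := discover(&http.Client{}, idp.URL)                          // system roots: rejected
	skip, _ := discover(newClient(nil, true), idp.URL)                   // 200, but unauthenticated
	plugged, _ := discover(newClient(idp.Certificate(), false), idp.URL) // 200, and verified
	fmt.Println(err, skip, plugged)
}
```

Only the third client both encrypts and authenticates the IdP; the second would accept any server answering on that address.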

bruegth commented 3 years ago

For my use case it makes no sense to put a certificate on the IDP (Keycloak) because I put all components within a single VM and they are all covered by an envoy proxy which terminates the TLS. Also, many other OIDC handlers support an option to skip TLS verification. But I'm fine with your comment and I see I'm not on the RFC side -> so closing this PR...

incfly commented 3 years ago

> Also, many other OIDC handlers support an option to skip TLS verification.

Purely curious, any doc/reference of these OIDC handlers?

bruegth commented 3 years ago

> > Also, many other OIDC handlers support an option to skip TLS verification.
>
> Purely curious, any doc/reference of these OIDC handlers?

e.g. https://github.com/louketo/louketo-proxy/blob/master/config.go#L64