Closed bruegth closed 3 years ago
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it. If the bot doesn't comment, it means it doesn't think anything has changed.
ℹ️ Googlers: Go here for more info.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: bruegth
To complete the pull request process, please assign icygalz after the PR has been reviewed.
You can assign the PR to them by writing /assign @icygalz in a comment when ready.
The full list of commands accepted by this bot can be found here.
@googlebot I fixed it.
@bruegth: PR needs rebase.
OIDC is built on top of OAuth2 which mandates HTTPS AFAIK https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
Prod environment can have insider compromise and we don't want the employee (or other user account) to be transmitted over plain text either. If a public cert is not available to you, you can use your own organization PKI (self-signed), and have authservice use the plugged root for verification (which makes sense).
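To illustrate the approach in the comment above (trusting the organization's own root instead of skipping verification), here is an added example that is not part of this PR or of authservice; the `NewOIDCClient` and `Demo` names, the throwaway test server and the sample discovery response are all constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"net/http"
	"net/http/httptest"
)

// NewOIDCClient builds an HTTP client for an internal OIDC provider that trusts
// only the CA certificates in rootPEM (the organization's own PKI). Certificate
// and hostname verification stay on; InsecureSkipVerify is never set.
func NewOIDCClient(rootPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("rootPEM contains no CA certificates")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: tr}, nil
}

// discoveryReachable reports whether the client can fetch the provider's
// discovery document; a TLS verification failure surfaces as an error here.
func discoveryReachable(c *http.Client, issuer string) bool {
	resp, err := c.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// Demo stands up a throwaway TLS server with a self-signed cert (a stand-in for
// Keycloak under a private CA). It returns (pinnedOK, systemOK): the client plugged
// with that root verifies the server, a client with only the system roots rejects it.
func Demo() (pinnedOK, systemOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(`{"issuer":"https://idp.internal"}`)) // constructed sample response
	}))
	defer srv.Close()
	// Export the server's certificate as the "organization root" PEM.
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	pinned, err := NewOIDCClient(rootPEM)
	if err != nil {
		return false, false
	}
	return discoveryReachable(pinned, srv.URL), discoveryReachable(&http.Client{}, srv.URL)
}
```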
For my use case it makes no sense to put a certificate on the IDP (Keycloak) because I put all components within a single VM and they are all covered by an envoy proxy which terminates the TLS. Also many other OIDC handlers support an option to skip TLS verification. But I'm fine with your comment and I see I'm not on the RFC side -> so closing this PR...
Also many other OIDC handlers support an option to skip TLS verification.
Purely curious, any doc/reference of these OIDC handlers?
e.g. https://github.com/louketo/louketo-proxy/blob/master/config.go#L64
In case of an internal OIDC provider behind envoy, verification of the certificate may not be needed.