Open cstack89 opened 4 years ago
I'm not familiar with Go, so before I try to create a pull request let me run this by you.
It looks like it's pretty easy to append a certificate to the system pool, so we would just need an additional optional arg for a CA pem file. I'm just looking at the first example here https://forfuncsake.github.io/post/2017/08/trust-extra-ca-cert-in-go-app/
I then think in oidc.go, I'd have to tweak how the oauth2 config is created to use the new cert pool. Something like this? https://github.com/golang/oauth2/issues/187
Let me know what you think.
Only just looking at this, but I'm definitely 👍 for this - the feature makes sense and the proposed solution looks ideal
Try adding the following.

```yaml
environment:
  - "SSL_CERT_FILE=/config/ca.pem"
volumes:
  - "/path/to/ca.pem:/config/ca.pem:ro"
```
This feature is useful in an intranet when you have not got a valid CA of the IdP (Keycloak).
I'm trying to use the new OIDC connector to connect with my Keycloak installation. I'm receiving this error from the pod (I'm using Kubernetes): `x509: certificate signed by unknown authority`. I assume it does not like my cert. Is there a way I can pass in a CA for it to use?
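The approach proposed at the top of this thread (append a CA from a PEM file to the system pool and use that pool in the HTTP client) can be sketched with the standard library alone. This is an added example, not code from the project or from any participant; `newClientWithCA` and `probe` are hypothetical names, and a local `httptest` TLS server is a constructed stand-in for an intranet Keycloak.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClientWithCA (hypothetical helper) returns an HTTP client that trusts
// the system roots plus every CA certificate found in caPEM.
func newClientWithCA(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store available: start empty
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no valid PEM certificate found in CA file")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: tr}, nil
}

// probe fetches a constructed local TLS server, whose certificate no system
// store trusts, first with default roots and then with the extra CA added.
func probe() (errDefault, errWithCA error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	get := func(c *http.Client) error {
		resp, err := c.Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err
	}
	errDefault = get(&http.Client{Transport: &http.Transport{}})
	// In a real deployment these bytes would come from the optional CA file.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := newClientWithCA(caPEM)
	if err != nil {
		return errDefault, err
	}
	return errDefault, get(client)
}

func main() {
	fmt.Println(probe())
}
```

With `golang.org/x/oauth2`, a client built this way is supplied through the context: `context.WithValue(ctx, oauth2.HTTPClient, client)`. Certificate verification stays on throughout; only the set of trusted roots grows.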