
Custom CA for OIDC connection #18002

Closed
rvansa opened this issue Jun 18, 2021 · 2 comments · Fixed by #18012

rvansa (Contributor) commented Jun 18, 2021

Description

When the connection to the OIDC auth server is encrypted using TLS, the certificate must be trusted by the system, or we have to disable verification completely using `quarkus.oidc.tls.verification=none`.
This is inconvenient when the certificate is provided in OpenShift by the Service CA that gets mounted as a configmap: the certificate mounted into the image cannot be made trusted system-wide (without elevated privileges), but we cannot set it in Quarkus either, neither as a PEM certificate nor as a Java keystore.
In addition to that, mutual TLS is not possible at all because we cannot set a client certificate.

Implementation ideas

We should follow the same approach as with the RESTEasy client; properties like `quarkus.oidc.tls.trustStore` should be added.
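An added illustration of what such trust-store and client-certificate options have to do under the hood (example code written for this thread, not Quarkus's own implementation): build an `SSLContext` that verifies the OIDC server only against the CA bundle mounted from the Service CA configmap, instead of disabling verification, and optionally presents a client certificate for mutual TLS. The class name `OidcTls`, the mount path and the PKCS12 key-store location are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example, not Quarkus code: TLS material for an OIDC client without system-wide trust. */
public final class OidcTls {
    /** Empty trust store (not the JVM cacerts) holding only the CAs from a PEM bundle. */
    static KeyStore trustStoreFromPem(Path caBundle) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(caBundle)) {
            int i = 0;
            for (Certificate ca : cf.generateCertificates(in)) {
                ts.setCertificateEntry("service-ca-" + i++, ca);
            }
        }
        return ts;
    }

    /** SSLContext that verifies the server against the bundle only; clientKeyStore null = no mTLS. */
    static SSLContext build(Path caBundle, Path clientKeyStore, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStoreFromPem(caBundle));
        KeyManagerFactory kmf = null;
        if (clientKeyStore != null) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(clientKeyStore)) {
                ks.load(in, password);
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed mount path for the Service CA configmap; no client certificate in this call.
        SSLContext ctx = build(Path.of("/var/run/secrets/service-ca/service-ca.crt"), null, null);
        System.out.println("trust-only context: " + ctx.getProtocol());
    }
}
```

Hostname verification is not part of `SSLContext`; the HTTP client that uses this context still has to perform it, which is exactly what `verification=none` would also switch off.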

@rvansa rvansa added the kind/enhancement New feature or request label Jun 18, 2021
quarkus-bot commented Jun 18, 2021

/cc @geoand, @pedroigor, @sberyozkin

famod (Member) commented Jun 24, 2021

+1, including the client cert part. @sberyozkin, are you going to address that as well in the linked PR (or in a subsequent one), or should we better create yet another issue?

@quarkus-bot quarkus-bot bot added this to the 2.2 - main milestone Jul 26, 2021
@gsmet gsmet modified the milestones: 2.2 - main, 2.1.1.Final Aug 3, 2021