#54: First draft for custom root CAs. Untested WIP.

config.go

@@ -2,6 +2,8 @@ package traefik_oidc_auth
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"net/http"
 	"net/url"
@@ -61,6 +63,9 @@ type ProviderConfig struct {
 	Url    string `json:"url"`
 	UrlEnv string `json:"url_env"`
 
+	InsecureSkipVerify    bool   `json:"insecure_skip_verify"`
+	CACertificateFilePath string `json:"ca_certificate_file_path"`
+
 	ClientId        string `json:"client_id"`
 	ClientIdEnv     string `json:"client_id_env"`
 	ClientSecret    string `json:"client_secret"`
@@ -213,9 +218,41 @@ func New(uctx context.Context, next http.Handler, config *Config, name string) (
 	log(config.LogLevel, LogLevelDebug, "Scopes: %s", strings.Join(config.Scopes, ", "))
 	log(config.LogLevel, LogLevelDebug, "SessionCookie: %v", config.SessionCookie)
 
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	if config.Provider.CACertificateFilePath != "" {
+		certs, err := os.ReadFile(config.Provider.CACertificateFilePath)
+		if err != nil {
+			log(config.LogLevel, LogLevelInfo, "Failed to load CA certificate from %v: %v", config.Provider.CACertificateFilePath, err)
+			return nil, err
+		}
+
+		// Append our cert to the system pool
+		if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+			log(config.LogLevel, LogLevelWarn, "Failed to append CA certificate. Using system certificates only.")
+		}
+	}
+
+	httpTransport := &http.Transport{
+		// MaxIdleConns:    10,
+		// IdleConnTimeout: 30 * time.Second,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: config.Provider.InsecureSkipVerify,
+			RootCAs:            rootCAs,
+		},
+	}
+
+	httpClient := &http.Client{
+		Transport: httpTransport,
+	}
+
 	log(config.LogLevel, LogLevelInfo, "Configuration loaded successfully, starting OIDC Auth middleware...")
 	return &TraefikOidcAuth{
 		next:           next,
+		httpClient:     httpClient,
 		ProviderURL:    parsedURL,
 		CallbackURL:    parsedCallbackURL,
 		Config:         config,

jwks.go

@@ -70,14 +70,14 @@ func (h *JwksHandler) EnsureLoaded(oidcAuth *TraefikOidcAuth, forceReload bool)
 	if reload {
 		log(oidcAuth.Config.LogLevel, LogLevelInfo, "Reloading JWKS...")
 
-		return h.loadKeys()
+		return h.loadKeys(oidcAuth.httpClient)
 	}
 
 	return nil
 }
 
-func (h *JwksHandler) loadKeys() error {
-	resp, err := http.Get(h.Url)
+func (h *JwksHandler) loadKeys(httpClient *http.Client) error {
+	resp, err := httpClient.Get(h.Url)
 
 	if err != nil {
 		return err

main.go

@@ -17,6 +17,7 @@ import (
 
 type TraefikOidcAuth struct {
 	next              http.Handler
+	httpClient        *http.Client
 	ProviderURL       *url.URL
 	CallbackURL       *url.URL
 	Config            *Config
@@ -40,7 +41,7 @@ func (toa *TraefikOidcAuth) EnsureOidcDiscovery() error {
 			toa.Jwks = jwks
 			log(config.LogLevel, LogLevelInfo, "Getting OIDC discovery document...")
 
-			oidcDiscoveryDocument, err := GetOidcDiscovery(config.LogLevel, parsedURL)
+			oidcDiscoveryDocument, err := GetOidcDiscovery(config.LogLevel, toa.httpClient, parsedURL)
 			if err != nil {
 				log(config.LogLevel, LogLevelError, "Error while retrieving discovery document: %s", err.Error())
 				return err

oidc.go

@@ -113,7 +113,7 @@ type OidcState struct {
 	RedirectUrl string `json:"redirect_url"`
 }
 
-func GetOidcDiscovery(logLevel string, providerUrl *url.URL) (*OidcDiscovery, error) {
+func GetOidcDiscovery(logLevel string, httpClient *http.Client, providerUrl *url.URL) (*OidcDiscovery, error) {
 	wellKnownUrl := *providerUrl
 
 	wellKnownUrl.Path = path.Join(wellKnownUrl.Path, ".well-known/openid-configuration")
@@ -128,7 +128,7 @@ func GetOidcDiscovery(logLevel string, providerUrl *url.URL) (*OidcDiscovery, er
 	// client := &http.Client{Transport: tr}
 
 	// Make HTTP GET request to the OpenID provider's discovery endpoint
-	resp, err := http.Get(wellKnownUrl.String())
+	resp, err := httpClient.Get(wellKnownUrl.String())
 
 	if err != nil {
 		log(logLevel, LogLevelError, "http-get discovery endpoints - Err: %s", err.Error())
@@ -193,7 +193,7 @@ func exchangeAuthCode(oidcAuth *TraefikOidcAuth, req *http.Request, authCode str
 		urlValues.Add("code_verifier", codeVerifier)
 	}
 
-	resp, err := http.PostForm(oidcAuth.DiscoveryDocument.TokenEndpoint, urlValues)
+	resp, err := oidcAuth.httpClient.PostForm(oidcAuth.DiscoveryDocument.TokenEndpoint, urlValues)
 
 	if err != nil {
 		log(oidcAuth.Config.LogLevel, LogLevelError, "Sending AuthorizationCode in POST: %s", err.Error())
@@ -257,8 +257,6 @@ func (toa *TraefikOidcAuth) validateTokenLocally(tokenString string) (bool, map[
 }
 
 func (toa *TraefikOidcAuth) introspectToken(token string) (bool, map[string]interface{}, error) {
-	client := &http.Client{}
-
 	data := url.Values{
 		"token": {token},
 	}
@@ -284,7 +282,7 @@ func (toa *TraefikOidcAuth) introspectToken(token string) (bool, map[string]inte
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth(toa.Config.Provider.ClientId, toa.Config.Provider.ClientSecret)
 
-	resp, err := client.Do(req)
+	resp, err := toa.httpClient.Do(req)
 	if err != nil {
 		log(toa.Config.LogLevel, LogLevelError, "Error on introspection request: %s", err.Error())
 		return false, nil, err
@@ -322,7 +320,7 @@ func (toa *TraefikOidcAuth) renewToken(refreshToken string) (*OidcTokenResponse,
 		urlValues.Add("client_secret", toa.Config.Provider.ClientSecret)
 	}
 
-	resp, err := http.PostForm(toa.DiscoveryDocument.TokenEndpoint, urlValues)
+	resp, err := toa.httpClient.PostForm(toa.DiscoveryDocument.TokenEndpoint, urlValues)
 
 	if err != nil {
 		log(toa.Config.LogLevel, LogLevelError, "Sending token renewal request in POST: %s", err.Error())