flatcar · moadqassem · Oct 30, 2025 · Oct 30, 2025
@@ -2,12 +2,13 @@ package auth
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"strings"
-
 	"slices"
+	"strings"
+	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/labstack/echo/v4"
@@ -20,6 +21,7 @@ type OIDCAuthConfig struct {
 	AdminRoles    []string
 	ViewerRoles   []string
 	RolesPath     string
+	SkipTLSVerify bool
 }
 
 type oidcAuth struct {
@@ -34,6 +36,21 @@ type oidcAuth struct {
 
 func NewOIDCAuthenticator(config *OIDCAuthConfig) (Authenticator, error) {
 	ctx := context.Background()
+	if config.SkipTLSVerify {
+		transport := &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+
+		// --- 2. Create an HTTP client using the custom transport ---
+		client := &http.Client{
+			Transport: transport,
+			Timeout:   10 * time.Second, // Optional: set a timeout
+		}
+
+		ctx = oidc.ClientContext(ctx, client)
+	}
 
 	// setup oidc provider
 	provider, err := oidc.NewProvider(ctx, config.IssuerURL)

@@ -50,6 +50,7 @@ type Config struct {
 	OidcManagementURL string `koanf:"oidc-management-url"`
 	OidcLogoutURL     string `koanf:"oidc-logout-url"`
 	OidcAudience      string `koanf:"oidc-audience"`
+	OidcSkipTLSVerify bool   `koanf:"oidc-skip-tls-verify"`
 }
 
 const (
@@ -122,6 +123,7 @@ func Parse() (*Config, error) {
 	f.String("oidc-viewer-roles", "", "comma-separated list of accepted roles with viewer access")
 	f.String("oidc-roles-path", "roles", "json path in which the roles array is present in the id token")
 	f.String("oidc-scopes", "openid,profile,email", "comma-separated list of scopes to be used in OIDC")
+	f.Bool("oidc-skip-tls-verify", false, "setting InsecureSkipVerify to true disables all certificate validation, including hostname checking. This is useful for testing purposes, but should not be used in production.")
 	f.String("oidc-management-url", "", "OIDC management url for managing the account")
 	f.String("oidc-logout-url", "", "OIDC logout URL (optional fallback when end_session_endpoint is not available in discovery)")
 	f.String("oidc-audience", "", "OIDC audience parameter for the access token")

@@ -193,6 +193,7 @@ func setupAuthenticator(conf config.Config, sessionStore *sessions.Store, defaul
 			AdminRoles:    strings.Split(conf.OidcAdminRoles, ","),
 			ViewerRoles:   strings.Split(conf.OidcViewerRoles, ","),
 			RolesPath:     conf.OidcRolesPath,
+			SkipTLSVerify: conf.OidcSkipTLSVerify,
 		}
 		return auth.NewOIDCAuthenticator(oidcAuthConfig)
 	}

@@ -22,18 +22,19 @@ const (
 var serverPortStr = fmt.Sprintf(":%d", serverPort)
 
 var conf = &config.Config{
-	EnableSyncer:    true,
-	NebraskaURL:     testServerURL,
-	HTTPLog:         true,
-	AuthMode:        "oidc",
-	Debug:           true,
-	ServerPort:      serverPort,
-	OidcClientID:    clientID,
-	OidcIssuerURL:   issuerURL,
-	OidcAdminRoles:  "nebraska-admin",
-	OidcViewerRoles: "nebraska-member",
-	OidcRolesPath:   "groups",
-	OidcScopes:      "openid,profile,email,groups",
+	EnableSyncer:      true,
+	NebraskaURL:       testServerURL,
+	HTTPLog:           true,
+	AuthMode:          "oidc",
+	Debug:             true,
+	ServerPort:        serverPort,
+	OidcClientID:      clientID,
+	OidcIssuerURL:     issuerURL,
+	OidcAdminRoles:    "nebraska-admin",
+	OidcViewerRoles:   "nebraska-member",
+	OidcRolesPath:     "groups",
+	OidcScopes:        "openid,profile,email,groups",
+	OidcSkipTLSVerify: true,
 }
 
 func TestMain(m *testing.M) {

@@ -128,6 +128,9 @@ spec:
               {{- with .Values.config.auth.oidc.scopes }}
             - "-oidc-scopes={{ . }}"
               {{- end }}
+              {{- with .Values.config.auth.oidc.skipTlsVerify }}
+            - "-oidc-skip-tls-verify={{ . }}"
+              {{- end }}
             {{- end }}
 
             {{- /* --- Extra Args --- */ -}}

@@ -58,6 +58,7 @@ config:
       scopes:
       sessionAuthKey:
       sessionCryptKey:
+      skipTlsVerify:
     github:
       clientID:
       clientSecret: