Using self-signed certificate in OIDC fails x509 to get UserInfo #79

Open
@miro-grapeup

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

3.1.0

Storage Type

In-memory

Installation Type

Other (specify below)

Expected Behavior

This issue is related to dex used internally in Concourse.
Expected behavior is that you can log in to Concourse with OIDC and a self-signed certificate with skipSslValidation set to true.

Actual Behavior

The issue occurs in Concourse version 7.8.0 and higher (where a new flag was introduced: CONCOURSE_OIDC_DISABLE_GET_USER_INFO).
This flag is set to false by default (DisableGetUserInfo is set to false), which means it will try to get UserInfo. But it fails when a self-signed cert is used, as in the image below:
[Image: concourse_error_oidc]

Steps To Reproduce

  1. Configure concourse with OIDC: skipSslValidation set to true and disableGetUserInfo set to false.
  2. Try to log in.
  3. You get an error about a self-signed x509 certificate.

Additional Information

This is probably caused by one missed line, where the http.Request context is used instead of the context with the local httpClient:
https://github.com/concourse/dex/blob/v0.8.0/connector/oidc/oidc.go#L295

I am not sure if this should be reported in concourse repository as well.

Configuration

No response

Logs

No response
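
Added example, not part of the original issue and not dex or Concourse code: a standard-library Go model of the cause suggested under Additional Information, where a fetch that receives only the request context falls back to the default client and rejects the self-signed certificate. `clientKey`, `getUserInfo` and `demo` are hypothetical names, and the `httptest` server is a constructed stand-in for an identity provider with a self-signed certificate.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientKey is a hypothetical stand-in for an OIDC library's context key for a caller-supplied client.
type clientKey struct{}

// getUserInfo uses the *http.Client carried in ctx, else http.DefaultClient (system trust store).
func getUserInfo(ctx context.Context, url string) error {
	client := http.DefaultClient
	if c, ok := ctx.Value(clientKey{}).(*http.Client); ok {
		client = c
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo calls getUserInfo with the bare request context, then with a context carrying the local client.
func demo() (bare, scoped error) {
	// Constructed identity provider whose certificate is not in the system trust store.
	idp := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"sub":"constructed-user"}`)
	}))
	defer idp.Close()
	// The connector's own client; InsecureSkipVerify mirrors skipSslValidation set to true.
	local := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	callback := httptest.NewRequest(http.MethodGet, "/callback", nil)
	bare = getUserInfo(callback.Context(), idp.URL)
	scoped = getUserInfo(context.WithValue(callback.Context(), clientKey{}, local), idp.URL)
	return bare, scoped
}

func main() {
	bare, scoped := demo()
	fmt.Println("request context only:", bare, "| with local client:", scoped)
}
```

The first call returns an x509 verification error because the configured client never reaches the HTTP layer; the second succeeds because the client travels in the context.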
