diff --git a/Dockerfile b/Dockerfile index 80fe861c..47011c5e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20-alpine as builder +FROM golang:1.23-alpine as builder # Setup RUN mkdir -p /go/src/github.com/thomseddon/traefik-forward-auth diff --git a/README.md b/README.md index 90b7497f..0d77a09f 100644 --- a/README.md +++ b/README.md @@ -134,6 +134,7 @@ You must set: You can also set: - `providers.generic-oauth.scope`- Any scopes that should be included in the request (default: profile, email) - `providers.generic-oauth.token-style` - How token is presented when querying the User URL. Can be `header` or `query`, defaults to `header`. With `header` the token is provided in an Authorization header, with query the token is provided in the `access_token` query string value. +- `providers.generic-oauth.skip-verify-tls` Skips the TLS certificate verificatio when making requests to the authentication service. Please see the [Provider Setup](https://github.com/thomseddon/traefik-forward-auth/wiki/Provider-Setup) wiki page for examples. diff --git a/internal/provider/generic_oauth.go b/internal/provider/generic_oauth.go index a6bba510..fc633a50 100644 --- a/internal/provider/generic_oauth.go +++ b/internal/provider/generic_oauth.go @@ -2,6 +2,7 @@ package provider import ( "context" + "crypto/tls" "encoding/json" "errors" "fmt" @@ -12,15 +13,17 @@ import ( // GenericOAuth provider type GenericOAuth struct { - AuthURL string `long:"auth-url" env:"AUTH_URL" description:"Auth/Login URL"` - TokenURL string `long:"token-url" env:"TOKEN_URL" description:"Token URL"` - UserURL string `long:"user-url" env:"USER_URL" description:"URL used to retrieve user info"` - ClientID string `long:"client-id" env:"CLIENT_ID" description:"Client ID"` - ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"` - Scopes []string `long:"scope" env:"SCOPE" env-delim:"," default:"profile" default:"email" description:"Scopes"` - TokenStyle string `long:"token-style" env:"TOKEN_STYLE" default:"header" choice:"header" choice:"query" description:"How token is presented when querying the User URL"` + AuthURL string `long:"auth-url" env:"AUTH_URL" description:"Auth/Login URL"` + TokenURL string `long:"token-url" env:"TOKEN_URL" description:"Token URL"` + UserURL string `long:"user-url" env:"USER_URL" description:"URL used to retrieve user info"` + ClientID string `long:"client-id" env:"CLIENT_ID" description:"Client ID"` + ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"` + Scopes []string `long:"scope" env:"SCOPE" env-delim:"," default:"profile" default:"email" description:"Scopes"` + TokenStyle string `long:"token-style" env:"TOKEN_STYLE" default:"header" choice:"header" choice:"query" description:"How token is presented when querying the User URL"` + SkipVerifyTLS bool `long:"skip-verify-tls" env:"SKIP_VERIFY_TLS" description:"Skip TLS certificate verification"` OAuthProvider + httpClient *http.Client } // Name returns the name of the provider @@ -48,6 +51,19 @@ func (o *GenericOAuth) Setup() error { o.ctx = context.Background() + // Create custom HTTP client with TLS config + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: o.SkipVerifyTLS}, + } + o.httpClient = &http.Client{Transport: tr} + + // Create a context with the custom HTTP client + ctx := context.WithValue(o.ctx, oauth2.HTTPClient, o.httpClient) + o.ctx = ctx + + // Remove this line + // o.Config.HTTPClient = o.httpClient + return nil } @@ -83,8 +99,7 @@ func (o *GenericOAuth) GetUser(token string) (User, error) { req.URL.RawQuery = q.Encode() } - client := &http.Client{} - res, err := client.Do(req) + res, err := o.httpClient.Do(req) if err != nil { return user, err }