Merge pull request #342 from dimityrmirchev/default-oidc-root-ca

OIDC authenticator defaults to using host's root CA pool if CA file is not provided
brancz · Dec 9, 2024 · 0b6ff42 · 0b6ff42
2 parents 28ede67 + 06bdb53
commit 0b6ff42
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/pkg/authn/oidc.go b/pkg/authn/oidc.go
@@ -38,9 +38,13 @@ var (
 
 // NewOIDCAuthenticator returns OIDC authenticator
 func NewOIDCAuthenticator(ctx context.Context, config *OIDCConfig) (*OIDCAuthenticator, error) {
-	dyCA, err := dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", config.CAFile)
-	if err != nil {
-		return nil, err
+	var dynamicCA *dynamiccertificates.DynamicFileCAContent
+	if len(config.CAFile) > 0 { // if unset, the OIDC authenticator defaults to host's trust store
+		var err error
+		dynamicCA, err = dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", config.CAFile)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	tokenAuthenticator, err := oidc.New(ctx, oidc.Options{
@@ -60,15 +64,15 @@ func NewOIDCAuthenticator(ctx context.Context, config *OIDCConfig) (*OIDCAuthent
 				},
 			},
 		},
-		CAContentProvider:    dyCA,
+		CAContentProvider:    dynamicCA,
 		SupportedSigningAlgs: config.SupportedSigningAlgs,
 	})
 	if err != nil {
 		return nil, err
 	}
 
 	return &OIDCAuthenticator{
-		dynamicClientCA:      dyCA,
+		dynamicClientCA:      dynamicCA,
 		requestAuthenticator: bearertoken.New(tokenAuthenticator),
 	}, nil
 }