option for skipping OAuth provider SSL verification

Author: jehiah

README.md

@@ -200,6 +200,7 @@ Usage of oauth2_proxy:
   -signature-key="": GAP-Signature request signature key (algorithm:secretkey)
   -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
   -skip-provider-button=false: will skip sign-in-page to directly reach the next step: oauth/start
+  -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS
   -tls-cert="": path to certificate file
   -tls-key="": path to private key file
   -upstream=: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path

contrib/oauth2_proxy.cfg.example

@@ -54,6 +54,10 @@
 ## optional directory with custom sign_in.html and error.html
 # custom_templates_dir = ""
 
+## skip SSL checking for HTTPS requests
+# ssl_insecure_skip_verify = false
+
+
 ## Cookie Settings
 ## Name     - the cookie name
 ## Secret   - the seed string for secure cookies; should be 16, 24, or 32 bytes

main.go

@@ -38,6 +38,7 @@ func main() {
 	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
 	flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
 	flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")
+	flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
 
 	flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")

options.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"crypto"
+	"crypto/tls"
 	"encoding/base64"
 	"fmt"
 	"net/http"
@@ -47,14 +48,15 @@ type Options struct {
 	CookieSecure   bool          `flag:"cookie-secure" cfg:"cookie_secure"`
 	CookieHttpOnly bool          `flag:"cookie-httponly" cfg:"cookie_httponly"`
 
-	Upstreams          []string `flag:"upstream" cfg:"upstreams"`
-	SkipAuthRegex      []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
-	PassBasicAuth      bool     `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
-	BasicAuthPassword  string   `flag:"basic-auth-password" cfg:"basic_auth_password"`
-	PassAccessToken    bool     `flag:"pass-access-token" cfg:"pass_access_token"`
-	PassHostHeader     bool     `flag:"pass-host-header" cfg:"pass_host_header"`
-	SkipProviderButton bool     `flag:"skip-provider-button" cfg:"skip_provider_button"`
-	PassUserHeaders    bool     `flag:"pass-user-headers" cfg:"pass_user_headers"`
+	Upstreams             []string `flag:"upstream" cfg:"upstreams"`
+	SkipAuthRegex         []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
+	PassBasicAuth         bool     `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
+	BasicAuthPassword     string   `flag:"basic-auth-password" cfg:"basic_auth_password"`
+	PassAccessToken       bool     `flag:"pass-access-token" cfg:"pass_access_token"`
+	PassHostHeader        bool     `flag:"pass-host-header" cfg:"pass_host_header"`
+	SkipProviderButton    bool     `flag:"skip-provider-button" cfg:"skip_provider_button"`
+	PassUserHeaders       bool     `flag:"pass-user-headers" cfg:"pass_user_headers"`
+	SSLInsecureSkipVerify bool     `flag:"ssl-insecure-skip-verify" cfg:"ssl_insecure_skip_verify"`
 
 	// These options allow for other providers besides Google, with
 	// potential overrides.
@@ -99,7 +101,6 @@ func NewOptions() *Options {
 		PassUserHeaders:     true,
 		PassAccessToken:     false,
 		PassHostHeader:      true,
-		SkipProviderButton:  false,
 		ApprovalPrompt:      "force",
 		RequestLogging:      true,
 	}
@@ -205,6 +206,13 @@ func (o *Options) Validate() error {
 	msgs = parseSignatureKey(o, msgs)
 	msgs = validateCookieName(o, msgs)
 
+	if o.SSLInsecureSkipVerify {
+		insecureTransport := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		http.DefaultClient = &http.Client{Transport: insecureTransport}
+	}
+
 	if len(msgs) != 0 {
 		return fmt.Errorf("Invalid configuration:\n  %s",
 			strings.Join(msgs, "\n  "))