Add support for mTLS between proxy and OIDC issuer

[alegacy]

To support operating in environments that enforce/require client TLS certificates it would be helpful to support mTLS configurability between the proxy and the OIDC issuer.

This would involve adding new command line arguments to specify a TLS certificate and private key. For example, something like:

	fs.StringVar(&o.ClientCertKey.CertFile, "oidc-tls-client-cert-file", "", ""+
		"The absolute path to a X.509 client certificate. If provided, HTTPS requests made to the OIDC issue will "+
		"make use of mTLS.  Also requires --oidc-tls-client-key-file.")

	fs.StringVar(&o.ClientCertKey.KeyFile, "oidc-tls-client-key-file", "", ""+
		"The absolute path to a X.509 private key. If provided, HTTPS requests made to the OIDC issue will make use "+
		"of mTLS.  Also requires --oidc-tls-client-cert-file.")

[alegacy]

I'm prepared to submit a PR if you are willing to accept this content.

[mlbiam]

That sounds like a fantastic idea. Would def accept a PR. If you're doing mTLS from the proxy to the API server, which identity gets used? The identity of the mTLS connection or the token in the Authorization header?

[alegacy]

Sorry, maybe I wasn't clear... this would be to enable mTLS between the proxy and the authorization server (i.e., the OIDC issuer). ...not the proxy to the API server. If a client certificate is used on that connection (to the API server) then the API server would look at the identity in the certification rather than the Authorization header.

[mlbiam]

Got it. Still makes sense. PR would be most welcomed.

[alegacy]

Ok, thanks... I'll get it cleaned up and aim to submit next week.