oidcauthextension - add ability to skip certificate validation on issuer_url matching

[x2dkstev]

1. Skip Certificate validation

   • it would be nice to have this feature as it is available in other auth extensions such as oauth. When testing in lab environment with oidc and self-signed certificates using oidcauthextension is impossible unless I put a cert proxy in between with a custom endpoint

2. Issuer URL

   • i've been in environment where the issuer_url string does not match the issue value in the well-known configuration file. The example below shows how the WebURL uses the fqdn but the issuer uses the hostname. Currently, oidcauthextension requires both values to match in order to work. I am requesting that the dependency for both values to match be removed.

   WebURL: https://myidentity.domain.com

   "issuer": "myidentity",
   "jwks_uri": "https://myidentity.domain.com/api/jwks",
   "token_endpoint": "https://myidentity.domain.com/api/OAuth/Token",
   "grant_types_supported": [
   "client_credentials"
   ],
   "token_endpoint_auth_methods_supported": [
   "client_secret_basic",
   "client_secret_post"
   ],
   "id_token_signing_alg_values_supported": [
   "RS256"
   ]

[mowies]

The OIDC auth extension is part of the collector-contrib repo, so I'll move this issue over there.

[mowies]

pinging the codeowner on this @jpkrohling :)

[github-actions]

Pinging code owners for extension/oidcauth: @jpkrohling. See Adding Labels via Comments if you do not have permissions to add labels yourself. For example, comment '/label priority:p2 -needs-triaged' to set the priority and remove the needs-triaged label.

[andsj073]

We have this issue as well (2), a custom policy (in Azure Entra Id B2C) makes the discovery url different from the returned issuer and so cant be compared for a match.

Would be great with a configurable discovery url separate from the issuer string