From 2095d6961db2d12533ef4db2d9ee1017b77e46a1 Mon Sep 17 00:00:00 2001
From: Severin Leonhardt
Date: Mon, 13 Nov 2023 20:06:13 +0100
Subject: [PATCH 1/2] Fix inverted logic of OIDC_TLS_VERIFY

When OIDC_TLS_VERIFY was set to the string "true" this was converted to the boolean `true` by `strToBool`. This resulted in `skipTLSVerify` also returning `true`. Thus verification was actually skipped. Fixed this inverted logic bug.
---
 pkg/client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/client.go b/pkg/client.go
index 8fc2c0c..cb6d9de 100644
--- a/pkg/client.go
+++ b/pkg/client.go
@@ -44,7 +44,7 @@ func strToBool(str string) bool {
 
 func skipTLSVerify() bool {
 	tlsVerify := strings.ToLower(Env("OIDC_TLS_VERIFY", "true"))
-	return strToBool(tlsVerify)
+	return !strToBool(tlsVerify)
 }
 
 func createContext(from context.Context) context.Context {

From 3f0f8e48ee480dba7fb3867c04d51051129435ff Mon Sep 17 00:00:00 2001
From: Severin Leonhardt
Date: Mon, 13 Nov 2023 20:10:38 +0100
Subject: [PATCH 2/2] Apply OIDC_TLS_VERIFY to OIDC provider as well

The configuration OIDC_TLS_VERIFY was only applied to for the refresh- token related checks. It was still not possible to use the test client with an OIDC provider that was using a self-signed certificate. This commit changes the context used for communicating with the OIDC provider. That way TLS certificate validation can be skipped and thus an OIDC provider using a self-signed certificate can also be used.
---
 pkg/client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/client.go b/pkg/client.go
index cb6d9de..a2a1547 100644
--- a/pkg/client.go
+++ b/pkg/client.go
@@ -68,7 +68,7 @@ func getScopes() []string {
 }
 
 func NewOIDCClient(clientID string, clientSecret string, providerURL string) *OIDCClient {
-	ctx := context.Background()
+	ctx := createContext(context.Background())
 	provider, err := oidc.NewProvider(ctx, providerURL)
 	if err != nil {
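Review bot: With the return negated, every OIDC_TLS_VERIFY value that strToBool does not recognise as true now disables certificate verification, so a typo such as `OIDC_TLS_VERIFY=ture` would silently fail open; strToBool's body begins above the hunk, so I cannot tell from here how it treats unrecognised input. For a security toggle the contract should be fail-closed and stated at the function: `// skipTLSVerify reports whether OIDC_TLS_VERIFY turns certificate checks off; only an explicit false value should do so, anything else keeps verification on.` If strToBool does not already return true for unknown strings, skipping only on an explicit negative here (`return tlsVerify == "false"`, extended to whatever spellings strToBool accepts) is the safer shape. A small table test over "true", "false", "" and "TRUE" would have caught the original inversion and would pin this behaviour.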
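Review bot: Passing the context through createContext means OIDC_TLS_VERIFY=false now also disables certificate verification for the discovery request made by oidc.NewProvider on the next line (and presumably for any later key fetches that reuse this provider's context), not only for the refresh-token checks, and nothing at the call site records that widened scope; createContext's body is outside the hunk, so this follows the commit message rather than visible code. A comment above the changed line would make it visible to the next reader: `// OIDC_TLS_VERIFY also governs provider discovery: createContext drops certificate checks when it is false.` It would also be worth emitting a warning, in createContext or here, whenever verification is off, so a misconfigured deployment is noticed rather than silently trusting any certificate. NewOIDCClient continues past the end of the hunk.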