I’m attempting to use the OIDC implicit flow to authenticate Sync GW document requests. I’m in a test environment and the OIDC Provider (OP) is configured with self-signed certificate. Because of the self-signed certificate, the Sync GW is, as expected, failing when it attempts to call the OP’s discovery endpoint. The log error is shown below. Could you please provide some guidance on how to install the OP’s public certificate in the Sync GW’s trust store?
[ERR] Unable to initialize OIDC client: unable to discover config: Get https:///.well-known/openid-configuration: x509: certificate signed by unknown authority – auth.(*OIDCProvider).GetClient.func1() at oidc.go:103
Sync Gateway doesn’t have its own trust store to install self signed certificates. However, it uses Go native library for trusted HTTP communication over the wire. On UNIX systems the environment variables SSL_CERT_FILE and SSL_CERT_DIR can be used to override the system default locations for the SSL certificate file and SSL certificate files directory, respectively. See x509 package - crypto/x509 - pkg.go.dev for more information. Also I don’t think you need to have a TLS encrypted endpoint for provider metadata discovery.