Added support for self-signed SSL certificates

main.go

@@ -37,6 +37,7 @@ func main() {
 	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
 	flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
 	flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")
+	flagSet.Bool("enable-insecure", false, "Allow token redemption via insecure SSL connections")
 
 	flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")

oauthproxy.go

@@ -67,6 +67,7 @@ type OAuthProxy struct {
 	compiledRegex       []*regexp.Regexp
 	templates           *template.Template
 	Footer              string
+	EnableInsecure	    bool
 }
 
 type UpstreamProxy struct {
@@ -150,6 +151,8 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 	redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix)
 
 	log.Printf("OAuthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID)
+	opts.provider.Data().EnableInsecure = opts.EnableInsecure
+	log.Printf("OAuthProxy Insecure SSL: %t", opts.provider.Data().EnableInsecure)
 	domain := opts.CookieDomain
 	if domain == "" {
 		domain = "<default>"
@@ -200,6 +203,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 		CookieCipher:       cipher,
 		templates:          loadTemplates(opts.CustomTemplatesDir),
 		Footer:             opts.Footer,
+		EnableInsecure:	   opts.EnableInsecure,
 	}
 }
 

oauthproxy_test.go

@@ -157,6 +157,7 @@ func TestBasicAuthPassword(t *testing.T) {
 	opts.CookieSecure = false
 	opts.PassBasicAuth = true
 	opts.BasicAuthPassword = "This is a secure password"
+	opts.EnableInsecure = false
 	opts.Validate()
 
 	provider_url, _ := url.Parse(provider_server.URL)

options.go

@@ -53,6 +53,7 @@ type Options struct {
 	PassAccessToken    bool     `flag:"pass-access-token" cfg:"pass_access_token"`
 	PassHostHeader     bool     `flag:"pass-host-header" cfg:"pass_host_header"`
 	SkipProviderButton bool     `flag:"skip-provider-button" cfg:"skip_provider_button"`
+	EnableInsecure    bool     `flag:"enable-insecure" cfg:"enable_insecure"`
 
 	// These options allow for other providers besides Google, with
 	// potential overrides.
@@ -99,6 +100,7 @@ func NewOptions() *Options {
 		SkipProviderButton:  false,
 		ApprovalPrompt:      "force",
 		RequestLogging:      true,
+		EnableInsecure:      false,
 	}
 }
 

providers/provider_data.go

@@ -15,6 +15,7 @@ type ProviderData struct {
 	ValidateURL       *url.URL
 	Scope             string
 	ApprovalPrompt    string
+	EnableInsecure    bool
 }
 
 func (p *ProviderData) Data() *ProviderData { return p }

providers/provider_default.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"crypto/tls"
 
 	"github.com/bitly/oauth2_proxy/cookie"
 )
@@ -19,12 +20,20 @@ func (p *ProviderData) Redeem(redirectURL, code string) (s *SessionState, err er
 		return
 	}
 
+
 	params := url.Values{}
 	params.Add("redirect_uri", redirectURL)
 	params.Add("client_id", p.ClientID)
 	params.Add("client_secret", p.ClientSecret)
 	params.Add("code", code)
 	params.Add("grant_type", "authorization_code")
+
+	fmt.Printf("Before Request -> SSL: %t", p.EnableInsecure)
+
+	cfg := &tls.Config{ InsecureSkipVerify: p.EnableInsecure, }
+
+	http.DefaultClient.Transport = &http.Transport{ TLSClientConfig: cfg, }
+
 	if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
 		params.Add("resource", p.ProtectedResource.String())
 	}