Fix client registration
Issue #112 introduced Keycloak client registration. While this worked with Keycloak on localhost, it does not work in the test environment with real certificates. The cause is the async_http_client in OpenIdConnectClientManager, which does not accept a custom certificate authority, so all requests are rejected.
- [ ] Pass custom certificate authority to request client
- [ ] Make test work with a request using a custom certificate authority in test environment
- [ ] Remove the environment variables `OPENDUT_CARL_NETWORK_OIDC_CLIENT_PEER_ID` and `OPENDUT_CARL_NETWORK_OIDC_CLIENT_PEER_SECRET` from docker-compose.yml
Benefit: peers no longer share the same client credentials.
The async_http_client is also used by the clients of CARL (EDGAR and CLEO). There is a simple workaround to add a custom certificate authority by setting an environment variable that the Rust TLS library respects:
SSL_CERT_FILE=/path/to/ca.pem
See rustls-native-certs:
On all platforms, the SSL_CERT_FILE environment variable is checked first. If that's set, certificates are loaded from the path specified by that variable, or an error is returned if certificates cannot be loaded from the given path. If it's not set, then the platform-specific certificate source is used.
While this workaround is convenient, it is not a solution. A custom HTTP client allows choosing which certificate authority to trust for each server, without adding the CA to the system store or to the environment variable. Setting SSL_CERT_FILE or installing the CA system-wide also changes the behavior of other applications, since SSL_CERT_FILE is honored by e.g. curl, Go and many others. Note too that, per the quoted behavior, SSL_CERT_FILE replaces the platform store rather than extending it, so the file would have to contain every CA the process needs.
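The per-server granularity described above, as an added example in Rust (this is not opendut's code): a small trust policy that parses a PEM CA bundle into DER certificates and maps host names to custom roots, falling back to the platform store for every other host, so SSL_CERT_FILE never has to be set. The host names and the PEM bundle are constructed placeholders (the base64 payloads are tiny DER blobs, not real certificates), and the final step of handing the DER blobs to the HTTP client's root store is specific to the client library and not shown here.

```rust
// Added example, not part of opendut: per-host CA selection without SSL_CERT_FILE.
use std::collections::HashMap;

/// One DER-encoded certificate extracted from a PEM bundle.
#[derive(Debug, Clone, PartialEq)]
pub struct DerCert(pub Vec<u8>);

/// Which root store a request to a given host should be verified against.
#[derive(Debug, Clone, PartialEq)]
pub enum RootStore {
    /// The platform store (what rustls-native-certs loads when SSL_CERT_FILE is unset).
    Platform,
    /// A custom CA bundle that applies only to the host it was registered for.
    Custom(Vec<DerCert>),
}

/// Decode standard base64 with '=' padding; whitespace is skipped, bad symbols yield None.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    const TABLE: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        if c == b'=' { break; }                 // padding: the leftover bits are discarded
        if c.is_ascii_whitespace() { continue; }
        let v = TABLE.iter().position(|&t| t == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);      // emit the completed byte
            acc &= (1 << bits) - 1;             // keep only the pending low bits
        }
    }
    Some(out)
}

/// Parse every CERTIFICATE block of a PEM bundle into DER bytes; text outside blocks is ignored.
pub fn parse_pem_bundle(pem: &str) -> Result<Vec<DerCert>, String> {
    let mut certs = Vec::new();
    let mut body: Option<String> = None;
    for line in pem.lines() {
        let line = line.trim();
        if line == "-----BEGIN CERTIFICATE-----" {
            if body.is_some() { return Err("nested BEGIN CERTIFICATE".into()); }
            body = Some(String::new());
        } else if line == "-----END CERTIFICATE-----" {
            let b64 = body.take().ok_or("END CERTIFICATE without BEGIN")?;
            let der = base64_decode(&b64).ok_or("invalid base64 in certificate block")?;
            certs.push(DerCert(der));
        } else if let Some(b) = body.as_mut() {
            b.push_str(line);
        }
    }
    if body.is_some() { return Err("unterminated CERTIFICATE block".into()); }
    Ok(certs)
}

/// Maps host names to the custom roots they must be verified with.
#[derive(Default)]
pub struct TrustPolicy {
    per_host: HashMap<String, Vec<DerCert>>,
}

impl TrustPolicy {
    pub fn new() -> Self { Self::default() }

    /// Register a custom CA bundle for exactly one host (e.g. the test Keycloak).
    pub fn trust_host_with(&mut self, host: &str, pem_bundle: &str) -> Result<(), String> {
        let certs = parse_pem_bundle(pem_bundle)?;
        if certs.is_empty() { return Err("bundle contains no certificates".into()); }
        self.per_host.insert(host.to_ascii_lowercase(), certs);
        Ok(())
    }

    /// Custom roots for registered hosts; everything else keeps the platform store.
    pub fn roots_for(&self, host: &str) -> RootStore {
        match self.per_host.get(&host.to_ascii_lowercase()) {
            Some(certs) => RootStore::Custom(certs.clone()),
            None => RootStore::Platform,
        }
    }
}

/// Constructed placeholder bundle: two tiny DER blobs, NOT real certificates.
pub const SAMPLE_CA_BUNDLE: &str = "\
# constructed test bundle for the example above
-----BEGIN CERTIFICATE-----
MAQCAhI0
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAQCAhI=
-----END CERTIFICATE-----
";

fn main() {
    let mut policy = TrustPolicy::new();
    // constructed host name; in CARL this would be the configured Keycloak issuer host
    policy.trust_host_with("keycloak.test.example", SAMPLE_CA_BUNDLE).expect("valid bundle");
    println!("keycloak.test.example -> {:?}", policy.roots_for("keycloak.test.example"));
    println!("other.example         -> {:?}", policy.roots_for("other.example"));
}
```

With such a policy the HTTP client built for the Keycloak host gets only the DER certificates from `roots_for`, while clients for all other hosts keep the platform store, which is exactly the per-server choice a global SSL_CERT_FILE cannot express.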