[GH-ISSUE #4988] TLS and ProxyURL settings for OIDC auth token specific connections #3931

Closed
opened 2026-05-05 14:30:22 -06:00 by gitea-mirror · 1 comment

Originally created by @caphrim007 on GitHub (Sep 20, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4988

Bug Description

This is more of a question.

I've seen the settings for transport.tls in the frpc and frps config files.

frpc TLS settings:

transport.tls.enable = true
transport.tls.certFile = "certificate.crt"
transport.tls.keyFile = "certificate.key"
transport.tls.trustedCaFile = "ca.crt"

frps TLS settings:

transport.tls.force = true
transport.tls.certFile = "certificate.crt"
transport.tls.keyFile = "certificate.key"
transport.tls.trustedCaFile = "ca.crt"

But our experience using OIDC to authenticate to an https endpoint using something like a self-signed certificate raises errors in FRPC logs about certificate verification.

We worked around this by adding the CA chain to /etc/ssl/certs/ca-certificates.crt, but I was wondering if there is...or if there should be...similar TLS settings for acquiring OIDC tokens? Or is the filesystem path the only option?

The URL that is fronted by this custom CA chain is the one specified in auth.oidc.tokenEndpointURL. For example, in the following,

auth.oidc.tokenEndpointURL = "https://example-oidc-endpoint.com/oauth2/v2.0/token"

How can one configure FRPC to verify the certificate presented at that HTTPS endpoint? Is there config available in the frpc.toml file? Or is it required to update system certificates?

The second part of my question is whether all of the above is also configurable (in the frpc.toml file) for Proxy settings used for acquiring OIDC auth tokens.

There is

transport.proxyURL = "http://user:pwd@192.168.1.128:8080"

But that doesn't appear to apply to code that fetches OIDC auth tokens.

How can one configure FRPC to use Proxy settings for OIDC auth tokens? Is there config available in the frpc.toml file? Or is it required to set HTTP_PROXY and HTTPS_PROXY environment variables before starting frpc?

frpc Version

0.64.0

frps Version

0.64.0

System Architecture

linux/amd64

Configurations

These configurations are high-level. You'll need a functioning OIDC provider and create client IDs and secrets, etc., so this isn't likely functional as-is in your environment.

serverAddr = "foo.bar.local"
serverPort = 80

loginFailExit = true

log.to = "console"
log.level = "info"
log.maxDays = 3
log.disablePrintColor = false

auth.method = "oidc"

auth.oidc.clientID = "clientid1"
auth.oidc.clientSecret = "secret1"
auth.oidc.tokenEndpointURL = "https://foo.bar.local/auth/oauth/token"

transport.poolCount = 0
transport.protocol = "websocket"
transport.connectServerLocalIP = ""
transport.tls.enable = false

udpPacketSize = 1500
metadatas.foo = "alice"

[[proxies]]
name = "web"
type = "http"
localIP = "127.0.0.1"
localPort = 4000
customDomains = ["web.local"]
metadatas.foo = "alice"
metadatas.bar = "bob"

Logs

2025-09-20 17:16:59.462 [I] [sub/root.go:149] start frpc service for config file [/var/vcap/jobs/frpc/config/frpc.toml]
2025-09-20 17:16:59.462 [I] [client/service.go:314] try to connect to server...
2025-09-20 17:16:59.509 [W] [client/service.go:317] connect to server error: couldn't generate OIDC token for login: Post "https://foo.bar.local/auth/oauth/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
2025-09-20 17:16:59.509 [I] [sub/root.go:167] frpc service for config file [/var/vcap/jobs/frpc/config/frpc.toml] stopped

Steps to reproduce

  1. configure oidc with auth.oidc.tokenEndpointURL pointed to an OIDC provider that uses a custom CA chain
  2. maybe more settings?

...

Affected area

  • [ ] Docs
  • [ ] Installation
  • [ ] Performance and Scalability
  • [ ] Security
  • [x] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [x] Others
gitea-mirror 2026-05-05 14:30:22 -06:00: closed this issue and added the todo label

@fatedier commented on GitHub (Sep 21, 2025):

transport.tls and transport.proxyURL are configuration options for frpc connecting to frps, and they do not apply in other scenarios.

> But our experience using OIDC to authenticate to an https endpoint using something like a self-signed certificate, raises errors in FRPC logs about certificate verification.
> We worked around this by adding the CA chain to /etc/ssl/certs/ca-certificates.crt, but I was wondering if there is...or if there should be...similar TLS settings for acquiring OIDC tokens? Or is the filesystem path the only option?

I think adding a parameter to configure the OIDC CA file is reasonable. And we can also support insecureSkipVerify for debugging.

> how can one configure FRPC to use Proxy settings for OIDC auth tokens? is there config available in the frpc.toml file? or is it required to set HTTP_PROXY and HTTPS_PROXY environment variables before starting frpc?

I prefer adding a separate proxy configuration within the OIDC settings.
