Description
We are using the OIDC and JWT policies as documented here: https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#oidc
When testing and debugging some unrelated issues, we discovered that the JWT policy does not verify the certificate of the jwksURI: https://github.com/nginx/kubernetes-ingress/blob/main/internal/configs/version2/nginx-plus.virtualserver.tmpl#L219-L231
We have tested that adding the following two lines fixes the issue:

    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /path_to_some_ca_cert_list;
After adding these two lines, we get an error saying that Nginx could not verify the certificate of our jwksURI, which for this testing has a self-signed certificate.
Further investigation reveals that no use of proxy_pass in nginx-plus.virtualserver.tmpl has proxy_ssl_verify activated, unless one is using the EgressMTLS feature here: https://github.com/nginx/kubernetes-ingress/blob/main/internal/configs/version2/nginx-plus.virtualserver.tmpl#L461
We have also discovered the same for the OIDC module, even though we have not verified that by testing: https://github.com/nginxinc/nginx-openid-connect/blob/main/openid_connect.server_conf
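For reference, an added example of what a JWKS fetch location looks like with upstream certificate verification enabled. This is not the controller's template and not code from this issue; the location name, the jwksURI host and the CA bundle path are assumed placeholders, and the three lines marked "added" are the ones the template as linked above does not emit.

```nginx
# Added example, not the nginx-ingress template. Placeholders: the jwksURI host,
# the CA bundle path and the location name are assumptions.
server {
    listen 443 ssl;
    server_name app.example.com;

    location /api/ {
        # NGINX Plus validates the bearer token against keys fetched from
        # the internal location below.
        auth_jwt "api" token=$http_authorization;
        auth_jwt_key_request /_jwks_uri_example;
        proxy_pass http://backend;
    }

    location = /_jwks_uri_example {
        internal;
        proxy_method GET;
        proxy_set_header Content-Length "";

        # The jwksURI from the JWT policy (assumed value). Without the three
        # directives marked "added", nginx accepts any certificate here.
        proxy_pass https://idp.example.com/.well-known/jwks.json;

        proxy_ssl_server_name on;                                   # added: send SNI
        proxy_ssl_verify on;                                        # added: verify chain
        proxy_ssl_trusted_certificate /etc/nginx/secrets/idp-ca.crt; # added: assumed CA bundle path
    }
}
```

With `proxy_ssl_verify on`, a self-signed or otherwise untrusted jwksURI certificate produces the "could not verify" error described above, which is the expected failure rather than a silent acceptance of the keys.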