feat: add option for insecure service account authentication (#848)

Co-authored-by: Christoph Bühler <buehler@users.noreply.github.com>
smartive · Dec 19, 2023 · 341b912 · 341b912
1 parent 3d1a30e
commit 341b912
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/Zitadel/Credentials/ServiceAccount.cs b/src/Zitadel/Credentials/ServiceAccount.cs
@@ -134,7 +134,7 @@ public async Task<string> AuthenticateAsync(string audience, AuthOptions? authOp
             var manager = new ConfigurationManager<OpenIdConnectConfiguration>(
                 authOptions.DiscoveryEndpoint ?? DiscoveryEndpoint(audience),
                 new OpenIdConnectConfigurationRetriever(),
-                new HttpDocumentRetriever(HttpClient));
+                new HttpDocumentRetriever(HttpClient) { RequireHttps = authOptions.RequireHttps ?? true });
 
             var oidcConfig = await manager.GetConfigurationAsync();
 
@@ -246,6 +246,11 @@ public record AuthOptions
             /// </summary>
             public string? DiscoveryEndpoint { get; init; }
 
+            /// <summary>
+            /// Requires Https secure channel for sending requests. This is turned ON by default for security reasons. It is RECOMMENDED that you do not allow retrieval from http addresses by default.
+            /// </summary>
+            public bool? RequireHttps { get; init; }
+
             /// <summary>
             /// Set a list of roles that must be attached to this service account to be
             /// successfully authenticated. Translates to the role scope ("urn:zitadel:iam:org:project:role:{Role}").