Merge pull request #4601 from wkloucek/remove-default-insecure

change the default value for PROXY_OIDC_INSECURE to false

changelog/unreleased/fix-insecure-option-with-default-true.md

@@ -0,0 +1,6 @@
+Bugfix: Change the default value for PROXY_OIDC_INSECURE to false
+
+We've changed the default value for PROXY_OIDC_INSECURE to `false`.
+Previously the default values was `true` which is not acceptable since default values need to be secure.
+
+https://github.com/owncloud/ocis/pull/4601

ocis/pkg/init/init.go

@@ -28,7 +28,12 @@ type InsecureService struct {
 }
 
 type InsecureProxyService struct {
-	InsecureBackends bool `yaml:"insecure_backends"`
+	OIDC             InsecureProxyOIDC `yaml:"oidc"`
+	InsecureBackends bool              `yaml:"insecure_backends"`
+}
+
+type InsecureProxyOIDC struct {
+	Insecure bool `yaml:"insecure"`
 }
 
 type LdapSettings struct {
@@ -282,6 +287,9 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 		}
 		cfg.Proxy = InsecureProxyService{
 			InsecureBackends: true,
+			OIDC: InsecureProxyOIDC{
+				Insecure: true,
+			},
 		}
 
 		cfg.Thumbnails.Thumbnail.WebdavAllowInsecure = true

services/proxy/pkg/config/defaults/defaultconfig.go

@@ -33,9 +33,8 @@ func DefaultConfig() *config.Config {
 			Name: "proxy",
 		},
 		OIDC: config.OIDC{
-			Issuer:   "https://localhost:9200",
-			Insecure: true,
-			//Insecure: true,
+			Issuer: "https://localhost:9200",
+
 			AccessTokenVerifyMethod: config.AccessTokenVerificationJWT,
 			UserinfoCache: config.UserinfoCache{
 				Size: 1024,