social sign-in - How to use a generic provider having a self signed signature?

[ymaiga]

I have a hosted Kratos, I want to log with a generic OIDC provider having a non trusted signature.
Is there a configuration in Ory Kratos to set a list of trusted certificates OR to disable the cert verification.

The error message I have : "Unable to initialize OpenID Connect Provider: Get "https://my-provider/.well-known/openid-configuration\": x509: certificate signed by unknown authority"

[ymaiga]

I fix this point putting my ca certificate inside the /etc/ssl/certs/ of Kratos container.

[vinckr]

Thanks for sharing your fix 🙌

[gammaSpeck]

Hello, @ymaiga and @vinckr. Were you able to able to authenticate users in an OIDC flow on a generic provider using x509 certificates?

The Ory docs here mentions that this feature is not yet supported.

I am trying to configure authentication on Microsoft Azure AD using Certificates (We have a strict use case where we are not allowed to create client_secrets).

I was able to follow this microsoft article to be able to get back an access token. But, how do I configure the self hosted Kratos OIDC configs to support my use case?

[vinckr]

Hello @gammaSpeck
Ory Kratos supports OIDC authentication with Microsoft Azure AD, but it requires a client secret as part of the configuration - AFAIK X509 certs are not supported. The steps to configure Microsoft Azure AD as a social sign-in provider are detailed in the Ory documentation.