Enhance -k skip option to skip issuer check in begin (#120)

* Enhance -k skip option to skip issuer check in begin

At start there is a lookup in well-known if issuer from there is the same as passed to command.
In case they are not equal the run stops.
With -k now this check is ignored and processing is continued.

* Update openid-client/openid-client.go

Co-authored-by: Copilot <[email protected]>

* Update README.md

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

Author: strehle

README.md

@@ -83,7 +83,26 @@ Flags:
       -resource         Token-Exchange custom resource parameter.
       -requested_type   Token-Exchange requested type.
       -provider_name    Provider name for token-exchange.
-      -k                Skip TLS server certificate verification.
+      -k                Skip TLS server certificate verification and skip OIDC issuer check from well-known.
       -v                Verbose. Show more details about calls.
       -h                Show this help for more details.
 ```
+
+### How to test in automation without showing secrets
+In environments with outlog to logs or others it might be needed to hide the secrets and/or client details.
+There are some environment variables, which will be used if set. A variable passed to the command itself always as prio before the
+environment, but you can also mix input parameters and environment.
+
+* OPENID_ISSUER The issuer of the OIDC server. Useful if you re-use a command often to omit it from a command. 
+* OPENID_ID The client_id parameter.
+* OPENID_SECRET The client_secret parameter.
+* OPENID_FORMAT The format of the access_token. Possible values are jwt or opaque.
+
+Example
+```text
+openid-client client_credentials
+```
+or with some information
+```text
+openid-client client_credentials -client_id xxxxx
+```

openid-client/openid-client.go

@@ -86,7 +86,7 @@ func main() {
 			"      -resource         Token-Exchange custom resource parameter.\n" +
 			"      -requested_type   Token-Exchange requested type.\n" +
 			"      -provider_name    Provider name for token-exchange.\n" +
-			"      -k                Skip TLS server certificate verification.\n" +
+			"      -k                Skip TLS server certificate verification and skip OIDC issuer check from well-known.\n" +
 			"      -v                Verbose. Show more details about calls.\n" +
 			"      -h                Show this help for more details.")
 	}
@@ -130,7 +130,7 @@ func main() {
 	var requestedType = flag.String("requested_type", "", "Token-Exchange requested type")
 	var providerName = flag.String("provider_name", "", "Provider name for token-exchange")
 	var resourceParam = flag.String("resource", "", "Additional resource")
-	var skipTlsVerification = flag.Bool("k", false, "Skip TLS server certificate verification")
+	var skipTlsVerification = flag.Bool("k", false, "Skip TLS server certificate verification and issuer.")
 	var mTLS = false
 	var privateKeyJwt = ""
 	var arguments []string
@@ -155,6 +155,7 @@ func main() {
 		return
 	case "client_credentials", "password", "token-exchange", "jwt-bearer", "saml-bearer", "idp_token", "":
 	case "passcode", "introspect":
+		*clientID = os.Getenv("OPENID_ID")
 		if *clientID == "" {
 			*clientID = "T000000" /* default */
 		}
@@ -199,6 +200,9 @@ func main() {
 		TokenEndPoint      string `json:"token_endpoint"`
 		IntroSpectEndpoint string `json:"introspection_endpoint,omitempty"`
 	}
+	if *skipTlsVerification {
+		ctx = oidc.InsecureIssuerURLContext(ctx, *issEndPoint)
+	}
 	provider, oidcError := oidc.NewProvider(ctx, *issEndPoint)
 	if oidcError != nil {
 		if *urlEndPoint != "" && *command != "" {
@@ -354,8 +358,11 @@ func main() {
 		requestMap.Set("client_assertion", privateKeyJwt)
 	}
 	var verbose = *isVerbose
-	if *tokenFormatParameter != "" && *doCfCall == false {
+	var envFormat = os.Getenv("OPENID_FORMAT")
+	if *tokenFormatParameter != "" && envFormat == "" && *doCfCall == false {
 		requestMap.Set("token_format", *tokenFormatParameter)
+	} else if envFormat != "" {
+		requestMap.Set("token_format", envFormat)
 	}
 	if *appTid != "" {
 		requestMap.Set("app_tid", *appTid)