deref everything but now with default constants

Signed-off-by: Jan Larwig <jan@larwig.com>

pkg/apis/options/header.go

@@ -2,6 +2,11 @@ package options
 
 import "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr"
 
+const (
+	// DefaultHeaderPreserveRequestValue is the default value for Header.PreserveRequestValue
+	DefaultHeaderPreserveRequestValue bool = false
+)
+
 // Header represents an individual header that will be added to a request or
 // response header.
 type Header struct {
@@ -59,7 +64,7 @@ type ClaimSource struct {
 // EnsureDefaults sets any default values for Header fields.
 func (h *Header) EnsureDefaults() {
 	if h.PreserveRequestValue == nil {
-		h.PreserveRequestValue = ptr.Ptr(false)
+		h.PreserveRequestValue = ptr.Ptr(DefaultHeaderPreserveRequestValue)
 	}
 	for i := range h.Values {
 		h.Values[i].EnsureDefaults()

pkg/apis/options/providers.go

@@ -4,10 +4,46 @@ import "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr"
 
 const (
 	// OIDCEmailClaim is the generic email claim used by the OIDC provider.
-	OIDCEmailClaim = "email"
+	OIDCEmailClaim string = "email"
 
 	// OIDCGroupsClaim is the generic groups claim used by the OIDC provider.
-	OIDCGroupsClaim = "groups"
+	OIDCGroupsClaim string = "groups"
+
+	// DefaultSkipDiscovery is the default value
+	// for OIDCOptions.SkipDiscovery
+	DefaultSkipDiscovery bool = false
+
+	// DefaultInsecureSkipNonce is the default value
+	// for OIDCOptions.InsecureSkipNonce
+	DefaultInsecureSkipNonce bool = true
+
+	// DefaultInsecureAllowUnverifiedEmail is the default value
+	// for OIDCOptions.InsecureAllowUnverifiedEmail
+	DefaultInsecureAllowUnverifiedEmail bool = false
+
+	// DefaultInsecureSkipIssuerVerification is the default value
+	// for OIDCOptions.InsecureSkipIssuerVerification
+	DefaultInsecureSkipIssuerVerification bool = false
+
+	// DefaultSkipClaimsFromProfileURL is the default value
+	// for Provider.SkipClaimsFromProfileURL
+	DefaultSkipClaimsFromProfileURL bool = false
+
+	// DefaultADFSSkipScope is the default value
+	// for ADFSOptions.SkipScope
+	DefaultADFSSkipScope bool = false
+
+	// DefaultMicrosoftEntraIDUseFederatedToken is the default value
+	// for MicrosoftEntraIDOptions.FederatedTokenAuth
+	DefaultMicrosoftEntraIDUseFederatedToken bool = false
+
+	// DefaultGoogleUseApplicationDefaultCredentials is the default values
+	// for GoogleOptions.UseApplicationDefaultCredentials
+	DefaultUseApplicationDefaultCredentials bool = false
+
+	// DefaultUseSystemTrustStore is the default value
+	// for Provider.UseSystemTrustStore
+	DefaultUseSystemTrustStore bool = true
 )
 
 // OIDCAudienceClaims is the generic audience claim list used by the OIDC provider.
@@ -298,9 +334,9 @@ func providerDefaults() Providers {
 				Tenant: "common",
 			},
 			OIDCConfig: OIDCOptions{
-				InsecureAllowUnverifiedEmail: ptr.Ptr(false),
+				InsecureAllowUnverifiedEmail: ptr.Ptr(DefaultInsecureAllowUnverifiedEmail),
-				InsecureSkipNonce:            ptr.Ptr(true),
+				InsecureSkipNonce:            ptr.Ptr(DefaultInsecureSkipNonce),
-				SkipDiscovery:                ptr.Ptr(false),
+				SkipDiscovery:                ptr.Ptr(DefaultSkipDiscovery),
 				UserIDClaim:                  OIDCEmailClaim, // Deprecated: Use OIDCEmailClaim
 				EmailClaim:                   OIDCEmailClaim,
 				GroupsClaim:                  OIDCGroupsClaim,
@@ -322,10 +358,10 @@ func (p Providers) EnsureDefaults() {
 // EnsureDefaults sets any default values for Provider fields.
 func (p *Provider) EnsureDefaults() {
 	if p.SkipClaimsFromProfileURL == nil {
-		p.SkipClaimsFromProfileURL = ptr.Ptr(false)
+		p.SkipClaimsFromProfileURL = ptr.Ptr(DefaultSkipClaimsFromProfileURL)
 	}
 	if p.UseSystemTrustStore == nil {
-		p.UseSystemTrustStore = ptr.Ptr(true)
+		p.UseSystemTrustStore = ptr.Ptr(DefaultUseSystemTrustStore)
 	}
 
 	p.OIDCConfig.EnsureDefaults()
@@ -338,13 +374,13 @@ func (p *Provider) EnsureDefaults() {
 func (o *OIDCOptions) EnsureDefaults() {
 	// Ensure OIDC defaults
 	if o.InsecureAllowUnverifiedEmail == nil {
-		o.InsecureAllowUnverifiedEmail = ptr.Ptr(false)
+		o.InsecureAllowUnverifiedEmail = ptr.Ptr(DefaultInsecureAllowUnverifiedEmail)
 	}
 	if o.InsecureSkipNonce == nil {
-		o.InsecureSkipNonce = ptr.Ptr(true)
+		o.InsecureSkipNonce = ptr.Ptr(DefaultInsecureSkipNonce)
 	}
 	if o.SkipDiscovery == nil {
-		o.SkipDiscovery = ptr.Ptr(false)
+		o.SkipDiscovery = ptr.Ptr(DefaultSkipDiscovery)
 	}
 	if o.UserIDClaim == "" {
 		o.UserIDClaim = OIDCEmailClaim
@@ -363,20 +399,20 @@ func (o *OIDCOptions) EnsureDefaults() {
 // EnsureDefaults sets any default values for MicrosoftEntraIDOptions fields.
 func (me *MicrosoftEntraIDOptions) EnsureDefaults() {
 	if me.FederatedTokenAuth == nil {
-		me.FederatedTokenAuth = ptr.Ptr(false)
+		me.FederatedTokenAuth = ptr.Ptr(DefaultMicrosoftEntraIDUseFederatedToken)
 	}
 }
 
 // EnsureDefaults sets any default values for ADFSOptions fields.
 func (a *ADFSOptions) EnsureDefaults() {
 	if a.SkipScope == nil {
-		a.SkipScope = ptr.Ptr(false)
+		a.SkipScope = ptr.Ptr(DefaultADFSSkipScope)
 	}
 }
 
 // EnsureDefaults sets any default values for GoogleOptions fields.
 func (g *GoogleOptions) EnsureDefaults() {
 	if g.UseApplicationDefaultCredentials == nil {
-		g.UseApplicationDefaultCredentials = ptr.Ptr(false)
+		g.UseApplicationDefaultCredentials = ptr.Ptr(DefaultUseApplicationDefaultCredentials)
 	}
 }

pkg/apis/options/upstreams.go

@@ -1,6 +1,7 @@
 package options
 
 import (
+	"net/http"
 	"time"
 
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr"
@@ -8,10 +9,31 @@ import (
 
 const (
 	// DefaultUpstreamFlushInterval is the default value for the Upstream FlushInterval.
-	DefaultUpstreamFlushInterval = 1 * time.Second
+	DefaultUpstreamFlushInterval time.Duration = 1 * time.Second
 
 	// DefaultUpstreamTimeout is the maximum duration a network dial to a upstream server for a response.
-	DefaultUpstreamTimeout = 30 * time.Second
+	DefaultUpstreamTimeout time.Duration = 30 * time.Second
+
+	// DefaultUpstreamStatic determines if upstreams are static by default.
+	DefaultUpstreamStatic bool = false
+
+	// DefaultUpstreamStaticCode is the default response code for static upstreams.
+	DefaultUpstreamStaticCode int = http.StatusOK // 200
+
+	// DefaultUpstreamProxyRawPath determines if upstreams will proxy the raw url path by default.
+	DefaultUpstreamProxyRawPath bool = false
+
+	// DefaultUpstreamInsecureSkipTLSVerify determines if upstreams will skip TLS verification by default.
+	DefaultUpsteamInsecureSkipTLSVerify bool = false
+
+	// DefaultUpstreamPassHostHeader determines if upstreams will pass the host header by default.
+	DefaultUpstreamPassHostHeader bool = true
+
+	// DefaultUpstreamProxyWebSockets determines if upstreams will proxy websockets by default.
+	DefaultUpstreamProxyWebSockets bool = true
+
+	// DefaultUpstreamDisableKeepAlives determines if upstreams will disable keep-alives by default.
+	DefaultUpstreamDisableKeepAlives bool = false
 )
 
 // UpstreamConfig is a collection of definitions for upstream servers.
@@ -106,7 +128,7 @@ type Upstream struct {
 // EnsureDefaults sets any default values for UpstreamConfig fields.
 func (uc *UpstreamConfig) EnsureDefaults() {
 	if uc.ProxyRawPath == nil {
-		uc.ProxyRawPath = ptr.Ptr(false)
+		uc.ProxyRawPath = ptr.Ptr(DefaultUpstreamProxyRawPath)
 	}
 	for i := range uc.Upstreams {
 		uc.Upstreams[i].EnsureDefaults()
@@ -116,24 +138,24 @@ func (uc *UpstreamConfig) EnsureDefaults() {
 // EnsureDefaults sets any default values for Upstream fields.
 func (u *Upstream) EnsureDefaults() {
 	if u.InsecureSkipTLSVerify == nil {
-		u.InsecureSkipTLSVerify = ptr.Ptr(false)
+		u.InsecureSkipTLSVerify = ptr.Ptr(DefaultUpsteamInsecureSkipTLSVerify)
 	}
 	if u.Static == nil {
-		u.Static = ptr.Ptr(false)
+		u.Static = ptr.Ptr(DefaultUpstreamStatic)
 	}
 	if u.FlushInterval == nil {
 		u.FlushInterval = ptr.Ptr(DefaultUpstreamFlushInterval)
 	}
 	if u.PassHostHeader == nil {
-		u.PassHostHeader = ptr.Ptr(true)
+		u.PassHostHeader = ptr.Ptr(DefaultUpstreamPassHostHeader)
 	}
 	if u.ProxyWebSockets == nil {
-		u.ProxyWebSockets = ptr.Ptr(true)
+		u.ProxyWebSockets = ptr.Ptr(DefaultUpstreamProxyWebSockets)
 	}
 	if u.Timeout == nil {
 		u.Timeout = ptr.Ptr(DefaultUpstreamTimeout)
 	}
 	if u.DisableKeepAlives == nil {
-		u.DisableKeepAlives = ptr.Ptr(false)
+		u.DisableKeepAlives = ptr.Ptr(DefaultUpstreamDisableKeepAlives)
 	}
 }

pkg/middleware/headers.go

@@ -28,7 +28,7 @@ func NewRequestHeaderInjector(headers []options.Header) (alice.Constructor, erro
 func newStripHeaders(headers []options.Header) alice.Constructor {
 	headersToStrip := []options.Header{}
 	for _, header := range headers {
-		if !ptr.Deref(header.PreserveRequestValue, false) {
+		if !ptr.Deref(header.PreserveRequestValue, options.DefaultHeaderPreserveRequestValue) {
 			headersToStrip = append(headersToStrip, header)
 		}
 	}

pkg/upstream/http.go

@@ -54,7 +54,7 @@ func newHTTPUpstreamProxy(upstream options.Upstream, u *url.URL, sigData *option
 
 	// Set up a WebSocket proxy if required
 	var wsProxy http.Handler
-	if ptr.Deref(upstream.ProxyWebSockets, false) {
+	if ptr.Deref(upstream.ProxyWebSockets, options.DefaultUpstreamProxyWebSockets) {
 		wsProxy = newWebSocketReverseProxy(u, upstream.InsecureSkipTLSVerify)
 	}
 
@@ -150,14 +150,14 @@ func newReverseProxy(target *url.URL, upstream options.Upstream, errorHandler Pr
 
 	// InsecureSkipVerify is a configurable option we allow
 	/* #nosec G402 */
-	if ptr.Deref(upstream.InsecureSkipTLSVerify, false) {
+	if ptr.Deref(upstream.InsecureSkipTLSVerify, options.DefaultUpsteamInsecureSkipTLSVerify) {
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	}
 
 	// Ensure we always pass the original request path
 	setProxyDirector(proxy)
 
-	if !ptr.Deref(upstream.PassHostHeader, false) {
+	if !ptr.Deref(upstream.PassHostHeader, options.DefaultUpstreamPassHostHeader) {
 		setProxyUpstreamHostHeader(proxy, target)
 	}
 
@@ -169,7 +169,7 @@ func newReverseProxy(target *url.URL, upstream options.Upstream, errorHandler Pr
 
 	// Pass on DisableKeepAlives to the transport settings
 	// to allow for disabling HTTP keep-alive connections
-	transport.DisableKeepAlives = ptr.Deref(upstream.DisableKeepAlives, false)
+	transport.DisableKeepAlives = ptr.Deref(upstream.DisableKeepAlives, options.DefaultUpstreamDisableKeepAlives)
 
 	// Apply the customized transport to our proxy before returning it
 	proxy.Transport = transport

pkg/upstream/proxy.go

@@ -28,12 +28,12 @@ func NewProxy(upstreams options.UpstreamConfig, sigData *options.SignatureData,
 		serveMux: mux.NewRouter(),
 	}
 
-	if ptr.Deref(upstreams.ProxyRawPath, false) {
+	if ptr.Deref(upstreams.ProxyRawPath, options.DefaultUpstreamProxyRawPath) {
 		m.serveMux.UseEncodedPath()
 	}
 
 	for _, upstream := range sortByPathLongest(upstreams.Upstreams) {
-		if ptr.Deref(upstream.Static, false) {
+		if ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) {
 			if err := m.registerStaticResponseHandler(upstream, writer); err != nil {
 				return nil, fmt.Errorf("could not register static upstream %q: %v", upstream.ID, err)
 			}
@@ -75,7 +75,7 @@ func (m *multiUpstreamProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request
 
 // registerStaticResponseHandler registers a static response handler with at the given path.
 func (m *multiUpstreamProxy) registerStaticResponseHandler(upstream options.Upstream, writer pagewriter.Writer) error {
-	logger.Printf("mapping path %q => static response %d", upstream.Path, ptr.Deref(upstream.StaticCode, 200))
+	logger.Printf("mapping path %q => static response %d", upstream.Path, ptr.Deref(upstream.StaticCode, options.DefaultUpstreamStaticCode))
 	return m.registerHandler(upstream, newStaticResponseHandler(upstream.ID, upstream.StaticCode), writer)
 }
 

pkg/upstream/static.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr"
 )
@@ -13,7 +14,7 @@ import (
 // a static response code.
 func newStaticResponseHandler(upstream string, code *int) http.Handler {
 	return &staticResponseHandler{
-		code:     ptr.Deref(code, 200),
+		code:     ptr.Deref(code, options.DefaultUpstreamStaticCode),
 		upstream: upstream,
 	}
 }

pkg/validation/options.go

@@ -35,7 +35,7 @@ func Validate(o *options.Options) error {
 		transport := requests.DefaultTransport.(*http.Transport)
 		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- InsecureSkipVerify is a configurable option we allow
 	} else if len(o.Providers[0].CAFiles) > 0 {
-		pool, err := util.GetCertPool(o.Providers[0].CAFiles, ptr.Deref(o.Providers[0].UseSystemTrustStore, false))
+		pool, err := util.GetCertPool(o.Providers[0].CAFiles, ptr.Deref(o.Providers[0].UseSystemTrustStore, options.DefaultUseSystemTrustStore))
 		if err == nil {
 			transport := requests.DefaultTransport.(*http.Transport)
 			transport.TLSClientConfig = &tls.Config{

pkg/validation/providers.go

@@ -65,7 +65,7 @@ func validateProvider(provider options.Provider, providerIDs map[string]struct{}
 // providerRequiresClientSecret checks if provider requires client secret to be set
 // or it can be omitted in favor of JWT token to authenticate oAuth client
 func providerRequiresClientSecret(provider options.Provider) bool {
-	if provider.Type == "entra-id" && ptr.Deref(provider.MicrosoftEntraIDConfig.FederatedTokenAuth, false) {
+	if provider.Type == "entra-id" && ptr.Deref(provider.MicrosoftEntraIDConfig.FederatedTokenAuth, options.DefaultMicrosoftEntraIDUseFederatedToken) {
 		return false
 	}
 
@@ -97,7 +97,7 @@ func validateGoogleConfig(provider options.Provider) []string {
 
 	hasAdminEmail := provider.GoogleConfig.AdminEmail != ""
 	hasSAJSON := provider.GoogleConfig.ServiceAccountJSON != ""
-	useADC := ptr.Deref(provider.GoogleConfig.UseApplicationDefaultCredentials, false)
+	useADC := ptr.Deref(provider.GoogleConfig.UseApplicationDefaultCredentials, options.DefaultUseApplicationDefaultCredentials)
 
 	if !hasAdminEmail && !hasSAJSON && !useADC {
 		return msgs
@@ -124,7 +124,7 @@ func validateGoogleConfig(provider options.Provider) []string {
 func validateEntraConfig(provider options.Provider) []string {
 	msgs := []string{}
 
-	if ptr.Deref(provider.MicrosoftEntraIDConfig.FederatedTokenAuth, false) {
+	if ptr.Deref(provider.MicrosoftEntraIDConfig.FederatedTokenAuth, options.DefaultMicrosoftEntraIDUseFederatedToken) {
 		federatedTokenPath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
 
 		if federatedTokenPath == "" {

pkg/validation/upstreams.go

@@ -55,28 +55,28 @@ func validateUpstream(upstream options.Upstream, ids, paths map[string]struct{})
 func validateStaticUpstream(upstream options.Upstream) []string {
 	msgs := []string{}
 
-	if !ptr.Deref(upstream.Static, false) && upstream.StaticCode != nil {
+	if !ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) && upstream.StaticCode != nil {
 		msgs = append(msgs, fmt.Sprintf("upstream %q has staticCode (%d), but is not a static upstream, set 'static' for a static response", upstream.ID, *upstream.StaticCode))
 	}
 
 	// Checks after this only make sense when the upstream is static
-	if !ptr.Deref(upstream.Static, false) {
+	if !ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) {
 		return msgs
 	}
 
 	if upstream.URI != "" {
 		msgs = append(msgs, fmt.Sprintf("upstream %q has uri, but is a static upstream, this will have no effect.", upstream.ID))
 	}
-	if ptr.Deref(upstream.InsecureSkipTLSVerify, false) {
+	if ptr.Deref(upstream.InsecureSkipTLSVerify, options.DefaultUpsteamInsecureSkipTLSVerify) {
 		msgs = append(msgs, fmt.Sprintf("upstream %q has insecureSkipTLSVerify, but is a static upstream, this will have no effect.", upstream.ID))
 	}
 	if ptr.Deref(upstream.FlushInterval, options.DefaultUpstreamFlushInterval) != options.DefaultUpstreamFlushInterval {
 		msgs = append(msgs, fmt.Sprintf("upstream %q has flushInterval, but is a static upstream, this will have no effect.", upstream.ID))
 	}
-	if ptr.Deref(upstream.PassHostHeader, false) {
+	if ptr.Deref(upstream.PassHostHeader, options.DefaultUpstreamPassHostHeader) {
 		msgs = append(msgs, fmt.Sprintf("upstream %q has passHostHeader, but is a static upstream, this will have no effect.", upstream.ID))
 	}
-	if ptr.Deref(upstream.ProxyWebSockets, false) {
+	if ptr.Deref(upstream.ProxyWebSockets, options.DefaultUpstreamProxyWebSockets) {
 		msgs = append(msgs, fmt.Sprintf("upstream %q has proxyWebSockets, but is a static upstream, this will have no effect.", upstream.ID))
 	}
 
@@ -86,13 +86,13 @@ func validateStaticUpstream(upstream options.Upstream) []string {
 func validateUpstreamURI(upstream options.Upstream) []string {
 	msgs := []string{}
 
-	if !ptr.Deref(upstream.Static, false) && upstream.URI == "" {
+	if !ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) && upstream.URI == "" {
 		msgs = append(msgs, fmt.Sprintf("upstream %q has empty uri: uris are required for all non-static upstreams", upstream.ID))
 		return msgs
 	}
 
 	// Checks after this only make sense the upstream is not static
-	if !ptr.Deref(upstream.Static, false) {
+	if !ptr.Deref(upstream.Static, options.DefaultUpstreamStatic) {
 		return msgs
 	}
 

providers/adfs.go

@@ -51,7 +51,7 @@ func NewADFSProvider(p *ProviderData, opts options.Provider) *ADFSProvider {
 
 	return &ADFSProvider{
 		OIDCProvider:    oidcProvider,
-		skipScope:       ptr.Deref(opts.ADFSConfig.SkipScope, false),
+		skipScope:       ptr.Deref(opts.ADFSConfig.SkipScope, options.DefaultADFSSkipScope),
 		oidcEnrichFunc:  oidcProvider.EnrichSession,
 		oidcRefreshFunc: oidcProvider.RefreshSession,
 	}

providers/google.go

@@ -109,7 +109,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv
 		},
 	}
 
-	if opts.UseOrganizationID || opts.ServiceAccountJSON != "" || ptr.Deref(opts.UseApplicationDefaultCredentials, false) {
+	if opts.UseOrganizationID || opts.ServiceAccountJSON != "" || ptr.Deref(opts.UseApplicationDefaultCredentials, options.DefaultUseApplicationDefaultCredentials) {
 		// reuse admin service to avoid multiple calls for token
 		var adminService *admin.Service
 
@@ -132,7 +132,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv
 			}
 		}
 
-		if opts.ServiceAccountJSON != "" || ptr.Deref(opts.UseApplicationDefaultCredentials, false) {
+		if opts.ServiceAccountJSON != "" || ptr.Deref(opts.UseApplicationDefaultCredentials, options.DefaultUseApplicationDefaultCredentials) {
 			if adminService == nil {
 				adminService = getAdminService(opts)
 			}
@@ -304,7 +304,7 @@ var possibleScopesList = [...]string{
 }
 
 func getOauth2TokenSource(ctx context.Context, opts options.GoogleOptions, scope string) oauth2.TokenSource {
-	if ptr.Deref(opts.UseApplicationDefaultCredentials, false) {
+	if ptr.Deref(opts.UseApplicationDefaultCredentials, options.DefaultUseApplicationDefaultCredentials) {
 		ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
 			TargetPrincipal: getTargetPrincipal(ctx, opts),
 			Scopes:          strings.Split(scope, " "),

providers/ms_entra_id.go

@@ -52,7 +52,7 @@ func NewMicrosoftEntraIDProvider(p *ProviderData, opts options.Provider) *Micros
 		OIDCProvider: NewOIDCProvider(p, opts.OIDCConfig),
 
 		multiTenantAllowedTenants: opts.MicrosoftEntraIDConfig.AllowedTenants,
-		federatedTokenAuth:        ptr.Deref(opts.MicrosoftEntraIDConfig.FederatedTokenAuth, false),
+		federatedTokenAuth:        ptr.Deref(opts.MicrosoftEntraIDConfig.FederatedTokenAuth, options.DefaultMicrosoftEntraIDUseFederatedToken),
 		microsoftGraphURL:         microsoftGraphURL,
 	}
 }

providers/oidc.go

@@ -51,7 +51,7 @@ func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider {
 
 	return &OIDCProvider{
 		ProviderData: p,
-		SkipNonce:    ptr.Deref(opts.InsecureSkipNonce, false),
+		SkipNonce:    ptr.Deref(opts.InsecureSkipNonce, options.DefaultInsecureSkipNonce),
 	}
 }
 

providers/providers.go

@@ -99,8 +99,8 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
 			IssuerURL:              providerConfig.OIDCConfig.IssuerURL,
 			JWKsURL:                providerConfig.OIDCConfig.JwksURL,
 			PublicKeyFiles:         providerConfig.OIDCConfig.PublicKeyFiles,
-			SkipDiscovery:          ptr.Deref(providerConfig.OIDCConfig.SkipDiscovery, false),
+			SkipDiscovery:          ptr.Deref(providerConfig.OIDCConfig.SkipDiscovery, options.DefaultSkipDiscovery),
-			SkipIssuerVerification: ptr.Deref(providerConfig.OIDCConfig.InsecureSkipIssuerVerification, false),
+			SkipIssuerVerification: ptr.Deref(providerConfig.OIDCConfig.InsecureSkipIssuerVerification, options.DefaultInsecureSkipIssuerVerification),
 		})
 		if err != nil {
 			return nil, fmt.Errorf("error building OIDC ProviderVerifier: %v", err)
@@ -144,10 +144,10 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
 	}
 
 	// Make the OIDC options available to all providers that support it
-	p.AllowUnverifiedEmail = ptr.Deref(providerConfig.OIDCConfig.InsecureAllowUnverifiedEmail, false)
+	p.AllowUnverifiedEmail = ptr.Deref(providerConfig.OIDCConfig.InsecureAllowUnverifiedEmail, options.DefaultInsecureAllowUnverifiedEmail)
 	p.EmailClaim = providerConfig.OIDCConfig.EmailClaim
 	p.GroupsClaim = providerConfig.OIDCConfig.GroupsClaim
-	p.SkipClaimsFromProfileURL = ptr.Deref(providerConfig.SkipClaimsFromProfileURL, false)
+	p.SkipClaimsFromProfileURL = ptr.Deref(providerConfig.SkipClaimsFromProfileURL, options.DefaultSkipClaimsFromProfileURL)
 
 	// Set PKCE enabled or disabled based on discovery and force options
 	p.CodeChallengeMethod = parseCodeChallengeMethod(providerConfig)