From 7cf69b27fa93923db4c3bc6104d21235f8d77712 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ra=C3=BAl=20Sampedro?=
 <5142014+rsrdesarrollo@users.noreply.github.com>
Date: Tue, 11 Nov 2025 21:08:08 +0100
Subject: [PATCH] fix: NewRemoteKeySet is not using DefaultHTTPClient (#3197)

* fix: NewRemoteKeySet is not using DefaultHTTPClient

Signed-off-by: Jan Larwig <jan@larwig.com>

* doc: add changelog entry

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
---
 CHANGELOG.md                            | 2 ++
 pkg/providers/oidc/provider_verifier.go | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13ef6807d..2aa2ef46b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@
 
 ## Changes since v7.13.0
 
+- [#3197](https://github.com/oauth2-proxy/oauth2-proxy/pull/3197) fix: NewRemoteKeySet is not using DefaultHTTPClient (@rsrdesarrollo / @tuunit)
+
 # V7.13.0
 
 ## Release Highlights
diff --git a/pkg/providers/oidc/provider_verifier.go b/pkg/providers/oidc/provider_verifier.go
index b6b9a9704..eac80a8c1 100644
--- a/pkg/providers/oidc/provider_verifier.go
+++ b/pkg/providers/oidc/provider_verifier.go
@@ -10,6 +10,7 @@ import (
 	"os"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
 	k8serrors "k8s.io/apimachinery/pkg/util/errors"
 )
 
@@ -127,6 +128,8 @@ func NewProviderVerifier(ctx context.Context, opts ProviderVerifierOptions) (Pro
 type verifierBuilder func(*oidc.Config) *oidc.IDTokenVerifier
 
 func getVerifierBuilder(ctx context.Context, opts ProviderVerifierOptions) (verifierBuilder, DiscoveryProvider, error) {
+	ctx = oidc.ClientContext(ctx, requests.DefaultHTTPClient)
+
 	if opts.SkipDiscovery {
 		var keySet oidc.KeySet
 		var err error