From 0dcddb9dba5cdada367036c6b2222dbf8ec75d2d Mon Sep 17 00:00:00 2001
From: "Scott G. Miller"
Date: Mon, 5 Aug 2024 12:35:03 -0500
Subject: [PATCH] setup the CA roots in the roundtripper if present
---
 path_config.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/path_config.go b/path_config.go
index 52d43525..d3c1e869 100644
--- a/path_config.go
+++ b/path_config.go
@@ -366,7 +366,7 @@ func (b *jwtAuthBackend) createProvider(config *jwtConfig) (*oidc.Provider, erro
 supportedSigAlgs = []oidc.Alg{oidc.RS256}
 }
- opts := []oidc.Option{oidc.WithProviderCA(config.OIDCDiscoveryCAPEM)}
+ var opts []oidc.Option
 if len(config.UnsupportedCriticalCertExtensions) > 0 {
 var oids []asn1.ObjectIdentifier
 for _, v := range config.UnsupportedCriticalCertExtensions {
@@ -397,6 +397,8 @@ func (b *jwtAuthBackend) createProvider(config *jwtConfig) (*oidc.Provider, erro
 }
 opts = append(opts, oidc.WithRoundTripper(ietripper))
+ } else if config.OIDCDiscoveryCAPEM != "" {
+ opts = append(opts, oidc.WithProviderCA(config.OIDCDiscoveryCAPEM))
 }
 c, err := oidc.NewConfig(config.OIDCDiscoveryURL, config.OIDCClientID, oidc.ClientSecret(config.OIDCClientSecret), supportedSigAlgs, []string{},
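Review bot: In the `len(config.UnsupportedCriticalCertExtensions) > 0` branch the provider no longer receives `oidc.WithProviderCA(config.OIDCDiscoveryCAPEM)`, so the configured discovery CA only applies if the round tripper built between the two hunks (not visible here) loads that PEM into its TLS root pool. If that code skips the PEM, or ignores a parse failure, requests to the identity provider would presumably fall back to the system trust store and silently widen the set of trusted CAs. Please add a comment above the `else if`, for example `// the custom round tripper carries its own root pool built from OIDCDiscoveryCAPEM; WithProviderCA applies only when no round tripper is set`. A test that sets both the CA PEM and the unsupported-extension list, and asserts that a server certificate from an unlisted CA is rejected, would pin this down. createProvider begins and ends outside these hunks, so the round-tripper construction should be checked in the full file.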