OAuth: Separate TLS client auth and CA config

It should be specify to either use TLS client authentication or use a
user-supplied CA; previously you had to enable client authentication to
use a custom CA.

pkg/api/login_oauth.go

@@ -78,16 +78,25 @@ func OAuthLogin(ctx *middleware.Context) {
 	}
 
 	// handle call back
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: setting.OAuthService.OAuthInfos[name].TlsSkipVerify,
+		},
+	}
+	sslcli := &http.Client{
+		Transport: tr,
+	}
 
-	// initialize oauth2 context
-	oauthCtx := oauth2.NoContext
 	if setting.OAuthService.OAuthInfos[name].TlsClientCert != "" || setting.OAuthService.OAuthInfos[name].TlsClientKey != "" {
 		cert, err := tls.LoadX509KeyPair(setting.OAuthService.OAuthInfos[name].TlsClientCert, setting.OAuthService.OAuthInfos[name].TlsClientKey)
 		if err != nil {
 			log.Fatal(err)
 		}
 
-		// Load CA cert
+		tr.TLSClientConfig.Certificates = append(tr.TLSClientConfig.Certificates, cert)
+	}
+
+	if setting.OAuthService.OAuthInfos[name].TlsClientCa != "" {
 		caCert, err := ioutil.ReadFile(setting.OAuthService.OAuthInfos[name].TlsClientCa)
 		if err != nil {
 			log.Fatal(err)
@@ -95,19 +104,11 @@ func OAuthLogin(ctx *middleware.Context) {
 		caCertPool := x509.NewCertPool()
 		caCertPool.AppendCertsFromPEM(caCert)
 
-		tr := &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: setting.OAuthService.OAuthInfos[name].TlsSkipVerify,
-				Certificates:       []tls.Certificate{cert},
-				RootCAs:            caCertPool,
-			},
-		}
-		sslcli := &http.Client{Transport: tr}
-
-		oauthCtx = context.Background()
-		oauthCtx = context.WithValue(oauthCtx, oauth2.HTTPClient, sslcli)
+		tr.TLSClientConfig.RootCAs = caCertPool
 	}
 
+	oauthCtx := context.WithValue(context.Background(), oauth2.HTTPClient, sslcli)
+
 	// get token from provider
 	token, err := connect.Exchange(oauthCtx, code)
 	if err != nil {