authenticate: fix authenticate_internal_service_url for all in one (#4003)

proxy/state.go

@@ -9,7 +9,6 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
-	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/sessions/cookie"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
@@ -49,11 +48,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 
 	state := new(proxyState)
 
-	authenticateURL, err := cfg.Options.GetAuthenticateURL()
-	if err != nil {
-		return nil, err
-	}
-
 	state.sharedKey, err = cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, err
@@ -64,21 +58,10 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 		return nil, err
 	}
 
-	jwksURL := authenticateURL.ResolveReference(&url.URL{
-		Path: "/.well-known/pomerium/jwks.json",
-	}).String()
-	transport := httputil.GetInsecureTransport()
-	ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
+	state.authenticateKeyFetcher, err = cfg.GetAuthenticateKeyFetcher()
 	if err != nil {
-		return nil, fmt.Errorf("proxy: error determining if authenticate service will have a certificate name: %w", err)
+		return nil, fmt.Errorf("authorize: get authenticate JWKS key fetcher: %w", err)
 	}
-	if ok {
-		transport, err = config.GetTLSClientTransport(cfg)
-		if err != nil {
-			return nil, fmt.Errorf("proxy: get tls client config: %w", err)
-		}
-	}
-	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
 
 	state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
 	if err != nil {