Expected Behavior
The internal rest clients should trust custom CAs.
Current Behavior
The internal clients only support CAs in the jdk truststore.
Context
In corporate environments sometimes the identity provider is part of the corporate network and has an HTTPS certificate that is signed by the corporate CA.
Applications with OAuth/OIDC login perform several requests to the IdP, for retrieving metadata or for exchanging tokens. This is done with internal clients, for example in ClientRegistrations or in AbstractRestClientOAuth2AccessTokenResponseClient, that are not configurable. While the latter allows replacing the RestClient, at the cost of having to reconfigure the message converters and status handler, the former does not.
The only avenue then is to add your custom CAs to the JDK truststore, usually done with the ca-certificates buildpack. Unfortunately, loading CAs at runtime doesn't seem to work in native image.
It would be useful to be able to specify ssl bundles when configuring registrations via properties, and for those bundles to be applied to the internal clients.
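The RestClient replacement mentioned in the issue, sketched as an added example (not code from the issue author or from Spring): a token client whose RestClient trusts a corporate CA through a Spring Boot SSL bundle, with the message converters and status handler set up again by hand. It assumes Spring Boot 3.2+ and Spring Security 6.4+; the bundle name `corp-idp`, the file `corp-ca.pem` and the class name are hypothetical.

```java
// Added example. Assumed application.yml entry (hypothetical bundle name and file):
//   spring.ssl.bundle.pem.corp-idp.truststore.certificate: classpath:corp-ca.pem
package example;

import org.springframework.boot.autoconfigure.web.client.RestClientSsl;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.RestClientAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestClient;

@Configuration
class IdpTrustConfig {

    // Assumption: a bean of this type is picked up by oauth2Login (Spring Security 6.4+).
    // If it is not, pass it to tokenEndpoint(t -> t.accessTokenResponseClient(...)).
    @Bean
    OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> authorizationCodeTokenClient(
            RestClient.Builder builder, RestClientSsl ssl) {
        RestClient restClient = builder
                // Trust material comes from the named bundle instead of the JDK truststore.
                .apply(ssl.fromBundle("corp-idp"))
                // A replacement RestClient needs the token client's converters
                // and error handler configured again.
                .messageConverters(converters -> {
                    converters.clear();
                    converters.add(new FormHttpMessageConverter());
                    converters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
                })
                .defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
                .build();

        RestClientAuthorizationCodeTokenResponseClient client =
                new RestClientAuthorizationCodeTokenResponseClient();
        client.setRestClient(restClient);
        return client;
    }
}
```

This covers only the authorization-code token exchange. The metadata requests made in ClientRegistrations are not affected, which is the gap the issue describes.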