Issue by bcwaldon
Tuesday Nov 11, 2014 at 21:16 GMT
Originally opened as https://github.com/coreos-inc/auth/issues/26

TLS is absolutely necessary to protect the transmission of client secrets. However, there are two primary use-cases for not deploying authd with TLS:

1. development - it can be a pain to deploy services with TLS in dev environments
2. load-balancer - it is common to terminate SSL/TLS at a load balancer

Together, these use-cases add an interesting requirement: the ability to advertise HTTP vs HTTPS in the ProviderConfig. If TLS is completely off (the development use-case), then the ProviderConfig should advertise its endpoints using HTTP. If TLS is in use between clients and the load balancer, the ProviderConfig should still advertise HTTPS, but authd actually has nothing to do with TLS.