From 5d8fdebb7c4918c3face9478543ccf86b2db47ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Hendrik=20L=C3=BCbke?= <35396725+akaSyntaax@users.noreply.github.com>
Date: Sun, 7 Apr 2024 16:33:29 +0200
Subject: [PATCH] Add option to disable SSL verification for OIDC (#684)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add setting OIDC_VERIFY_SSL

Passtrough the setting OIDC_VERIFY_SSL in order to allow self-signed certificates/custom certificate authority for the OIDC provider

* Update Options.md to include the new setting OIDC_VERIFY_SSL

* add default setting test

---------

Co-authored-by: Sascha Ißbrücker
---
 bookmarks/tests/test_oidc_support.py | 12 ++++++++++++
 docs/Options.md                      |  1 +
 siteroot/settings/base.py            |  1 +
 3 files changed, 14 insertions(+)

diff --git a/bookmarks/tests/test_oidc_support.py b/bookmarks/tests/test_oidc_support.py
index 0c937d2..b3525a5 100644
--- a/bookmarks/tests/test_oidc_support.py
+++ b/bookmarks/tests/test_oidc_support.py
@@ -49,3 +49,15 @@ class OidcSupportTest(TestCase):
             base_settings.AUTHENTICATION_BACKENDS,
         )
         del os.environ["LD_ENABLE_OIDC"]  # Remove the temporary environment variable
+
+    def test_default_settings(self):
+        os.environ["LD_ENABLE_OIDC"] = "True"
+        base_settings = importlib.import_module("siteroot.settings.base")
+        importlib.reload(base_settings)
+
+        self.assertEqual(
+            True,
+            base_settings.OIDC_VERIFY_SSL,
+        )
+
+        del os.environ["LD_ENABLE_OIDC"]
diff --git a/docs/Options.md b/docs/Options.md
index 06a6bb0..9d2bb63 100644
--- a/docs/Options.md
+++ b/docs/Options.md
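Review bot: The trailing `del os.environ["LD_ENABLE_OIDC"]` in test_default_settings only runs when the assertion passes; on failure the variable leaks into later tests, which then reload settings with OIDC still enabled. Register the cleanup before the reload instead, `self.addCleanup(os.environ.pop, "LD_ENABLE_OIDC", None)`, and drop the trailing `del` (the same applies to the existing test's cleanup in the context lines). The new test also pins only the secure default, while the opt-out the option exists for is untested; a companion test should set `OIDC_VERIFY_SSL` to `"False"` and assert the parsed setting is False, so a later change to the parsing cannot silently invert it. The assertion itself reads more directly as `self.assertTrue(base_settings.OIDC_VERIFY_SSL)`.
```python
    # … unchanged: test_default_settings …

    def test_verify_ssl_can_be_disabled(self):
        os.environ["LD_ENABLE_OIDC"] = "True"
        os.environ["OIDC_VERIFY_SSL"] = "False"
        self.addCleanup(os.environ.pop, "LD_ENABLE_OIDC", None)
        self.addCleanup(os.environ.pop, "OIDC_VERIFY_SSL", None)
        base_settings = importlib.import_module("siteroot.settings.base")
        importlib.reload(base_settings)

        self.assertFalse(base_settings.OIDC_VERIFY_SSL)
```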
@@ -118,6 +118,7 @@ The following options can be configured:
 - `OIDC_RP_CLIENT_SECRET` - The client secret of the application.
 - `OIDC_RP_SIGN_ALGO` - The algorithm the OIDC provider uses to sign ID tokens. Default is `RS256`.
 - `OIDC_USE_PKCE` - Whether to use PKCE for the OIDC flow. Default is `True`.
+- `OIDC_VERIFY_SSL` - Whether to verify the SSL certificate of the OIDC provider. Set to `False` if using self-signed certificates or custom certificate authority. Default is `True`.
diff --git a/siteroot/settings/base.py b/siteroot/settings/base.py
index b9f2d7f..b0116a6 100644
--- a/siteroot/settings/base.py
+++ b/siteroot/settings/base.py
@@ -212,6 +212,7 @@ if LD_ENABLE_OIDC:
     OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
     OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256")
     OIDC_USE_PKCE = os.getenv("OIDC_USE_PKCE", True) in (True, "True", "1")
+    OIDC_VERIFY_SSL = os.getenv("OIDC_VERIFY_SSL", True) in (True, "True", "1")
 
 # Enable authentication proxy support if configured
 LD_ENABLE_AUTH_PROXY = os.getenv("LD_ENABLE_AUTH_PROXY", False) in (True, "True", "1")
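Review bot: The parse on the added `OIDC_VERIFY_SSL` line fails open: any value other than exactly `True` or `1` — `true`, `yes`, or a typo — evaluates to False and silently disables certificate verification for every request to the OIDC provider, which is the wrong failure direction for a setting that protects the token exchange. Unlike `OIDC_USE_PKCE` on the line above, this one should require an explicit opt-out, e.g. `OIDC_VERIFY_SSL = os.getenv("OIDC_VERIFY_SSL", "True") not in ("False", "false", "0")`, with a comment such as `# Only an explicit False disables TLS verification; for a private CA prefer pointing REQUESTS_CA_BUNDLE at the CA file instead` (the OIDC library's HTTP calls go through requests, which honours that variable, though that is inferred from the library rather than from this hunk). A warning log when the value resolves to False would also make an unverified deployment visible. The enclosing `if LD_ENABLE_OIDC:` block begins above the hunk.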