Add option to disable SSL verification for OIDC (#684)

* Add setting OIDC_VERIFY_SSL

Pass through the setting OIDC_VERIFY_SSL in order to allow self-signed certificates or a custom certificate authority for the OIDC provider

* Update Options.md to include the new setting OIDC_VERIFY_SSL

* add default setting test

---------

Co-authored-by: Sascha Ißbrücker <sascha.issbruecker@gmail.com>
Jan Hendrik Lübke 2024-04-07 16:33:29 +02:00 committed by GitHub
parent f7bd6ccb31
commit 5d8fdebb7c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 14 additions and 0 deletions


@ -49,3 +49,15 @@ class OidcSupportTest(TestCase):
base_settings.AUTHENTICATION_BACKENDS, base_settings.AUTHENTICATION_BACKENDS,
) )
del os.environ["LD_ENABLE_OIDC"] # Remove the temporary environment variable del os.environ["LD_ENABLE_OIDC"] # Remove the temporary environment variable
def test_default_settings(self):
os.environ["LD_ENABLE_OIDC"] = "True"
base_settings = importlib.import_module("siteroot.settings.base")
importlib.reload(base_settings)
self.assertEqual(
True,
base_settings.OIDC_VERIFY_SSL,
)
del os.environ["LD_ENABLE_OIDC"]
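Review bot: test_default_settings pins only the unset case, so the parsing of explicit values, which is what decides whether certificate verification is turned off, is untested. Add cases that set `OIDC_VERIFY_SSL` to `"False"` and to an unexpected value such as `"true"`, and assert the resulting boolean for each. The trailing `del os.environ["LD_ENABLE_OIDC"]` is also skipped when the assertion fails, which leaves the variable set for later tests; wrapping the reload in `with mock.patch.dict(os.environ, {"LD_ENABLE_OIDC": "True"}):` (from `unittest.mock`) restores the environment either way. OidcSupportTest starts outside this hunk.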


@ -118,6 +118,7 @@ The following options can be configured:
- `OIDC_RP_CLIENT_SECRET` - The client secret of the application. - `OIDC_RP_CLIENT_SECRET` - The client secret of the application.
- `OIDC_RP_SIGN_ALGO` - The algorithm the OIDC provider uses to sign ID tokens. Default is `RS256`. - `OIDC_RP_SIGN_ALGO` - The algorithm the OIDC provider uses to sign ID tokens. Default is `RS256`.
- `OIDC_USE_PKCE` - Whether to use PKCE for the OIDC flow. Default is `True`. - `OIDC_USE_PKCE` - Whether to use PKCE for the OIDC flow. Default is `True`.
- `OIDC_VERIFY_SSL` - Whether to verify the SSL certificate of the OIDC provider. Set to `False` if using self-signed certificates or custom certificate authority. Default is `True`.
<details> <details>


@ -212,6 +212,7 @@ if LD_ENABLE_OIDC:
OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET") OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256") OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256")
OIDC_USE_PKCE = os.getenv("OIDC_USE_PKCE", True) in (True, "True", "1") OIDC_USE_PKCE = os.getenv("OIDC_USE_PKCE", True) in (True, "True", "1")
OIDC_VERIFY_SSL = os.getenv("OIDC_VERIFY_SSL", True) in (True, "True", "1")
# Enable authentication proxy support if configured # Enable authentication proxy support if configured
LD_ENABLE_AUTH_PROXY = os.getenv("LD_ENABLE_AUTH_PROXY", False) in (True, "True", "1") LD_ENABLE_AUTH_PROXY = os.getenv("LD_ENABLE_AUTH_PROXY", False) in (True, "True", "1")
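Review bot: The `OIDC_VERIFY_SSL` parse fails open: any value other than `True` or `1`, including `true`, `yes` or a typo, evaluates to False and turns off certificate verification for the OIDC provider without any warning. For a setting that guards the connection to the identity provider, verification should be dropped only on an explicit false value, e.g. `OIDC_VERIFY_SSL = os.getenv("OIDC_VERIFY_SSL", "True") not in ("False", "false", "0")`. A comment above the line should state that False removes protection against an intercepted provider connection and is meant for test setups; for a private certificate authority, the Options.md entry would do better to recommend trusting that CA than disabling verification. The `if LD_ENABLE_OIDC:` block starts outside this hunk.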