From 02e4c85a42b53b7cafbbcbc02e697299f960fad9 Mon Sep 17 00:00:00 2001
From: Christoph Abenthung
Date: Tue, 2 Sep 2025 08:50:16 +0200
Subject: [PATCH] [IMP]auth_oidc: verify self-signed certificates

If the connection between odoo and an oauth provider uses self-signed certificates, a ssl error is thrown because the self-signed certificated cannot be verified.
---
auth_oidc/models/auth_oauth_provider.py | 15 ++++++++++++++-
auth_oidc/models/res_users.py | 4 ++++
auth_oidc/views/auth_oauth_provider.xml | 4 ++++
3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index ac498a7cdb..cf206eff7f 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -46,10 +46,23 @@ class AuthOauthProvider(models.Model):
 string="Token URL", help="Required for OpenID Connect authorization code flow."
 )
 jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
+ self_signed = fields.Boolean(
+ string="Self-signed",
+ help="Disable certificate checks for server to server token requests "
+ "when using self signed certificates.",
+ )
+ self_signed_verify = fields.Char(
+ string="Self-signed verify path",
+ help="Path to the self-signed certificate for the verification process. "
+ "Empty value disables the verification.",
+ )
 
 @tools.ormcache("self.jwks_uri", "kid")
 def _get_keys(self, kid):
- r = requests.get(self.jwks_uri, timeout=10)
+ verify = True
+ if self.self_signed:
+ verify = self.self_signed_verify or False
+ r = requests.get(self.jwks_uri, timeout=10, verify=verify)
 r.raise_for_status()
 response = r.json()
 # the keys returned here should follow
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 1684480fa4..2338d737da 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
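Review bot: `verify = self.self_signed_verify or False` in `_get_keys` turns an empty path into `verify=False`, which switches off certificate validation for the JWKS download entirely rather than trusting a self-signed certificate; since these keys are presumably what ID-token signatures are checked against, anyone able to answer for the JWKS host during that window can have their own keys accepted, and the cached result keeps being used afterwards because the `ormcache` key is only `jwks_uri`/`kid`. The same fallback is added in `_auth_oauth_get_tokens_auth_code_flow` in res_users.py. A safer contract is to treat the Boolean as "use a custom CA bundle" and require the path, e.g. `verify = self.self_signed_verify if self.self_signed else True` together with an `api.constrains` that rejects `self_signed` with an empty `self_signed_verify`; `requests` accepts a PEM file or directory there, and a wrong path surfaces as an `OSError` at request time, so the constraint should also check the file exists. If an explicit no-verify mode is really wanted, it deserves its own clearly named field rather than the empty-string default of this one.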
@@ -27,6 +27,9 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
 auth = None
 if oauth_provider.client_secret:
 auth = (oauth_provider.client_id, oauth_provider.client_secret)
+ verify = True
+ if oauth_provider.self_signed:
+ verify = oauth_provider.self_signed_verify or False
 response = requests.post(
 oauth_provider.token_endpoint,
 data=dict(
@@ -38,6 +41,7 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
 ),
 auth=auth,
 timeout=10,
+ verify=verify,
 )
 response.raise_for_status()
 response_json = response.json()
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
index 90c931b417..2d7b9c1c03 100644
--- a/auth_oidc/views/auth_oauth_provider.xml
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -19,6 +19,10 @@ + + + +
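Review bot: The three-line `verify` computation inserted before `requests.post` in the -27,6 hunk duplicates the one added to `_get_keys` in auth_oauth_provider.py, so any later change to the empty-path policy has to be made in two places. A single method on the provider model, e.g. `def _get_request_verify(self):` returning the chosen `verify` value, lets both call sites read `verify=oauth_provider._get_request_verify()` and leaves the -38,6 hunk with only the `verify=verify,` kwarg it already adds. `_auth_oauth_get_tokens_auth_code_flow` begins before the first hunk and its body continues past the second.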