Skip to content

[18.0][IMP]auth_oidc: verify self-signed certificates #837

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ChristophAbenthungCibex wants to merge 1 commit into
base: 18.0
Choose a base branch
from
Open

[18.0][IMP]auth_oidc: verify self-signed certificates #837

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion auth_oidc/models/auth_oauth_provider.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,10 +46,23 @@ class AuthOauthProvider(models.Model):
string="Token URL", help="Required for OpenID Connect authorization code flow."
)
jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
self_signed = fields.Boolean(
string="Self-signed",
help="Disable certificate checks for server to server token requests "
"when using self signed certificates.",
)
Copy link
Member

@sbidoul sbidoul Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this does not make it sufficiently clear that this enables an insecure option. Could we name this field, say, "insecure" like curl does?

self_signed_verify = fields.Char(
string="Self-signed verify path",
help="Path to the self-signed certificate for the verification process. "
"Empty value disables the verification.",
)
Copy link
Member

@sbidoul sbidoul Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would name this field ca_bundle, but I have a strong preference to let that be configured at the system level, or with the REQUESTS_CA_BUNDLE environment variable.

Copy link
Contributor

@ap-wtioit ap-wtioit Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For me the benefit here would be that this is only for one OAuth server connection while REQUESTS_CA_BUNDLE is for all requests from Odoo to other servers.


@tools.ormcache("self.jwks_uri", "kid")
def _get_keys(self, kid):
r = requests.get(self.jwks_uri, timeout=10)
verify = True
if self.self_signed:
verify = self.self_signed_verify or False
r = requests.get(self.jwks_uri, timeout=10, verify=verify)
r.raise_for_status()
response = r.json()
# the keys returned here should follow
Expand Down
4 changes: 4 additions & 0 deletions auth_oidc/models/res_users.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
auth = None
if oauth_provider.client_secret:
auth = (oauth_provider.client_id, oauth_provider.client_secret)
verify = True
if oauth_provider.self_signed:
verify = oauth_provider.self_signed_verify or False
response = requests.post(
oauth_provider.token_endpoint,
data=dict(
Expand All @@ -38,6 +41,7 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
),
auth=auth,
timeout=10,
verify=verify,
)
response.raise_for_status()
response_json = response.json()
Expand Down
4 changes: 4 additions & 0 deletions auth_oidc/views/auth_oauth_provider.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,10 @@
<field name="token_endpoint" />
<field name="jwks_uri" />
</field>
<field name="data_endpoint" position="after">
<field name="self_signed" />
<field name="self_signed_verify" invisible="not self_signed" />
</field>
</field>
</record>
</odoo>