Mirrors/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-10-31 02:03:35 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add new OIDC TLS CA Certfile option (#3496)

Browse Source
This commit is contained in:
Carter
2024-04-19 05:36:03 -05:00
committed by GitHub
parent c6f5b62ad0
commit 1a385e941c
3 changed files with 16 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/docs/documentation/getting-started/installation/backend-config.md
View File

@@ -99,6 +99,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc.md)
| OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked | | OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |
| OIDC_SIGNING_ALGORITHM | RS256 | The algorithm used to sign the id token (examples: RS256, HS256) | | OIDC_SIGNING_ALGORITHM | RS256 | The algorithm used to sign the id token (examples: RS256, HS256) |
| OIDC_USER_CLAIM | email | Optional: 'email', 'preferred_username' | | OIDC_USER_CLAIM | email | Optional: 'email', 'preferred_username' |
| OIDC_TLS_CACERTFILE | None | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) |
### Themeing ### Themeing

13
mealie/core/security/providers/openid_provider.py
View File

@@ -119,20 +119,27 @@ class OpenIDProvider(AuthProvider[OIDCRequest]):
if not (settings.OIDC_READY and settings.OIDC_CONFIGURATION_URL): if not (settings.OIDC_READY and settings.OIDC_CONFIGURATION_URL):
return None return None
configuration = None
with requests.get(settings.OIDC_CONFIGURATION_URL, timeout=5) as config_response: session = requests.Session()
if settings.OIDC_TLS_CACERTFILE:
session.verify = settings.OIDC_TLS_CACERTFILE
config_response = session.get(settings.OIDC_CONFIGURATION_URL, timeout=5)
config_response.raise_for_status() config_response.raise_for_status()
configuration = config_response.json() configuration = config_response.json()
if not configuration: if not configuration:
OpenIDProvider._logger.warning("[OIDC] Unable to fetch configuration from the OIDC_CONFIGURATION_URL") OpenIDProvider._logger.warning("[OIDC] Unable to fetch configuration from the OIDC_CONFIGURATION_URL")
session.close()
return None return None
jwks_uri = configuration.get("jwks_uri", None) jwks_uri = configuration.get("jwks_uri", None)
if not jwks_uri: if not jwks_uri:
OpenIDProvider._logger.warning("[OIDC] Unable to find the jwks_uri from the OIDC_CONFIGURATION_URL") OpenIDProvider._logger.warning("[OIDC] Unable to find the jwks_uri from the OIDC_CONFIGURATION_URL")
session.close()
return None return None
with requests.get(jwks_uri, timeout=5) as response: response = session.get(jwks_uri, timeout=5)
response.raise_for_status() response.raise_for_status()
session.close()
return JsonWebKey.import_key_set(response.json()) return JsonWebKey.import_key_set(response.json())

1
mealie/core/settings/settings.py
View File

@@ -192,6 +192,7 @@ class AppSettings(BaseSettings):
OIDC_REMEMBER_ME: bool = False OIDC_REMEMBER_ME: bool = False
OIDC_SIGNING_ALGORITHM: str = "RS256" OIDC_SIGNING_ALGORITHM: str = "RS256"
OIDC_USER_CLAIM: str = "email" OIDC_USER_CLAIM: str = "email"
OIDC_TLS_CACERTFILE: str | None = None
@property @property
def OIDC_READY(self) -> bool: def OIDC_READY(self) -> bool: