Skip to content

Commit d1f543c

Browse files
c00kiemon5terc00kiemon5ter
committed
Add verify_ssl option to OIDC backend
Signed-off-by: Ivan Kanakarakis <[email protected]>
1 parent d0f5552 commit d1f543c

File tree

2 files changed

+10
-3
lines changed

2 files changed

+10
-3
lines changed

example/plugins/backends/openid_backend.yaml.example

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ config:
44
provider_metadata:
55
issuer: https://op.example.com
66
client:
7+
verify_ssl: yes
78
auth_req_params:
89
response_type: code
910
scope: [openid, profile, email, address, phone]

src/satosa/backends/openid_connect.py

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,11 @@ def __init__(self, auth_callback_func, internal_attributes, config, base_url, na
5252
super().__init__(auth_callback_func, internal_attributes, base_url, name)
5353
self.auth_callback_func = auth_callback_func
5454
self.config = config
55-
self.client = _create_client(config["provider_metadata"], config["client"]["client_metadata"])
55+
self.client = _create_client(
56+
config["provider_metadata"],
57+
config["client"]["client_metadata"],
58+
config["client"].get("verify_ssl", True),
59+
)
5660
if "scope" not in config["client"]["auth_req_params"]:
5761
config["auth_req_params"]["scope"] = "openid"
5862
if "response_type" not in config["client"]["auth_req_params"]:
@@ -230,7 +234,7 @@ def get_metadata_desc(self):
230234
return get_metadata_desc_for_oauth_backend(self.config["provider_metadata"]["issuer"], self.config)
231235

232236

233-
def _create_client(provider_metadata, client_metadata):
237+
def _create_client(provider_metadata, client_metadata, verify_ssl=True):
234238
"""
235239
Create a pyoidc client instance.
236240
:param provider_metadata: provider configuration information
@@ -240,7 +244,9 @@ def _create_client(provider_metadata, client_metadata):
240244
:return: client instance to use for communicating with the configured provider
241245
:rtype: oic.oic.Client
242246
"""
243-
client = oic.Client(client_authn_method=CLIENT_AUTHN_METHOD)
247+
client = oic.Client(
248+
client_authn_method=CLIENT_AUTHN_METHOD, verify_ssl=verify_ssl
249+
)
244250

245251
# Provider configuration information
246252
if "authorization_endpoint" in provider_metadata:

0 commit comments

Comments
 (0)