feat: possibility to disable tls verification (#19)

ricklambrechts · web-flow · commit 8980ab80ee03 · 2023-07-03T12:47:04.000+02:00
* feat: possibility to disable tls verification

* chore: update readme
diff --git a/README.md b/README.md
@@ -72,6 +72,9 @@ Replace `YourCustomLoginResponse` with the class name of your custom implementat
 
 Make sure to implement the `LoginResponseHandlerInterface` in your custom response handler class to ensure compatibility.
 
+### Disable TLS Certificate Verification
+By default, the package verifies the TLS certificate when making requests to the issuer. If you want to disable TLS certificate verification, you can set the `OIDC_TLS_VERIFY` variable to false in your environment configuration.
+
 ## Contributing
 If you encounter any issues or have suggestions for improvements, please feel free to open an issue or submit a pull request on the GitHub repository of this package.
 
diff --git a/config/oidc.php b/config/oidc.php
@@ -74,5 +74,12 @@
          * The prefix of the login route.
          */
         'prefix' => '',
-    ]
+    ],
+
+    /**
+     * TLS Verify
+     * Can be disabled for local development.
+     * Is used in OpenIDConfigurationLoader and in the ServiceProvider for OpenIDConnectClient.
+     */
+    'tls_verify' => env('OIDC_TLS_VERIFY', true),
 ];
diff --git a/src/OpenIDConfiguration/OpenIDConfigurationLoader.php b/src/OpenIDConfiguration/OpenIDConfigurationLoader.php
@@ -13,6 +13,7 @@ public function __construct(
         protected string $issuer,
         protected ?Repository $cacheStore = null,
         protected int $cacheTtl = 3600,
+        protected bool $tlsVerify = true,
     ) {
     }
 
@@ -37,7 +38,12 @@ protected function getConfigurationFromIssuer(): OpenIDConfiguration
     {
         $url = $this->getOpenIDConfigurationUrl();
 
-        $response = Http::get($url);
+        $pendingRequest = Http::baseUrl($url);
+        if (!$this->tlsVerify) {
+            $pendingRequest->withoutVerifying();
+        }
+        $response = $pendingRequest->get($url);
+
         if (!$response->successful()) {
             throw new OpenIDConfigurationLoaderException(
                 message: 'Could not load OpenID configuration from issuer',
diff --git a/src/OpenIDConnectServiceProvider.php b/src/OpenIDConnectServiceProvider.php
@@ -86,6 +86,7 @@ protected function registerConfigurationLoader(): void
                 $app['config']->get('oidc.issuer'),
                 $app['cache']->store($app['config']->get('oidc.configuration_cache.store')),
                 $app['config']->get('oidc.configuration_cache.ttl'),
+                $app['config']->get('oidc.tls_verify') === true,
             );
         });
     }
@@ -109,6 +110,11 @@ protected function registerClient(): void
             if (is_array($additionalScopes) && count($additionalScopes) > 0) {
                 $oidc->addScope($additionalScopes);
             }
+
+            if ($app['config']->get('oidc.tls_verify') !== true) {
+                $oidc->setVerifyHost(false);
+                $oidc->setVerifyPeer(false);
+            }
             return $oidc;
         });
     }

Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,7 @@ protected function registerConfigurationLoader(): void`
`86`	`86`	`$app['config']->get('oidc.issuer'),`
`87`	`87`	`$app['cache']->store($app['config']->get('oidc.configuration_cache.store')),`
`88`	`88`	`$app['config']->get('oidc.configuration_cache.ttl'),`
	`89`	`+ $app['config']->get('oidc.tls_verify') === true,`
`89`	`90`	`);`
`90`	`91`	`});`
`91`	`92`	`}`
`@@ -109,6 +110,11 @@ protected function registerClient(): void`
`109`	`110`	`if (is_array($additionalScopes) && count($additionalScopes) > 0) {`
`110`	`111`	`$oidc->addScope($additionalScopes);`
`111`	`112`	`}`
	`113`	`+`
	`114`	`+ if ($app['config']->get('oidc.tls_verify') !== true) {`
	`115`	`+ $oidc->setVerifyHost(false);`
	`116`	`+ $oidc->setVerifyPeer(false);`
	`117`	`+ }`
`112`	`118`	`return $oidc;`
`113`	`119`	`});`
`114`	`120`	`}`