[IMP]auth_oidc: verify self-signed certificates

ChristophAbenthungCibex · ChristophAbenthungCibex · commit ad305775b9a1 · 2025-09-02T08:50:16.000+02:00
If the connection between odoo and an oauth provider uses self-signed certificates, a ssl error is thrown because the self-signed certificated cannot be verified.
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
@@ -46,10 +46,21 @@ class AuthOauthProvider(models.Model):
         string="Token URL", help="Required for OpenID Connect authorization code flow."
     )
     jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
+    self_signed = fields.Boolean(
+        string="Self-signed", help="Defines if the used certificate is self-signed."
+    )
+    self_signed_verify = fields.Char(
+        string="Self-signed verify path",
+        help="Path to the self-signed certificate for the verification process."
+        "Empty value disables the verification.",
+    )
 
     @tools.ormcache("self.jwks_uri", "kid")
     def _get_keys(self, kid):
-        r = requests.get(self.jwks_uri, timeout=10)
+        verify = True
+        if self.self_signed:
+            verify = self.self_signed_verify or False
+        r = requests.get(self.jwks_uri, timeout=10, verify=verify)
         r.raise_for_status()
         response = r.json()
         # the keys returned here should follow
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
@@ -27,6 +27,9 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
         auth = None
         if oauth_provider.client_secret:
             auth = (oauth_provider.client_id, oauth_provider.client_secret)
+        verify = True
+        if oauth_provider.self_signed:
+            verify = oauth_provider.self_signed_verify or False
         response = requests.post(
             oauth_provider.token_endpoint,
             data=dict(
@@ -38,6 +41,7 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
             ),
             auth=auth,
             timeout=10,
+            verify=verify,
         )
         response.raise_for_status()
         response_json = response.json()
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
@@ -19,6 +19,10 @@
                 <field name="token_endpoint" />
                 <field name="jwks_uri" />
             </field>
+            <field name="data_endpoint" position="after">
+                <field name="self_signed" />
+                <field name="self_signed_verify" invisible="not self_signed" />
+            </field>
         </field>
     </record>
 </odoo>
