[18.0][IMP]auth_oidc: verify self-signed certificates

auth_oidc/README.rst

@@ -1,7 +1,3 @@
-.. image:: https://odoo-community.org/readme-banner-image
-   :target: https://odoo-community.org/get-involved?utm_source=readme
-   :alt: Odoo Community Association
-
 =============================
 Authentication OpenID Connect
 =============================
@@ -17,7 +13,7 @@ Authentication OpenID Connect
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
     :alt: Beta
-.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
@@ -38,6 +34,9 @@ using the authorization code flow or implicit flow.
 Note the implicit flow is not recommended because it exposes access
 tokens to the browser and in http logs.
 
+Note disabling certificate checks is a security risk and not
+recommended. Use it with caution.
+
 **Table of contents**
 
 .. contents::

auth_oidc/models/auth_oauth_provider.py

@@ -47,10 +47,22 @@ class AuthOauthProvider(models.Model):
     )
     jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
     end_session_endpoint = fields.Char(string="End Session URL")
+    ca_bundle = fields.Char(
+        string="CA bundle", help="Path to CA bundles to use for verification."
+    )
+    disable_certificate_check = fields.Boolean(
+        string="Disable certificate check",
+        help="Disable certificate check. This is a security risk. Use with caution.",
+    )
 
     @tools.ormcache("self.jwks_uri", "kid")
     def _get_keys(self, kid):
-        r = requests.get(self.jwks_uri, timeout=10)
+        verify = True
+        if self.disable_certificate_check:
+            verify = False
+        elif self.ca_bundle:
+            verify = self.ca_bundle
+        r = requests.get(self.jwks_uri, timeout=10, verify=verify)
         r.raise_for_status()
         response = r.json()
         # the keys returned here should follow

auth_oidc/models/res_users.py

@@ -27,6 +27,11 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
         auth = None
         if oauth_provider.client_secret:
             auth = (oauth_provider.client_id, oauth_provider.client_secret)
+        verify = True
+        if oauth_provider.disable_certificate_check:
+            verify = False
+        elif oauth_provider.ca_bundle:
+            verify = oauth_provider.ca_bundle
         response = requests.post(
             oauth_provider.token_endpoint,
             data=dict(
@@ -38,6 +43,7 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
             ),
             auth=auth,
             timeout=10,
+            verify=verify,
         )
         response.raise_for_status()
         response_json = response.json()

auth_oidc/readme/DESCRIPTION.md

@@ -3,3 +3,6 @@ using the authorization code flow or implicit flow.
 
 Note the implicit flow is not recommended because it exposes access
 tokens to the browser and in http logs.
+
+Note disabling certificate checks is a security risk and not recommended.
+Use it with caution.

auth_oidc/static/description/index.html

@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
-<title>README.rst</title>
+<title>Authentication OpenID Connect</title>
 <style type="text/css">
 
 /*
@@ -360,25 +360,22 @@
 </style>
 </head>
 <body>
-<div class="document">
+<div class="document" id="authentication-openid-connect">
+<h1 class="title">Authentication OpenID Connect</h1>
 
-
-<a class="reference external image-reference" href="https://odoo-community.org/get-involved?utm_source=readme">
-<img alt="Odoo Community Association" src="https://odoo-community.org/readme-banner-image" />
-</a>
-<div class="section" id="authentication-openid-connect">
-<h1>Authentication OpenID Connect</h1>
 <!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! source digest: sha256:d5e5a3781c5ed38c37634f69bdcfdce055fa97a302c49acd1ea9e25b4a610454
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/license-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider
 using the authorization code flow or implicit flow.</p>
 <p>Note the implicit flow is not recommended because it exposes access
 tokens to the browser and in http logs.</p>
+<p>Note disabling certificate checks is a security risk and not
+recommended. Use it with caution.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
@@ -413,15 +410,15 @@ <h1>Authentication OpenID Connect</h1>
 </ul>
 </div>
 <div class="section" id="installation">
-<h2><a class="toc-backref" href="#toc-entry-1">Installation</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
 <p>This module depends on the
 <a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a> library, not to
 be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
 </div>
 <div class="section" id="configuration">
-<h2><a class="toc-backref" href="#toc-entry-2">Configuration</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
 <div class="section" id="setup-for-microsoft-azure">
-<h3><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <ol class="arabic simple">
 <li>configure a new web application in Azure with OpenID and code flow
@@ -457,7 +454,7 @@ <h3><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h3
 <p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
 </div>
 <div class="section" id="setup-for-keycloak">
-<h3><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <p>In Keycloak:</p>
 <ol class="arabic simple">
@@ -490,11 +487,11 @@ <h3><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h3>
 </div>
 </div>
 <div class="section" id="usage">
-<h2><a class="toc-backref" href="#toc-entry-5">Usage</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-5">Usage</a></h1>
 <p>On the login page, click on the authentication provider you configured.</p>
 </div>
 <div class="section" id="known-issues-roadmap">
-<h2><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 <ul class="simple">
 <li>When going to the login screen, check for a existing token and do a
 direct login without the clicking on the SSO link</li>
@@ -503,88 +500,88 @@ <h2><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h2>
 </ul>
 </div>
 <div class="section" id="changelog">
-<h2><a class="toc-backref" href="#toc-entry-7">Changelog</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
 <div class="section" id="section-1">
-<h3><a class="toc-backref" href="#toc-entry-8">18.0.1.0.0 2024-10-09</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-8">18.0.1.0.0 2024-10-09</a></h2>
 <ul class="simple">
 <li>Odoo 18 migration</li>
 </ul>
 </div>
 <div class="section" id="section-2">
-<h3><a class="toc-backref" href="#toc-entry-9">17.0.1.0.0 2024-03-20</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-9">17.0.1.0.0 2024-03-20</a></h2>
 <ul class="simple">
 <li>Odoo 17 migration</li>
 </ul>
 </div>
 <div class="section" id="section-3">
-<h3><a class="toc-backref" href="#toc-entry-10">16.0.1.1.0 2024-02-28</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.1.0 2024-02-28</a></h2>
 <ul class="simple">
 <li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
 </ul>
 </div>
 <div class="section" id="section-4">
-<h3><a class="toc-backref" href="#toc-entry-11">16.0.1.0.2 2023-11-16</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.2 2023-11-16</a></h2>
 <ul class="simple">
 <li>Readme link updates</li>
 </ul>
 </div>
 <div class="section" id="section-5">
-<h3><a class="toc-backref" href="#toc-entry-12">16.0.1.0.1 2023-10-09</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-12">16.0.1.0.1 2023-10-09</a></h2>
 <ul class="simple">
 <li>Add AzureAD code flow provider</li>
 </ul>
 </div>
 <div class="section" id="section-6">
-<h3><a class="toc-backref" href="#toc-entry-13">16.0.1.0.0 2023-01-27</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-13">16.0.1.0.0 2023-01-27</a></h2>
 <ul class="simple">
 <li>Odoo 16 migration</li>
 </ul>
 </div>
 <div class="section" id="section-7">
-<h3><a class="toc-backref" href="#toc-entry-14">15.0.1.0.0 2023-01-06</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-14">15.0.1.0.0 2023-01-06</a></h2>
 <ul class="simple">
 <li>Odoo 15 migration</li>
 </ul>
 </div>
 <div class="section" id="section-8">
-<h3><a class="toc-backref" href="#toc-entry-15">14.0.1.0.0 2021-12-10</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-15">14.0.1.0.0 2021-12-10</a></h2>
 <ul class="simple">
 <li>Odoo 14 migration</li>
 </ul>
 </div>
 <div class="section" id="section-9">
-<h3><a class="toc-backref" href="#toc-entry-16">13.0.1.0.0 2020-04-10</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-16">13.0.1.0.0 2020-04-10</a></h2>
 <ul class="simple">
 <li>Odoo 13 migration, add authorization code flow.</li>
 </ul>
 </div>
 <div class="section" id="section-10">
-<h3><a class="toc-backref" href="#toc-entry-17">10.0.1.0.0 2018-10-05</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-17">10.0.1.0.0 2018-10-05</a></h2>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h2><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
 <a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h2><a class="toc-backref" href="#toc-entry-19">Credits</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-19">Credits</a></h1>
 <div class="section" id="authors">
-<h3><a class="toc-backref" href="#toc-entry-20">Authors</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-20">Authors</a></h2>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
 <li>ACSONE SA/NV</li>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h3><a class="toc-backref" href="#toc-entry-21">Contributors</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-21">Contributors</a></h2>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
@@ -593,7 +590,7 @@ <h3><a class="toc-backref" href="#toc-entry-21">Contributors</a></h3>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h3><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org">
 <img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
@@ -608,6 +605,5 @@ <h3><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h3>
 </div>
 </div>
 </div>
-</div>
 </body>
 </html>

auth_oidc/views/auth_oauth_provider.xml

@@ -20,6 +20,10 @@
                 <field name="jwks_uri" />
                 <field name="end_session_endpoint" />
             </field>
+            <field name="data_endpoint" position="after">
+                <field name="disable_certificate_check" />
+                <field name="ca_bundle" invisible="disable_certificate_check" />
+            </field>
         </field>
     </record>
 </odoo>