jjbohn / omniauth-openid-connect

MIT License

Option to disable SSL verification #64

Open mikeover opened 8 years ago

mikeover commented 8 years ago

Omniauth allows the disabling of SSL verification with something like:

:client_options => { :ssl => { :verify => !Rails.env.development? } }

Is there any way to utilize this with the OpenID Connect gem? I attempted to add the ssl key in the client_options hash, but it didn't seem to have any effect.

cmrd-senya commented 8 years ago

Do you need to connect over untrusted SSL or do you need to connect over plain unencrypted HTTP? I wanted to do the latter, and I had to patch the gem the following way:

diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index e4705c9..c915b61 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -16,7 +16,7 @@ module OmniAuth
         redirect_uri: nil,
         scheme: "https",
         host: nil,
-        port: 443,
+        port: nil,
         authorization_endpoint: "/authorize",
         token_endpoint: "/token",
         userinfo_endpoint: "/userinfo",
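Review bot: changing the `port` default from 443 to nil in this hunk removes the default outright instead of making it follow `scheme`; anything that reads `client_options.port` directly (for example to build an issuer string or a URI) now sees nil for https users who never set a port, while http users still have to set 80 themselves. Consider deriving the default from the scheme (443 for "https", 80 for "http") where the port is consumed, or at least documenting that `port` must now be set explicitly.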
@@ -82,6 +82,11 @@ module OmniAuth
       end

       def request_phase
+        if client_options.scheme == "http"
+          WebFinger.url_builder = URI::HTTP
+          SWD.url_builder = URI::HTTP
+        end
+
         options.issuer = issuer if options.issuer.blank?
         discover! if options.discovery
         redirect authorize_uri
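Review bot: the two `url_builder = URI::HTTP` assignments added to `request_phase` mutate global state in the WebFinger and SWD libraries on every request, and nothing ever sets them back to the HTTPS builder, so once one provider configured with `scheme: "http"` has gone through `request_phase`, discovery for every other provider in the same process is also built as plain http. Either perform this once at configuration time as an explicit, documented opt-in, or restore the previous builder after `discover!` returns; and since the builders only matter when discovery runs, the block belongs inside the `if options.discovery` path rather than before `options.issuer = issuer`.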

With these changes authentication proceeds over HTTP properly.

mikeover commented 8 years ago

I was looking for untrusted SSL so I can ignore bad or untrusted certificates, etc.

cmrd-senya commented 8 years ago

Then I guess you have to patch lib/omniauth/strategies/openid_connect.rb yourself. As far as I can see there is no support for disabling SSL in the gem currently.

mikeover commented 8 years ago

Thanks, would you mind taking a look at #65 also?

rdingwell commented 8 years ago

If you are talking about SSL verification, I think you should be able to take care of this without patching the strategy. The OpenIDConnect lib has a static method setting up configuration blocks for the http_client. I use it to deal with the SSL inspection that our internal network performs, so I have to add additional CA trust certs for it to deal with, like this:

OpenIDConnect.http_config do |client|
  client.ssl_config.add_trust_ca(ENV['CA_TRUST_CERTIFICATE']) if ENV['CA_TRUST_CERTIFICATE']
end

The ssl_config object I believe also has a method for setting the verification mode so you should be able to just wholesale turn it off.
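The following is an added example, not code from the gem or from anyone in this thread. It shows the approach rdingwell describes (configuring the http client through OpenIDConnect.http_config) carried a step further: the extra CA is checked to be a parseable certificate before it is trusted, and peer verification is only switched off when both the environment is non-production and an explicit opt-in is present, so the "ignore bad certificates" behaviour mikeover asked for cannot leak into production through a stray setting. It assumes the openid_connect gem of that era, whose http_config block yields an HTTPClient whose ssl_config responds to add_trust_ca and verify_mode= (as stated in the comment above); the OIDC_INSECURE_TLS variable name is hypothetical, CA_TRUST_CERTIFICATE is the one from the comment. The gem is not required to run the file: the settings are computed as plain values and only pushed into the client when OpenIDConnect is loaded.

```ruby
require 'openssl'

# Added example (not the gem's own code): decide how the openid_connect HTTP
# client should handle TLS, gated on the application environment, and apply
# it through OpenIDConnect.http_config when that gem is loaded.

# Environments in which skipping peer verification is tolerated at all.
INSECURE_TLS_ENVS = %w[development test].freeze

# Returns the OpenSSL verify mode to use for the OIDC provider connection.
# `env` is the application environment name (e.g. Rails.env.to_s);
# `allow_insecure` is an explicit opt-in (assumed to come from a hypothetical
# OIDC_INSECURE_TLS variable). Verification is only ever turned off when BOTH
# the env is non-production AND the opt-in is set, so the flag alone cannot
# disable verification in production.
def oidc_ssl_verify_mode(env, allow_insecure: false)
  if allow_insecure && INSECURE_TLS_ENVS.include?(env.to_s)
    OpenSSL::SSL::VERIFY_NONE
  else
    OpenSSL::SSL::VERIFY_PEER
  end
end

# Returns `path` if it exists and holds a parseable X.509 certificate (the
# first certificate of a PEM bundle is enough to prove it is one), otherwise
# nil. A wrong CA_TRUST_CERTIFICATE path then fails loudly at boot instead of
# silently leaving the intercepting proxy's CA untrusted.
def usable_ca_file(path)
  return nil if path.nil? || path.empty?
  raise ArgumentError, "CA file not found: #{path}" unless File.file?(path)
  OpenSSL::X509::Certificate.new(File.read(path)) # raises OpenSSL::X509::CertificateError if not a cert
  path
end

# Computes the settings to push into the http client as a plain hash, so they
# can be inspected and tested without the openid_connect gem present.
def oidc_tls_settings(env:, allow_insecure: false, ca_file: nil)
  {
    verify_mode: oidc_ssl_verify_mode(env, allow_insecure: allow_insecure),
    ca_file: usable_ca_file(ca_file)
  }
end

# Applies the settings to the gem's HTTPClient-based client. Only runs when
# the gem is loaded; OpenIDConnect.http_config, ssl_config.add_trust_ca and
# ssl_config.verify_mode= are the gem/httpclient APIs named in the thread.
# Returns the settings it applied (or would apply).
def configure_oidc_tls!(settings)
  if defined?(OpenIDConnect) && OpenIDConnect.respond_to?(:http_config)
    OpenIDConnect.http_config do |client|
      client.ssl_config.add_trust_ca(settings[:ca_file]) if settings[:ca_file]
      client.ssl_config.verify_mode = settings[:verify_mode]
    end
  end
  settings
end

if __FILE__ == $PROGRAM_NAME
  settings = oidc_tls_settings(
    env: ENV.fetch('RAILS_ENV', 'development'),
    allow_insecure: ENV['OIDC_INSECURE_TLS'] == '1',   # hypothetical opt-in variable
    ca_file: ENV['CA_TRUST_CERTIFICATE']               # variable from the comment above
  )
  configure_oidc_tls!(settings)
  mode = settings[:verify_mode] == OpenSSL::SSL::VERIFY_NONE ? 'VERIFY_NONE' : 'VERIFY_PEER'
  puts "OIDC TLS: verify_mode=#{mode} ca_file=#{settings[:ca_file].inspect}"
end
```

In a Rails app this would live in an initializer, run once, rather than inside a request; the verify mode is a process-wide setting of the shared http client, which is also why the environment gate matters more here than it does for a per-strategy client_options hash.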