chore: option to skip tls cert validation for oidc provider

Author: muety

README.md

@@ -204,6 +204,7 @@ You can specify configuration options either via a config file (default: `config
 | `security.cookie_max_age` /<br> `WAKAPI_COOKIE_MAX_AGE`                                     | `172800`                                         | Lifetime of authentication cookies in seconds or `0` to use [Session](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Define_the_lifetime_of_a_cookie) cookies        |
 | `security.allow_signup` /<br> `WAKAPI_ALLOW_SIGNUP`                                         | `true`                                           | Whether to enable local user registration                                                                                                                                       |
 | `security.oidc_allow_signup` /<br> `WAKAPI_OIDC_ALLOW_SIGNUP`                               | `true`                                           | Whether to enable user registration via OIDC                                                                                                                                    |
+| `security.oidc_insecure` /<br> `WAKAPI_OIDC_INSECURE`                                       | `false`                                          | Skip TLS certificate validation for OIDC provider (only for debugging purposes!)                                                                                                |
 | `security.signup_captcha` /<br> `WAKAPI_SIGNUP_CAPTCHA`                                     | `false`                                          | Whether the registration form requires solving a CAPTCHA                                                                                                                        |
 | `security.invite_codes` /<br> `WAKAPI_INVITE_CODES`                                         | `true`                                           | Whether to enable registration by invite codes. Primarily useful if registration is disabled (invite-only server).                                                              |
 | `security.disable_frontpage` /<br> `WAKAPI_DISABLE_FRONTPAGE`                               | `false`                                          | Whether to disable landing page (useful for personal instances)                                                                                                                 |

config.default.yml

@@ -89,6 +89,7 @@ security:
   cookie_max_age: 172800
   allow_signup: true                    # whether to allow new user creation at all
   oidc_allow_signup: true               # allow registration of new users from oidc
+  oidc_insecure: false                   # skip tls certificate validation for oidc provider
   disable_local_auth: false             # disable login via local credentials (username and password) to enforce OIDC provider login
   disable_webauthn: true                # disable login via webauthn (security keys, biometrics, etc.)
   signup_captcha: false

config/config.go

@@ -127,6 +127,7 @@ type appConfig struct {
 type securityConfig struct {
 	AllowSignup      bool `yaml:"allow_signup" default:"true" env:"WAKAPI_ALLOW_SIGNUP"`
 	OidcAllowSignup  bool `yaml:"oidc_allow_signup" default:"true" env:"WAKAPI_OIDC_ALLOW_SIGNUP"`
+	OidcInsecure     bool `yaml:"oidc_insecure" default:"false" env:"WAKAPI_OIDC_INSECURE"`
 	DisableLocalAuth bool `yaml:"disable_local_auth" default:"false" env:"WAKAPI_DISABLE_LOCAL_AUTH"`
 	DisableWebAuthn  bool `yaml:"disable_webauthn" default:"true" env:"WAKAPI_DISABLE_WEBAUTHN"`
 	SignupCaptcha    bool `yaml:"signup_captcha" default:"false" env:"WAKAPI_SIGNUP_CAPTCHA"`

config/oidc.go

@@ -2,7 +2,9 @@ package config
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
@@ -74,10 +76,21 @@ func (token *IdTokenPayload) getClaimValue(claimName string) string {
 
 var oidcProviders = make(map[string]*OidcProvider)
 
+func GetOidcContext(ctx context.Context) context.Context {
+	tp := http.DefaultTransport.(*http.Transport).Clone()
+	tp.DisableCompression = true
+	tp.TLSClientConfig = &tls.Config{
+		InsecureSkipVerify: cfg.Security.OidcInsecure,
+	}
+	return oidc.ClientContext(ctx, &http.Client{
+		Transport: tp,
+	})
+}
+
 func RegisterOidcProvider(providerCfg *oidcProviderConfig) {
 	cfg := Get()
 
-	provider, err := oidc.NewProvider(context.Background(), providerCfg.Endpoint)
+	provider, err := oidc.NewProvider(GetOidcContext(context.Background()), providerCfg.Endpoint)
 	if err != nil {
 		Log().Fatal(fmt.Sprintf("failed to initialize oidc provider at %s", providerCfg.Endpoint), "error", err)
 		return

routes/login.go

@@ -429,7 +429,7 @@ func (h *LoginHandler) GetOidcCallback(w http.ResponseWriter, r *http.Request) {
 	routeutils.ClearOidcState(r, w)
 
 	// exchange auth code for access token and id token
-	authToken, err := provider.OAuth2.Exchange(r.Context(), code)
+	authToken, err := provider.OAuth2.Exchange(conf.GetOidcContext(r.Context()), code)
 	if err != nil {
 		errMsg := "failed to exchange authorization code for access token"
 		conf.Log().Request(r).Error(errMsg, "provider", provider.Name)
@@ -449,7 +449,7 @@ func (h *LoginHandler) GetOidcCallback(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// verify id token
-	idTokenPayload, err := routeutils.DecodeOidcIdToken(rawIdToken, provider, r.Context())
+	idTokenPayload, err := routeutils.DecodeOidcIdToken(rawIdToken, provider, conf.GetOidcContext(r.Context()))
 	if err != nil || idTokenPayload == nil {
 		errMsg := "failed to verify and decode id_token"
 		conf.Log().Request(r).Error(errMsg, "provider", provider.Name, "id_token", rawIdToken) // save to log, because does not grant any access