Option to disable SSL verification #64

Open
mikeover opened this issue Nov 1, 2016 · 5 comments

@mikeover

mikeover commented Nov 1, 2016

Omniauth allows the disabling of SSL verification with something like:

:client_options => { :ssl => { :verify => !Rails.env.development? } }

Is there any way to utilize this with the OpenID Connect gem? I attempted to add the ssl key in the client_options hash but it didn't seem to have any effect.

@cmrd-senya

Do you need to connect over untrusted SSL or do you need to connect over plain unencrypted HTTP? I wanted to do the latter, and I had to patch the gem the following way:

diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index e4705c9..c915b61 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -16,7 +16,7 @@ module OmniAuth
         redirect_uri: nil,
         scheme: "https",
         host: nil,
-        port: 443,
+        port: nil,
         authorization_endpoint: "/authorize",
         token_endpoint: "/token",
         userinfo_endpoint: "/userinfo",
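Review bot: changing the default to port: nil applies to every deployment, not only those that set scheme to "http", because the scheme default two lines above stays "https". Installations that relied on the implicit 443 now depend on whatever a nil port resolves to elsewhere in the strategy, which this hunk does not show. Consider keeping 443 when scheme is "https" (or deriving the default port from the scheme) and documenting the new default.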
@@ -82,6 +82,11 @@ module OmniAuth
       end

       def request_phase
+        if client_options.scheme == "http"
+          WebFinger.url_builder = URI::HTTP
+          SWD.url_builder = URI::HTTP
+        end
+
         options.issuer = issuer if options.issuer.blank?
         discover! if options.discovery
         redirect authorize_uri
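Review bot: in request_phase, WebFinger.url_builder = URI::HTTP and SWD.url_builder = URI::HTTP are assigned on the library modules themselves, so the first request configured with scheme "http" switches discovery to plain HTTP for the rest of the process, and there is no branch that restores the previous builder for providers using "https". Setting this once at boot behind an explicit opt-in option (restricted to development, for example) would avoid mutating shared state on every request, and the option's documentation should state that discovery requests then go over unencrypted HTTP.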

With these changes authentication proceeds over HTTP properly.

@mikeover

mikeover commented Nov 4, 2016

I was looking for untrusted SSL so I can ignore bad or untrusted certificates, etc.

@cmrd-senya

Then I guess you have to patch lib/omniauth/strategies/openid_connect.rb yourself. As far as I can see there is no support of SSL disable in the gem currently.

@mikeover

mikeover commented Nov 4, 2016

Thanks, would you mind taking a look at #65 also?

@rdingwell

If you are talking about SSL verification, I think you should be able to take care of this without patching the strategy. The OpenidConnect lib has a static method for setting up configuration blocks for the http_client. I use it to deal with the SSL inspection that our internal network performs, so I have to add additional CA trust certs for it to deal with, like this:

OpenIDConnect.http_config do |client|
  client.ssl_config.add_trust_ca(ENV['CA_TRUST_CERTIFICATE']) if ENV['CA_TRUST_CERTIFICATE']
end

The ssl_config object I believe also has a method for setting the verification mode so you should be able to just wholesale turn it off.
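An added example, not part of the thread or of the gem's code: it models the trust decision behind the two options discussed above (adding a CA versus turning verification off) using Ruby's standard OpenSSL::X509::Store. The CA, host name and certificates are constructed sample data, and the helper names are hypothetical.

```ruby
require "openssl"

# Build a certificate for `cn`; self-signed unless an issuer cert and key are given.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(
    OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", constraint, true)
  )
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain verification against an explicit set of trusted CA certificates.
def trusted?(cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca_cert| store.add_cert(ca_cert) }
  store.verify(cert)
end

# Constructed sample PKI: an internal inspection CA, a provider certificate it
# issued, and a self-signed certificate claiming the same host name.
def verification_results
  ca_key, idp_key, rogue_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  corp_ca = make_cert("Example Inspection CA", ca_key, ca: true)
  idp = make_cert("idp.example.internal", idp_key, issuer: corp_ca, issuer_key: ca_key)
  rogue = make_cert("idp.example.internal", rogue_key)
  {
    idp_without_ca: trusted?(idp, []),        # the failure that prompts "disable SSL"
    idp_with_ca: trusted?(idp, [corp_ca]),    # resolved by trusting the CA
    rogue_with_ca: trusted?(rogue, [corp_ca]) # still rejected with verification on
  }
end

puts verification_results.inspect
```

With verification switched off there is no chain check at all, so the self-signed certificate in the third case would be accepted like any other. Host name matching is a separate check and is not modelled here.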
