Added ability to ignore cert for oauth2 provider (#971)

* Added ability to ignore cert for oauth2 provider This is useful for development environments where the OAuth provider doesn't have a valid cert! * Setting default for OAUTH2_VERIFY_CERT to true
2017-10-21 01:36:14 +02:00 · 2017-10-21 01:36:14 +02:00 · 9319dda0ec
parent 14f5340802
commit 9319dda0ec
2 changed files with 12 additions and 4 deletions
--- a/docs/administration.rst
+++ b/docs/administration.rst
@ -496,6 +496,13 @@ For more information about how to use social logins, see: `Satellizer <https://g

            OAUTH2_AUTH_ENDPOINT = "https://<youroauthserver>/oauth2/v1/authorize"

+.. data:: OAUTH2_VERIFY_CERT
+    :noindex:
+
+        ::
+
+            OAUTH2_VERIFY_CERT = True
+
 .. data:: GOOGLE_CLIENT_ID
    :noindex:

--- a/lemur/auth/views.py
+++ b/lemur/auth/views.py
@ -289,6 +289,7 @@ class OAuth2(Resource):
        # you can either discover these dynamically or simply configure them
        access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL')
        user_api_url = current_app.config.get('OAUTH2_USER_API_URL')
+        verify_cert = current_app.config.get('OAUTH2_VERIFY_CERT', True)

        # the secret and cliendId will be given to you when you signup for the provider
        token = '{0}:{1}'.format(args['clientId'], current_app.config.get("OAUTH2_SECRET"))
@ -302,9 +303,9 @@ class OAuth2(Resource):

        # exchange authorization code for access token.
        # Try Params first
-        r = requests.post(access_token_url, headers=headers, params=params)
+        r = requests.post(access_token_url, headers=headers, params=params, verify=verify_cert)
        if r.status_code == 400:
-            r = requests.post(access_token_url, headers=headers, data=params)
+            r = requests.post(access_token_url, headers=headers, data=params, verify=verify_cert)
        id_token = r.json()['id_token']
        access_token = r.json()['access_token']

@ -313,7 +314,7 @@ class OAuth2(Resource):
        jwks_url = current_app.config.get('OAUTH2_JWKS_URL')

        # retrieve the key material as specified by the token header
-        r = requests.get(jwks_url)
+        r = requests.get(jwks_url, verify=verify_cert)
        for key in r.json()['keys']:
            if key['kid'] == header_data['kid']:
                secret = get_rsa_public_key(key['n'], key['e'])
@ -338,7 +339,7 @@ class OAuth2(Resource):
        headers = {'authorization': 'Bearer {0}'.format(access_token)}

        # retrieve information about the current user.
-        r = requests.get(user_api_url, headers=headers)
+        r = requests.get(user_api_url, headers=headers, verify=verify_cert)
        profile = r.json()

        user = user_service.get_by_email(profile['email'])