Added ability to ignore cert for oauth2 provider (#971)

* Added ability to ignore cert for oauth2 provider

This is useful for development environments where the OAuth provider
doesn't have a valid cert!

* Setting default for OAUTH2_VERIFY_CERT to true
Johannes Langer 2017-10-21 01:36:14 +02:00 committed by kevgliss
parent 14f5340802
commit 9319dda0ec
2 changed files with 12 additions and 4 deletions


@ -496,6 +496,13 @@ For more information about how to use social logins, see: `Satellizer <https://g
OAUTH2_AUTH_ENDPOINT = "https://<youroauthserver>/oauth2/v1/authorize" OAUTH2_AUTH_ENDPOINT = "https://<youroauthserver>/oauth2/v1/authorize"
.. data:: OAUTH2_VERIFY_CERT
:noindex:
::
OAUTH2_VERIFY_CERT = True
.. data:: GOOGLE_CLIENT_ID .. data:: GOOGLE_CLIENT_ID
:noindex: :noindex:


@ -289,6 +289,7 @@ class OAuth2(Resource):
# you can either discover these dynamically or simply configure them # you can either discover these dynamically or simply configure them
access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL') access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL')
user_api_url = current_app.config.get('OAUTH2_USER_API_URL') user_api_url = current_app.config.get('OAUTH2_USER_API_URL')
verify_cert = current_app.config.get('OAUTH2_VERIFY_CERT', True)
# the secret and cliendId will be given to you when you signup for the provider # the secret and cliendId will be given to you when you signup for the provider
token = '{0}:{1}'.format(args['clientId'], current_app.config.get("OAUTH2_SECRET")) token = '{0}:{1}'.format(args['clientId'], current_app.config.get("OAUTH2_SECRET"))
@ -302,9 +303,9 @@ class OAuth2(Resource):
# exchange authorization code for access token. # exchange authorization code for access token.
# Try Params first # Try Params first
r = requests.post(access_token_url, headers=headers, params=params) r = requests.post(access_token_url, headers=headers, params=params, verify=verify_cert)
if r.status_code == 400: if r.status_code == 400:
r = requests.post(access_token_url, headers=headers, data=params) r = requests.post(access_token_url, headers=headers, data=params, verify=verify_cert)
id_token = r.json()['id_token'] id_token = r.json()['id_token']
access_token = r.json()['access_token'] access_token = r.json()['access_token']
@ -313,7 +314,7 @@ class OAuth2(Resource):
jwks_url = current_app.config.get('OAUTH2_JWKS_URL') jwks_url = current_app.config.get('OAUTH2_JWKS_URL')
# retrieve the key material as specified by the token header # retrieve the key material as specified by the token header
r = requests.get(jwks_url) r = requests.get(jwks_url, verify=verify_cert)
for key in r.json()['keys']: for key in r.json()['keys']:
if key['kid'] == header_data['kid']: if key['kid'] == header_data['kid']:
secret = get_rsa_public_key(key['n'], key['e']) secret = get_rsa_public_key(key['n'], key['e'])
@ -338,7 +339,7 @@ class OAuth2(Resource):
headers = {'authorization': 'Bearer {0}'.format(access_token)} headers = {'authorization': 'Bearer {0}'.format(access_token)}
# retrieve information about the current user. # retrieve information about the current user.
r = requests.get(user_api_url, headers=headers) r = requests.get(user_api_url, headers=headers, verify=verify_cert)
profile = r.json() profile = r.json()
user = user_service.get_by_email(profile['email']) user = user_service.get_by_email(profile['email'])
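Review bot: Passing `verify=verify_cert` to the JWKS fetch (`requests.get(jwks_url, ...)` in the third hunk) means that with `OAUTH2_VERIFY_CERT` off the key material used to check the id_token signature is itself fetched over an unauthenticated channel, so the signature check no longer proves anything; the same flag also covers the token exchange that carries `OAUTH2_SECRET` (built into `token` in the first hunk, presumably sent in `headers`) and the user-info call whose `profile['email']` selects the local user. Disabling verification is therefore an all-or-nothing development switch, and nothing in the hunks records that it was used; I would add, right after the `verify_cert = ...` line, `if not verify_cert: current_app.logger.warning("OAUTH2_VERIFY_CERT is false: TLS certificates of the OAuth2 provider are not verified")` so a misconfigured deployment is visible in the logs. The docs entry in the other file should say that the option exists for development only and that a false value removes the protection the id_token signature check relies on. The `.get(..., True)` default is sound, but `requests` treats a non-empty string value as a CA-bundle path, so a value like `"false"` from a string-typed config source would not disable verification but would fail the request — worth a sentence in the docs as well. The enclosing `post` method begins and ends outside these hunks.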