Add new OIDC TLS CA Certfile option (#3496)

2025-07-09 03:04:54 -04:00 · 2024-04-19 05:36:03 -05:00 · 2024-04-19 05:36:03 -05:00 · 1a385e941c
commit 1a385e941c
parent c6f5b62ad0
3 changed files with 16 additions and 7 deletions
--- a/docs/docs/documentation/getting-started/installation/backend-config.md
+++ b/docs/docs/documentation/getting-started/installation/backend-config.md
@ -99,6 +99,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc.md)
 | OIDC_REMEMBER_ME       |  False  | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |
 | OIDC_SIGNING_ALGORITHM |  RS256  | The algorithm used to sign the id token (examples: RS256, HS256)                                                                                                                                          |
 | OIDC_USER_CLAIM        |  email  | Optional: 'email', 'preferred_username'                                                                                                                                                                   |
+| OIDC_TLS_CACERTFILE    | None    | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) |

 ### Themeing

--- a/mealie/core/security/providers/openid_provider.py
+++ b/mealie/core/security/providers/openid_provider.py
@ -119,20 +119,27 @@ class OpenIDProvider(AuthProvider[OIDCRequest]):

        if not (settings.OIDC_READY and settings.OIDC_CONFIGURATION_URL):
            return None
-        configuration = None
-        with requests.get(settings.OIDC_CONFIGURATION_URL, timeout=5) as config_response:
-            config_response.raise_for_status()
-            configuration = config_response.json()
+
+        session = requests.Session()
+        if settings.OIDC_TLS_CACERTFILE:
+            session.verify = settings.OIDC_TLS_CACERTFILE
+
+        config_response = session.get(settings.OIDC_CONFIGURATION_URL, timeout=5)
+        config_response.raise_for_status()
+        configuration = config_response.json()

        if not configuration:
            OpenIDProvider._logger.warning("[OIDC] Unable to fetch configuration from the OIDC_CONFIGURATION_URL")
+            session.close()
            return None

        jwks_uri = configuration.get("jwks_uri", None)
        if not jwks_uri:
            OpenIDProvider._logger.warning("[OIDC] Unable to find the jwks_uri from the OIDC_CONFIGURATION_URL")
+            session.close()
            return None

-        with requests.get(jwks_uri, timeout=5) as response:
-            response.raise_for_status()
-            return JsonWebKey.import_key_set(response.json())
+        response = session.get(jwks_uri, timeout=5)
+        response.raise_for_status()
+        session.close()
+        return JsonWebKey.import_key_set(response.json())
--- a/mealie/core/settings/settings.py
+++ b/mealie/core/settings/settings.py
@ -192,6 +192,7 @@ class AppSettings(BaseSettings):
    OIDC_REMEMBER_ME: bool = False
    OIDC_SIGNING_ALGORITHM: str = "RS256"
    OIDC_USER_CLAIM: str = "email"
+    OIDC_TLS_CACERTFILE: str | None = None

    @property
    def OIDC_READY(self) -> bool: