[18.0][IMP]auth_oidc: verify self-signed certificates

[ChristophAbenthungCibex]

If the connection between odoo and an oauth provider uses self-signed certificates, a ssl error is thrown because the self-signed certificated cannot be verified.
Even if the user credentials are correct, the user will not get logged in.

Following error gets thrown:
requests.exceptions.SSLError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /realms//protocol/openid-connect/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))

Steps to reproduce:

1. Setup a oauth provider (for example keycloak)
2. Setup odoo the oauth provider in odoo (used OpenID Connect (authorization code flow) as Auth Flow for my tests)
3. Logout
4. Try to login with the oauth provider
5. Type in the correct credentials
6. The oauth provider will redirect to Odoo
7. Odoo shows an error message and the user is not logged in

[OCA-git-bot]

Hi @sbidoul,
some modules you are maintaining are being modified, check this out!

[ap-wtioit]

Looks good (just the missing space is a requirement for the PR to be correct from my point of view)

This is a useful addition for checking with local HTTPS were one cannot really get official certificates.

[sbidoul]

Thanks. A couple a comment after a quick look.

[sbidoul]

I think this does not make it sufficiently clear that this enables an insecure option. Could we name this field, say, "insecure" like curl does?

[CRogos]

I agree with sbidoul. If we add this kind of feature we should add a big warning in the descripiton.md and add a reference here.

[ChristophAbenthungCibex]

Thanks for the feedback. I renamed the fields and added a security note. Is that good enough?

[sbidoul]

I would name this field ca_bundle, but I have a strong preference to let that be configured at the system level, or with the REQUESTS_CA_BUNDLE environment variable.

[ap-wtioit]

For me the benefit here would be that this is only for one OAuth server connection while REQUESTS_CA_BUNDLE is for all requests from Odoo to other servers.

[CRogos]

Instead of the attributes self_signed and self_signed_verify, how about only have ca_bundle, where you can add your valid self signed certificates (automatically used, when set), and a disable_certificate_check which bypasses the check. (same as self_signed=True + self_signed_verify="")

I think this would be more clear and less risky for false configurations.

[ChristophAbenthungCibex]

Thanks, I renamed the field as suggested by @CRogos . I agree that this way is less risky.

[github-actions]

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

[CRogos]

Implementation LGTM.
I am not sure if the merge commit is a problem, or if it would be better to rebase your changes.

Could you also add some tests for your changes?

[ChristophAbenthungCibex]

Implementation LGTM. I am not sure if the merge commit is a problem, or if it would be better to rebase your changes.

Could you also add some tests for your changes?

I rebased it.

I'll check if I can add tests.