Optionally disable certificate validation for OAuth2 auth windows #3894
Force-pushed from cb81fbe to 08ab903.
Thank you for the issue report and this PR!

Because this is specifically for auth, for security reasons I wonder if we should introduce a standalone setting (like `validateOAuthSSL`) rather than use the existing one. This way users have more control over disabling cert validation for regular requests but ensuring cert validation for authentication.

@wdawson / @DMarby / @johnwchadwick any opinions on using the existing flag or introducing a new one specifically for OAuth? The current flag `validateSSL` links to the blue box. We do have a section dedicated to security in preferences, so a custom flag like `validateOAuthSSL` could sit in there (red box).
Thanks for getting the conversation started on this! Once the Insomnia team decides which direction to take this PR, I'm happy to help where I can (:
@develohpanda I think it might make sense for this to be a separate option.
That's a great point! It looks like all those OAuth flows use
insomnia/packages/insomnia-app/app/network/network.ts Lines 421 to 428 in 7abde2a
So it should be fairly straightforward to tell the networking stack to use Lots of ways to solve this, @schrodingersket I'll let you give it a crack, but this is the general code path! 😄 To summarize the feedback:
That all sounds perfectly doable. I'll take a swing at it this week 😎 Thanks for all the input everyone! Super cool to get to learn from you guys and to have the opportunity to give a little back to a project I use every day 🤓
Just as a naming comment, I wonder if it would be better to not include the authorization protocol (i.e. "OAuth") in the name for the flag, in case folks are using different protocols. Maybe just
Yep! I'm good with that 👍🏽
Force-pushed from 08ab903 to a50d153.
@develohpanda - looks like we have a slight snag in restricting the scope of the new The TL;DR is that the insomnia/packages/insomnia-app/app/network/o-auth-2/misc.ts Lines 149 to 158 in a50d153
I pushed a50d153 which provides all the other functionality described above and in which you can reproduce what I'm running into if you'd like to poke at it. Any suggestions as to how to handle this would be greatly appreciated (: Adding the Anyway, here are some screenshots of the new option in
Bingo! I found a workaround for the issue described above using the setCertificateVerifyProc API. Should be all good to go with this now. I'll work on adding some unit tests and updating existing ones as appropriate tomorrow, but it should be all set for review at this point.
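As an added illustration of the approach this comment describes (not code from the PR or from Insomnia), the block below shows how an Electron-style certificate verify proc can be gated on a dedicated authentication setting, so that turning off validation for regular requests never weakens validation for the auth window and the default stays fail-closed. `validateAuthSSL` is the flag name the thread settles on; the `session` object, the `runScenario` helper and the sample requests are constructed stand-ins so the logic runs outside Electron, and the Chromium error code used in the sample is `net::ERR_CERT_AUTHORITY_INVALID` (-202).

```javascript
// Added example (not Insomnia's code): gate a certificate verify proc on a
// dedicated `validateAuthSSL` setting, independent of the `validateSSL` flag
// that governs regular requests.

// Values Electron's setCertificateVerifyProc callback accepts.
const VERIFY_ACCEPT = 0;        // treat the certificate as valid
const VERIFY_USE_CHROMIUM = -3; // keep Chromium's own verification result

// Decide how one verify request should be answered. `request` mirrors the
// shape Electron passes to the proc: hostname, errorCode (0 means Chromium
// found no problem) and verificationResult (a net:: error string).
function decideAuthVerification(settings, request) {
  // Fail closed: an absent or non-boolean flag means "validate".
  const validateAuth = settings.validateAuthSSL !== false;

  // A certificate Chromium already accepts never needs overriding.
  if (request.errorCode === 0) {
    return { result: VERIFY_USE_CHROMIUM, overridden: false };
  }
  if (validateAuth) {
    // Chromium rejected it and the auth flag says validate: let it fail.
    return { result: VERIFY_USE_CHROMIUM, overridden: false };
  }
  // Only here, with the auth-specific flag explicitly off, is Chromium's
  // error overridden. `validateSSL` is deliberately never consulted.
  return {
    result: VERIFY_ACCEPT,
    overridden: true,
    detail: `${request.hostname}: ${request.verificationResult}`,
  };
}

// Install the proc on a session and record every override, so a disabled
// auth check leaves an audit trail instead of silently passing.
function installAuthVerifyProc(session, settings, overrideLog) {
  session.setCertificateVerifyProc((request, callback) => {
    const decision = decideAuthVerification(settings, request);
    if (decision.overridden) {
      overrideLog.push(decision.detail);
    }
    callback(decision.result);
  });
}

// Constructed stand-in for Electron's session: it only stores the proc so
// the gating logic can be exercised without Electron.
function makeFakeSession() {
  let proc = null;
  return {
    setCertificateVerifyProc(fn) { proc = fn; },
    // Run the installed proc for one request and return the callback value.
    verify(request) {
      let answer;
      proc(request, (result) => { answer = result; });
      return answer;
    },
  };
}

// Constructed sample requests: a self-signed certificate on a local
// Keycloak, and a certificate Chromium accepts as valid.
const SELF_SIGNED = {
  hostname: 'keycloak.local',
  errorCode: -202, // net::ERR_CERT_AUTHORITY_INVALID
  verificationResult: 'net::ERR_CERT_AUTHORITY_INVALID',
};
const VALID = { hostname: 'login.example', errorCode: 0, verificationResult: 'net::OK' };

// Drive one settings combination through a fresh session; returns the proc's
// answer and the override log so the behaviour can be inspected.
function runScenario(settings, request) {
  const session = makeFakeSession();
  const overrideLog = [];
  installAuthVerifyProc(session, settings, overrideLog);
  return { result: session.verify(request), overrideLog };
}

// Regular-request validation off but auth validation on: the auth window
// still rejects the self-signed certificate.
console.log(runScenario({ validateSSL: false, validateAuthSSL: true }, SELF_SIGNED));
// Both off: the override is applied and logged.
console.log(runScenario({ validateSSL: false, validateAuthSSL: false }, SELF_SIGNED));
```

The point of routing the decision through `decideAuthVerification` is that it never reads `validateSSL`, so the two preferences cannot bleed into each other, and that an unset flag resolves to validating rather than accepting.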
Oh wow, that's impressive @schrodingersket 🙌🏽 👏🏽 I hadn't had a chance to debug through this yet but I'm stoked you found a way around it!
Just an initial code review 🥳
@develohpanda the video works for me now, maybe try again?
@dimitropoulos Looks like it was a Firefox thing 😭 works in Chrome. I've never hit this before (still marked as corrupted on Firefox), how strange!
…dation in authentication flows.
…ent handler API to `session.setCertificateVerifyProc`.
…alidateSSL` and `validateAuthSSL` from `Settings` type in `_actuallySend` function signature to prevent accidental usage in the function.
…rrectly when disabling cert verification.
…her to validate SSL during authentication.
Force-pushed from 95376a4 to 404934c.
LGTM, thank you for the video! 🙌🏽
The error message does seem a bit verbose but I don't think we should parse it to render something different; rather show the entire reason why something failed (we do the same thing when failing to fetch a GraphQL schema, show the raw message).
@schrodingersket I would really love to have some pointers into how you get the test environment going that you used in the video you took (and in general in this PR). I'm always on the lookout for ways to more easily test the OAuth2 features of the app.
The code looks good to me and the functionality in the video looks good as well.
@dimitropoulos sure thing! We use Keycloak at work for IAM and OAuth2, and I've been testing against that for this PR. OAuth2, JWT, and OIDC support are pretty well-supported in my experience with it. If you'd like, I'd be happy to throw together a super quick test repo for you based on their Docker image with SSL set up for you as a reference repository for testing if you feel it'd be worthwhile to have on hand and don't feel like rummaging through all the docs yourself (:
I would really really love that and the whole team will appreciate it! Thanks!!
@dimitropoulos @develohpanda - here you go: https://github.com/schrodingersket/keycloak-oauth2-ssl-testbed Everything should be configured and ready right out of the box for you there. I added a fairly comprehensive README with screenshots and such for getting everything running, but the TL;DR is (assuming you've installed Docker) that you just need to run I added the script I used to generate the certificates (via
Thanks a tonne @schrodingersket, this is bound to be a useful resource 🙌
hey @schrodingersket just wanted to come back and say thank you (again) for the above. we used it just now to work with another issue on the insomnia stream and it worked very well! we really appreciate it!
Whoohoo! Glad you found it to be a useful resource. (:
Closes #3893, Closes #2778, Closes INS-912
I fully expect to have some feedback regarding better ways to grab the `validateSSL` setting or maybe a different place where this event handler should be, but I figured a functional fix would be a good place to start!