Commit ccf093da by Matt Bostock

OAuth: Separate TLS client auth and CA config

It should be specify to either use TLS client authentication or use a
user-supplied CA; previously you had to enable client authentication to
use a custom CA.
parent f2f8ca52
......@@ -78,16 +78,25 @@ func OAuthLogin(ctx *middleware.Context) {
}
// handle call back
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: setting.OAuthService.OAuthInfos[name].TlsSkipVerify,
},
}
sslcli := &http.Client{
Transport: tr,
}
// initialize oauth2 context
oauthCtx := oauth2.NoContext
if setting.OAuthService.OAuthInfos[name].TlsClientCert != "" || setting.OAuthService.OAuthInfos[name].TlsClientKey != "" {
cert, err := tls.LoadX509KeyPair(setting.OAuthService.OAuthInfos[name].TlsClientCert, setting.OAuthService.OAuthInfos[name].TlsClientKey)
if err != nil {
log.Fatal(err)
}
// Load CA cert
tr.TLSClientConfig.Certificates = append(tr.TLSClientConfig.Certificates, cert)
}
if setting.OAuthService.OAuthInfos[name].TlsClientCa != "" {
caCert, err := ioutil.ReadFile(setting.OAuthService.OAuthInfos[name].TlsClientCa)
if err != nil {
log.Fatal(err)
......@@ -95,18 +104,10 @@ func OAuthLogin(ctx *middleware.Context) {
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: setting.OAuthService.OAuthInfos[name].TlsSkipVerify,
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
},
tr.TLSClientConfig.RootCAs = caCertPool
}
sslcli := &http.Client{Transport: tr}
oauthCtx = context.Background()
oauthCtx = context.WithValue(oauthCtx, oauth2.HTTPClient, sslcli)
}
oauthCtx := context.WithValue(context.Background(), oauth2.HTTPClient, sslcli)
// get token from provider
token, err := connect.Exchange(oauthCtx, code)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment