Difference between oauth.ssl_validate_server and provider.ssl_validate_server #1141
-
Hi OpenIDC Team, In our configuration we have deactivated the SSL validation by This works fine on initial authentication and if the access token is refreshed. However, if the token is expiring or the user loggs out (on purpose) the module tries to revoke refresh token and then also the access token and both fails with: -- -- -- while in As I'm not an expert in mod_auth_openidc module nor C++ programming - I'm not sure if this is an issue or not. But the question for us is - how can we achieve that Thx for your help or any hint on this. |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 2 replies
-
that is indeed an unintended side-effect of the split between OAuth 2.0 and OIDC in the module's configuration; you can use OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off see https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.14.4/auth_openidc.conf#L439-L441 for the time being and we'll look into a more comprehensive solution FWIW: turning off SSL server certificate validation should not be used in production |
Beta Was this translation helpful? Give feedback.
-
actually it turned out to be a bug indeed, fixed in 7624c40 |
Beta Was this translation helpful? Give feedback.
-
this is now in 2.4.15 https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.15 |
Beta Was this translation helpful? Give feedback.
actually it turned out to be a bug indeed, fixed in 7624c40