
[Bug] OAuth2: Reuse TLS Certificate validation and custom CA settings from preferences when accessing Auth and Token URLs

Open pietrygamat opened this issue 1 year ago • 0 comments

In a test environment it may be expected to have some auth server not properly secured with TLS (domain mismatch/self-signed cert/etc). Although Bruno honors my customizations to TLS verification when calling target URL without authorization, it will fail when attempting to obtain access token during OAuth2 flow, even though the endpoints are on the same server.

In example request.bru:

meta {
  name: My Request
  type: http
  seq: 1
}

get {
  url: https://localhost/userprofile
  body: none
  auth: oauth2
}

auth:oauth2 {
  grant_type: authorization_code
  callback_url: https://localhost/callback
  authorization_url: https://localhost/auth
  access_token_url: https://localhost/token
  client_id: client-id
  client_secret: 
  scope: profile
  pkce: true
}

Let's assume my test server on localhost is hosted using a self-signed certificate. If I switch off TLS Verification or upload a custom CA Certificate in Preferences, I am able to pass the TLS handshake when reaching for https://localhost/userprofile. If I however enable OAuth2, Bruno will not use these same settings when making behind-the-scenes calls to https://localhost/auth and https://localhost/token, forcing me to install the CA system-wide.

Bruno: 1.10.0 #1003

pietrygamat, Feb 28 '24 20:02
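The behaviour requested in this issue, sketched as an added example (not Bruno's code and not part of the original post): one `https.Agent` is built from the TLS preferences and reused for the target request and the OAuth2 endpoints. The preference names `tlsVerification` and `customCaPem`, both function names, and the assumption that each URL is fetched with Node's `https` client are hypothetical.

```javascript
const https = require('node:https');
const tls = require('node:tls');

// Build a single agent from the user's TLS preferences (hypothetical shape:
// tlsVerification is a boolean, customCaPem is a PEM string or null).
function agentFromPreferences(prefs) {
  // Verification stays on unless the user explicitly switched it off.
  const options = { rejectUnauthorized: prefs.tlsVerification !== false };
  if (prefs.customCaPem) {
    // Setting `ca` replaces Node's default trust store, so keep the bundled
    // roots and append the custom CA instead of trusting it alone.
    options.ca = [...tls.rootCertificates, prefs.customCaPem];
  }
  return new https.Agent(options);
}

// Attach the same agent to every HTTPS call the request needs, so the
// authorization and token endpoints are validated exactly like the target URL.
function planOauth2Requests(request, oauth2, prefs) {
  const agent = agentFromPreferences(prefs);
  const urls = [request.url, oauth2.authorization_url, oauth2.access_token_url];
  return urls.map((url) => ({ url, agent }));
}

// Constructed sample input mirroring request.bru from the issue.
const SAMPLE_REQUEST = { url: 'https://localhost/userprofile' };
const SAMPLE_OAUTH2 = {
  authorization_url: 'https://localhost/auth',
  access_token_url: 'https://localhost/token',
};
// Constructed placeholder; a real run needs the test server's CA in PEM form.
const SAMPLE_PREFS = {
  tlsVerification: true,
  customCaPem: '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----',
};
```

Trusting the test CA through `ca` keeps hostname and chain checks active for all three URLs, which switching verification off does not.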