fix: Allow user-configurable OIDC timeout (#7496)

Xavier L.
2026-04-20 23:22:36 -04:00
committed by GitHub
parent 83bc2f3889
commit c9a0cac055
3 changed files with 7 additions and 3 deletions


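--- a/PATH_NOT_SHOWN_file1
+++ b/PATH_NOT_SHOWN_file1
@@ -114,6 +114,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
 | OIDC_GROUPS_CLAIM | groups | Optional if not using `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. This is the claim Mealie will request from your IdP and will use to compare to `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP` to allow the user to log in to Mealie or is set as an admin. **Your IdP must be configured to grant this claim** |
 | OIDC_SCOPES_OVERRIDE | None | Advanced configuration used to override the scopes requested from the IdP. **Most users won't need to change this**. At a minimum, 'openid profile email' are required. |
 | OIDC_TLS_CACERTFILE | None | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) |
+| OIDC_CLIENT_TIMEOUT | default | Configures the timeout value of the httpx client used for OIDC communications. If set to the string `default`, does not configure the value (uses the library's default of 5.0s). If set to the string `None`, disables the timeout entirely. If set to a numeric value, uses that as the timeout. |
 ### OpenAI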


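--- a/PATH_NOT_SHOWN_file2
+++ b/PATH_NOT_SHOWN_file2
@@ -3,7 +3,7 @@ import os
 import secrets
 from datetime import UTC, datetime
 from pathlib import Path
-from typing import Annotated, Any, NamedTuple
+from typing import Annotated, Any, Literal, NamedTuple
 from dateutil.tz import tzlocal
 from pydantic import PlainSerializer, field_validator
@@ -349,6 +349,7 @@ class AppSettings(AppLoggingSettings):
 OIDC_GROUPS_CLAIM: str | None = "groups"
 OIDC_SCOPES_OVERRIDE: str | None = None
 OIDC_TLS_CACERTFILE: str | None = None
+OIDC_CLIENT_TIMEOUT: float | Literal["None", "default"] = "default"
 @property
 def OIDC_REQUIRES_GROUP_CLAIM(self) -> bool: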
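Review bot: The new `OIDC_CLIENT_TIMEOUT` field accepts any float, so a zero or negative value passes settings validation and is handed straight to the httpx client, where it would make every IdP request time out at once (or be rejected only at request time — not confirmed from here) instead of failing loudly at startup. Since `field_validator` is already imported at the top of this file, an after-validator on the field that rejects non-positive numbers would surface the misconfiguration before the first login attempt. The `"None"` sentinel also deserves a comment on the field, because it removes the timeout entirely and a stalled IdP then holds the login request open indefinitely: `# "None" disables the httpx timeout; a stalled IdP then blocks the login request indefinitely`. The `AppSettings` class continues outside the hunk.
```python
    OIDC_CLIENT_TIMEOUT: float | Literal["None", "default"] = "default"

    @field_validator("OIDC_CLIENT_TIMEOUT")
    @classmethod
    def _check_oidc_client_timeout(cls, value: float | str) -> float | str:
        # 0 and negatives are valid floats but useless timeouts; reject them at startup.
        if not isinstance(value, str) and value <= 0:
            raise ValueError("OIDC_CLIENT_TIMEOUT must be a positive number, 'None', or 'default'")
        return value
```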


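--- a/PATH_NOT_SHOWN_file3
+++ b/PATH_NOT_SHOWN_file3
@@ -1,4 +1,4 @@
-from typing import Annotated
+from typing import Annotated, Any
 from authlib.integrations.starlette_client import OAuth
 from fastapi import APIRouter, Depends, Header, Request, Response, status
@@ -36,7 +36,9 @@ if settings.OIDC_READY:
 else:
 groups_claim = settings.OIDC_GROUPS_CLAIM if settings.OIDC_REQUIRES_GROUP_CLAIM else ""
 scope = f"openid email profile {groups_claim}"
-client_args = {"scope": scope.rstrip()}
+client_args: dict[str, Any] = {"scope": scope.rstrip()}
+if settings.OIDC_CLIENT_TIMEOUT != "default":
+client_args["timeout"] = settings.OIDC_CLIENT_TIMEOUT if settings.OIDC_CLIENT_TIMEOUT != "None" else None
 if settings.OIDC_TLS_CACERTFILE:
 client_args["verify"] = settings.OIDC_TLS_CACERTFILE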
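Review bot: The sentinel decoding for `OIDC_CLIENT_TIMEOUT` (`"default"` means leave httpx's own timeout, `"None"` means pass `None`) is done inline in the route module at the two new `if` and assignment lines, so any other consumer of the setting would have to repeat the same string comparisons; a property on the settings class that returns the resolved value, with the "do not set" case handled once, would keep this in one place. If the decoding stays here, the `None` branch needs a why-comment, since it removes the client timeout altogether and a stalled IdP then keeps the login request (and its worker) open indefinitely: `# "None" disables the httpx timeout entirely; a stalled IdP then blocks the login request indefinitely`. The surrounding `if settings.OIDC_READY` / `else` block starts outside the hunk.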