From c9a0cac055db32e2d7673ffa37d228598eabe40a Mon Sep 17 00:00:00 2001
From: "Xavier L."
Date: Mon, 20 Apr 2026 23:22:36 -0400
Subject: [PATCH] fix: Allow user-configurable OIDC timeout (#7496)
---
 .../getting-started/installation/backend-config.md | 1 +
 mealie/core/settings/settings.py | 3 ++-
 mealie/routes/auth/auth.py | 6 ++++--
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/docs/docs/documentation/getting-started/installation/backend-config.md b/docs/docs/documentation/getting-started/installation/backend-config.md
index 40c3a1e3a..5e3af414d 100644
--- a/docs/docs/documentation/getting-started/installation/backend-config.md
+++ b/docs/docs/documentation/getting-started/installation/backend-config.md
@@ -114,6 +114,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
 | OIDC_GROUPS_CLAIM | groups | Optional if not using `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. This is the claim Mealie will request from your IdP and will use to compare to `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP` to allow the user to log in to Mealie or is set as an admin. **Your IdP must be configured to grant this claim** |
 | OIDC_SCOPES_OVERRIDE | None | Advanced configuration used to override the scopes requested from the IdP. **Most users won't need to change this**. At a minimum, 'openid profile email' are required. |
 | OIDC_TLS_CACERTFILE | None | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) |
+| OIDC_CLIENT_TIMEOUT | default | Configures the timeout value of the httpx client used for OIDC communications. If set to the string `default`, does not configure the value (uses the library's default of 5.0s). If set to the string `None`, disables the timeout entirely. If set to a numeric value, uses that as the timeout. |
 ### OpenAI
diff --git a/mealie/core/settings/settings.py b/mealie/core/settings/settings.py
index 475d79ed3..780ec15f0 100644
--- a/mealie/core/settings/settings.py
+++ b/mealie/core/settings/settings.py
@@ -3,7 +3,7 @@ import os
 import secrets
 from datetime import UTC, datetime
 from pathlib import Path
-from typing import Annotated, Any, NamedTuple
+from typing import Annotated, Any, Literal, NamedTuple
 from dateutil.tz import tzlocal
 from pydantic import PlainSerializer, field_validator
@@ -349,6 +349,7 @@ class AppSettings(AppLoggingSettings):
 OIDC_GROUPS_CLAIM: str | None = "groups"
 OIDC_SCOPES_OVERRIDE: str | None = None
 OIDC_TLS_CACERTFILE: str | None = None
+ OIDC_CLIENT_TIMEOUT: float | Literal["None", "default"] = "default"
 @property
 def OIDC_REQUIRES_GROUP_CLAIM(self) -> bool:
diff --git a/mealie/routes/auth/auth.py b/mealie/routes/auth/auth.py
index d5d961ef2..645f890b1 100644
--- a/mealie/routes/auth/auth.py
+++ b/mealie/routes/auth/auth.py
@@ -1,4 +1,4 @@
-from typing import Annotated
+from typing import Annotated, Any
 from authlib.integrations.starlette_client import OAuth
 from fastapi import APIRouter, Depends, Header, Request, Response, status
@@ -36,7 +36,9 @@ if settings.OIDC_READY:
 else:
 groups_claim = settings.OIDC_GROUPS_CLAIM if settings.OIDC_REQUIRES_GROUP_CLAIM else ""
 scope = f"openid email profile {groups_claim}"
- client_args = {"scope": scope.rstrip()}
+ client_args: dict[str, Any] = {"scope": scope.rstrip()}
+ if settings.OIDC_CLIENT_TIMEOUT != "default":
+ client_args["timeout"] = settings.OIDC_CLIENT_TIMEOUT if settings.OIDC_CLIENT_TIMEOUT != "None" else None
 if settings.OIDC_TLS_CACERTFILE:
 client_args["verify"] = settings.OIDC_TLS_CACERTFILE
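Review bot: The new `OIDC_CLIENT_TIMEOUT` field in the `AppSettings` hunk accepts any float, so zero, negative values and (depending on how pydantic parses the environment string) `inf`/`nan` would pass validation and reach the OIDC HTTP client unchecked. A validator that rejects non-positive or non-finite numbers would turn a typo into a clear startup error rather than a login flow that fails or hangs at runtime; `field_validator` is already imported in this file. The two literals are also case-sensitive, so `none` or `Default` will be rejected, which is worth stating in the docs row or normalising in the same validator. The class body starts and continues outside the hunk, so the placement below is only a suggestion.

```python
    OIDC_CLIENT_TIMEOUT: float | Literal["None", "default"] = "default"

    @field_validator("OIDC_CLIENT_TIMEOUT")
    @classmethod
    def validate_oidc_client_timeout(cls, value):
        # Sentinel strings pass through; a number must be a positive, finite count of seconds.
        if not isinstance(value, str) and not 0 < value < float("inf"):
            raise ValueError("OIDC_CLIENT_TIMEOUT must be a positive number, 'default' or 'None'")
        return value
```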
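Review bot: When `OIDC_CLIENT_TIMEOUT` is `"None"`, the added `client_args["timeout"] = ... else None` line in the `if settings.OIDC_READY:` hunk removes the timeout altogether, so a stalled or slow identity provider can hold each login request open indefinitely; because these calls sit on the sign-in path, that is an availability risk the operator should be told about. I would keep the option but make it visible, for example with a startup warning in this branch (assuming the module has a logger, which the hunk does not show), and split the nested conditional so the sentinel mapping is readable: `timeout = settings.OIDC_CLIENT_TIMEOUT` followed by `client_args["timeout"] = None if timeout == "None" else timeout  # None disables the httpx timeout`. How `client_args` is handed to the OAuth client is outside the hunk, so I am assuming the `timeout` key is forwarded to httpx as the new docs row states.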