From 94712fc7fd5c1120a7aff17848e5cfa60f75d141 Mon Sep 17 00:00:00 2001
From: Semprini
Date: Mon, 11 May 2026 11:00:03 +1200
Subject: [PATCH] ca_bundle

---
 .env.example | 3 +++
 README.md | 15 +++++++++++++++
 app/core/auth.py | 7 ++++++-
 app/core/settings.py | 9 +++++++++
 4 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/.env.example b/.env.example
index 1662073..ba3dbe9 100644
--- a/.env.example
+++ b/.env.example
@@ -2,3 +2,6 @@ SESSION_SECRET_KEY="replace-with-a-random-secret"
 AZURE_TENANT_ID=""
 AZURE_CLIENT_ID=""
 AZURE_CLIENT_SECRET=""
+AZURE_OAUTH_VERIFY_SSL="true"
+# Optional: path to your corporate root CA bundle (preferred over disabling SSL)
+# AZURE_OAUTH_CA_BUNDLE="/etc/ssl/certs/corporate-root-ca.pem"
diff --git a/README.md b/README.md
index 130efee..96b6b11 100644
--- a/README.md
+++ b/README.md
@@ -69,10 +69,25 @@ SESSION_SECRET_KEY=""
 AZURE_TENANT_ID=""
 AZURE_CLIENT_ID=""
 AZURE_CLIENT_SECRET=""
+AZURE_OAUTH_VERIFY_SSL="true"
 ```
 
 The app automatically loads `.env` on startup.
 
+### Corporate Firewall / SSL Interception
+
+If `/login` fails with `SSL:CERTIFICATE_VERIFY_FAILED` behind a corporate proxy/firewall, prefer trusting your corporate CA:
+
+```bash
+AZURE_OAUTH_CA_BUNDLE="/path/to/corporate-root-ca.pem"
+```
+
+For local dev only, you can temporarily disable verification:
+
+```bash
+AZURE_OAUTH_VERIFY_SSL="false"
+```
+
 ## Run Locally (Using uv)
 
 1. Create a virtual environment:
diff --git a/app/core/auth.py b/app/core/auth.py
index 322029d..644b670 100644
--- a/app/core/auth.py
+++ b/app/core/auth.py
@@ -9,6 +9,11 @@ from app.core.settings import get_settings
 def get_oauth() -> OAuth:
     settings = get_settings()
     oauth = OAuth()
+    verify_ssl: bool | str = (
+        settings.azure_oauth_ca_bundle
+        if settings.azure_oauth_ca_bundle
+        else settings.azure_oauth_verify_ssl
+    )
     oauth.register(
         name="azure",
         client_id=settings.azure_client_id,
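Review bot: Resolving `verify_ssl` to `False` leaves no trace at runtime, so an `AZURE_OAUTH_VERIFY_SSL="false"` that leaks from a dev `.env` into another environment silently turns every token exchange with login.microsoftonline.com into a connection whose peer is never authenticated. Log it where the value is resolved, e.g. `if verify_ssl is False: logger.warning("AZURE_OAUTH_VERIFY_SSL=false: TLS verification of the Azure OAuth endpoints is disabled")` (the module would need a `logging.getLogger(__name__)` logger, which the hunk does not show). The precedence — a configured bundle wins even when the flag is off — is sensible but undocumented; a comment above the expression such as `# A CA bundle path takes precedence over AZURE_OAUTH_VERIFY_SSL; the flag only matters when no bundle is set.` would make it explicit. The `bool | str` annotation also requires Python 3.10+ or `from __future__ import annotations`, neither of which is visible here. get_oauth's body continues in the next hunk.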
@@ -17,6 +22,6 @@ def get_oauth() -> OAuth:
             f"https://login.microsoftonline.com/{settings.azure_tenant_id}"
             "/v2.0/.well-known/openid-configuration"
         ),
-        client_kwargs={"scope": "openid profile email"},
+        client_kwargs={"scope": "openid profile email", "verify": verify_ssl},
     )
     return oauth
diff --git a/app/core/settings.py b/app/core/settings.py
index aeb00b2..d99322a 100644
--- a/app/core/settings.py
+++ b/app/core/settings.py
@@ -9,6 +9,13 @@ PROJECT_ROOT = Path(__file__).resolve().parents[2]
 load_dotenv(PROJECT_ROOT / ".env")
 
 
+def _env_bool(name: str, default: bool) -> bool:
+    value = getenv(name)
+    if value is None:
+        return default
+    return value.strip().lower() in {"1", "true", "yes", "on"}
+
+
 class Settings:
     def __init__(self) -> None:
         self.session_secret_key = getenv(
@@ -17,6 +24,8 @@ class Settings:
         self.azure_tenant_id = getenv("AZURE_TENANT_ID")
         self.azure_client_id = getenv("AZURE_CLIENT_ID")
         self.azure_client_secret = getenv("AZURE_CLIENT_SECRET")
+        self.azure_oauth_verify_ssl = _env_bool("AZURE_OAUTH_VERIFY_SSL", True)
+        self.azure_oauth_ca_bundle = getenv("AZURE_OAUTH_CA_BUNDLE")
 
     @property
     def azure_configured(self) -> bool:
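Review bot: `_env_bool` fails open on any value outside its truthy set, so a typo such as `AZURE_OAUTH_VERIFY_SSL="ture"` or an empty `AZURE_OAUTH_VERIFY_SSL=""` — the pattern the README block uses for every other variable — silently disables TLS verification instead of keeping the `True` default passed by the caller. For a flag that guards certificate checking, the parser should recognise both spellings explicitly, treat an empty value as unset, and reject anything else at startup rather than guess. The function also lacks a docstring; the rewrite below adds one stating that unrecognised values raise.
```python
def _env_bool(name: str, default: bool) -> bool:
    """Parse a boolean environment variable.

    Unset or empty values yield ``default``; unrecognised values raise so a
    misspelling can never silently flip a security-relevant flag.
    """
    value = getenv(name)
    if value is None or not value.strip():
        return default
    normalised = value.strip().lower()
    if normalised in {"1", "true", "yes", "on"}:
        return True
    if normalised in {"0", "false", "no", "off"}:
        return False
    raise ValueError(f"{name} must be true/false, got {value!r}")
```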
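Review bot: `azure_oauth_ca_bundle` is stored as whatever string was set, so a mistyped path is presumably only discovered when the first `/login` builds its SSL context, and because auth.py lets the bundle override `AZURE_OAUTH_VERIFY_SSL` the resulting error will not mention which setting is at fault. Validate it here, where `Path` is already imported: `if self.azure_oauth_ca_bundle and not Path(self.azure_oauth_ca_bundle).is_file(): raise FileNotFoundError(f"AZURE_OAUTH_CA_BUNDLE does not exist: {self.azure_oauth_ca_bundle}")`. A short attribute comment, `# Path to a PEM bundle for proxies that re-sign TLS; overrides azure_oauth_verify_ssl when set`, would also help the next reader. Settings.__init__ starts outside the hunk.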