ca_bundle

app/core/auth.py

@@ -9,6 +9,11 @@ from app.core.settings import get_settings
 def get_oauth() -> OAuth:
     settings = get_settings()
     oauth = OAuth()
+    verify_ssl: bool | str = (
+        settings.azure_oauth_ca_bundle
+        if settings.azure_oauth_ca_bundle
+        else settings.azure_oauth_verify_ssl
+    )
     oauth.register(
         name="azure",
         client_id=settings.azure_client_id,
@@ -17,6 +22,6 @@ def get_oauth() -> OAuth:
             f"https://login.microsoftonline.com/{settings.azure_tenant_id}"
             "/v2.0/.well-known/openid-configuration"
         ),
-        client_kwargs={"scope": "openid profile email"},
+        client_kwargs={"scope": "openid profile email", "verify": verify_ssl},
     )
     return oauth

app/core/settings.py

@@ -9,6 +9,13 @@ PROJECT_ROOT = Path(__file__).resolve().parents[2]
 load_dotenv(PROJECT_ROOT / ".env")
 
 
+def _env_bool(name: str, default: bool) -> bool:
+    value = getenv(name)
+    if value is None:
+        return default
+    return value.strip().lower() in {"1", "true", "yes", "on"}
+
+
 class Settings:
     def __init__(self) -> None:
         self.session_secret_key = getenv(
@@ -17,6 +24,8 @@ class Settings:
         self.azure_tenant_id = getenv("AZURE_TENANT_ID")
         self.azure_client_id = getenv("AZURE_CLIENT_ID")
         self.azure_client_secret = getenv("AZURE_CLIENT_SECRET")
+        self.azure_oauth_verify_ssl = _env_bool("AZURE_OAUTH_VERIFY_SSL", True)
+        self.azure_oauth_ca_bundle = getenv("AZURE_OAUTH_CA_BUNDLE")
 
     @property
     def azure_configured(self) -> bool: