paul/css-test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ca_bundle

Browse Source
This commit is contained in:
Paul Atkin
2026-05-11 11:00:03 +12:00
parent 9130629b58
commit 94712fc7fd
4 changed files with 33 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+3
View File
@@ -2,3 +2,6 @@ SESSION_SECRET_KEY="replace-with-a-random-secret"
AZURE_TENANT_ID="<your-tenant-id>" AZURE_TENANT_ID="<your-tenant-id>"
AZURE_CLIENT_ID="<your-client-id>" AZURE_CLIENT_ID="<your-client-id>"
AZURE_CLIENT_SECRET="<your-client-secret>" AZURE_CLIENT_SECRET="<your-client-secret>"
AZURE_OAUTH_VERIFY_SSL="true"
# Optional: path to your corporate root CA bundle (preferred over disabling SSL)
# AZURE_OAUTH_CA_BUNDLE="/etc/ssl/certs/corporate-root-ca.pem"
README.md
+15
View File
@@ -69,10 +69,25 @@ SESSION_SECRET_KEY="<output-from-python-command>"
AZURE_TENANT_ID="<your-tenant-id>" AZURE_TENANT_ID="<your-tenant-id>"
AZURE_CLIENT_ID="<your-client-id>" AZURE_CLIENT_ID="<your-client-id>"
AZURE_CLIENT_SECRET="<your-client-secret>" AZURE_CLIENT_SECRET="<your-client-secret>"
AZURE_OAUTH_VERIFY_SSL="true"
``` ```
The app automatically loads `.env` on startup. The app automatically loads `.env` on startup.
### Corporate Firewall / SSL Interception
If `/login` fails with `SSL:CERTIFICATE_VERIFY_FAILED` behind a corporate proxy/firewall, prefer trusting your corporate CA:
```bash
AZURE_OAUTH_CA_BUNDLE="/path/to/corporate-root-ca.pem"
```
For local dev only, you can temporarily disable verification:
```bash
AZURE_OAUTH_VERIFY_SSL="false"
```
## Run Locally (Using uv) ## Run Locally (Using uv)
1. Create a virtual environment: 1. Create a virtual environment:
app/core/auth.py
+6 -1
View File
@@ -9,6 +9,11 @@ from app.core.settings import get_settings
def get_oauth() -> OAuth: def get_oauth() -> OAuth:
settings = get_settings() settings = get_settings()
oauth = OAuth() oauth = OAuth()
verify_ssl: bool | str = (
settings.azure_oauth_ca_bundle
if settings.azure_oauth_ca_bundle
else settings.azure_oauth_verify_ssl
)
oauth.register( oauth.register(
name="azure", name="azure",
client_id=settings.azure_client_id, client_id=settings.azure_client_id,
@@ -17,6 +22,6 @@ def get_oauth() -> OAuth:
f"https://login.microsoftonline.com/{settings.azure_tenant_id}" f"https://login.microsoftonline.com/{settings.azure_tenant_id}"
"/v2.0/.well-known/openid-configuration" "/v2.0/.well-known/openid-configuration"
), ),
client_kwargs={"scope": "openid profile email"}, client_kwargs={"scope": "openid profile email", "verify": verify_ssl},
) )
return oauth return oauth
app/core/settings.py
+9
View File
@@ -9,6 +9,13 @@ PROJECT_ROOT = Path(__file__).resolve().parents[2]
load_dotenv(PROJECT_ROOT / ".env") load_dotenv(PROJECT_ROOT / ".env")
def _env_bool(name: str, default: bool) -> bool:
value = getenv(name)
if value is None:
return default
return value.strip().lower() in {"1", "true", "yes", "on"}
class Settings: class Settings:
def __init__(self) -> None: def __init__(self) -> None:
self.session_secret_key = getenv( self.session_secret_key = getenv(
@@ -17,6 +24,8 @@ class Settings:
self.azure_tenant_id = getenv("AZURE_TENANT_ID") self.azure_tenant_id = getenv("AZURE_TENANT_ID")
self.azure_client_id = getenv("AZURE_CLIENT_ID") self.azure_client_id = getenv("AZURE_CLIENT_ID")
self.azure_client_secret = getenv("AZURE_CLIENT_SECRET") self.azure_client_secret = getenv("AZURE_CLIENT_SECRET")
self.azure_oauth_verify_ssl = _env_bool("AZURE_OAUTH_VERIFY_SSL", True)
self.azure_oauth_ca_bundle = getenv("AZURE_OAUTH_CA_BUNDLE")
@property @property
def azure_configured(self) -> bool: def azure_configured(self) -> bool: