ca_bundle

.env.example

@@ -2,3 +2,6 @@ SESSION_SECRET_KEY="replace-with-a-random-secret"
 AZURE_TENANT_ID="<your-tenant-id>"
 AZURE_CLIENT_ID="<your-client-id>"
 AZURE_CLIENT_SECRET="<your-client-secret>"
+AZURE_OAUTH_VERIFY_SSL="true"
+# Optional: path to your corporate root CA bundle (preferred over disabling SSL)
+# AZURE_OAUTH_CA_BUNDLE="/etc/ssl/certs/corporate-root-ca.pem"

README.md

@@ -69,10 +69,25 @@ SESSION_SECRET_KEY="<output-from-python-command>"
 AZURE_TENANT_ID="<your-tenant-id>"
 AZURE_CLIENT_ID="<your-client-id>"
 AZURE_CLIENT_SECRET="<your-client-secret>"
+AZURE_OAUTH_VERIFY_SSL="true"
 ```
 
 The app automatically loads `.env` on startup.
 
+### Corporate Firewall / SSL Interception
+
+If `/login` fails with `SSL:CERTIFICATE_VERIFY_FAILED` behind a corporate proxy/firewall, prefer trusting your corporate CA:
+
+```bash
+AZURE_OAUTH_CA_BUNDLE="/path/to/corporate-root-ca.pem"
+```
+
+For local dev only, you can temporarily disable verification:
+
+```bash
+AZURE_OAUTH_VERIFY_SSL="false"
+```
+
 ## Run Locally (Using uv)
 
 1. Create a virtual environment:

app/core/auth.py

@@ -9,6 +9,11 @@ from app.core.settings import get_settings
 def get_oauth() -> OAuth:
     settings = get_settings()
     oauth = OAuth()
+    verify_ssl: bool | str = (
+        settings.azure_oauth_ca_bundle
+        if settings.azure_oauth_ca_bundle
+        else settings.azure_oauth_verify_ssl
+    )
     oauth.register(
         name="azure",
         client_id=settings.azure_client_id,
@@ -17,6 +22,6 @@ def get_oauth() -> OAuth:
             f"https://login.microsoftonline.com/{settings.azure_tenant_id}"
             "/v2.0/.well-known/openid-configuration"
         ),
-        client_kwargs={"scope": "openid profile email"},
+        client_kwargs={"scope": "openid profile email", "verify": verify_ssl},
     )
     return oauth

app/core/settings.py

@@ -9,6 +9,13 @@ PROJECT_ROOT = Path(__file__).resolve().parents[2]
 load_dotenv(PROJECT_ROOT / ".env")
 
 
+def _env_bool(name: str, default: bool) -> bool:
+    value = getenv(name)
+    if value is None:
+        return default
+    return value.strip().lower() in {"1", "true", "yes", "on"}
+
+
 class Settings:
     def __init__(self) -> None:
         self.session_secret_key = getenv(
@@ -17,6 +24,8 @@ class Settings:
         self.azure_tenant_id = getenv("AZURE_TENANT_ID")
         self.azure_client_id = getenv("AZURE_CLIENT_ID")
         self.azure_client_secret = getenv("AZURE_CLIENT_SECRET")
+        self.azure_oauth_verify_ssl = _env_bool("AZURE_OAUTH_VERIFY_SSL", True)
+        self.azure_oauth_ca_bundle = getenv("AZURE_OAUTH_CA_BUNDLE")
 
     @property
     def azure_configured(self) -> bool: