Allow self-signed provider

[Nautigsam]

I want to be able to use this library with a local IdP for testing purpose (like Keycloak). I want to use self-signed certificates so I need to disable TLS verifications in that case.

MSAL already offers that as a parameter for ConfidentialApplication, so we just need to mirror it on Auth class.

[rayluo]

If you are referring to the oidc_authority parameter in MSAL, it is already available in identity's Auth class, as documented in the purple box here.

Please let me know by either clarifying the parameter or a thumbs-up and/or closing this issue.

[Nautigsam]

I am sorry I wasn't more specific: I was referring to the verify argument.

[rayluo]

I haven't tried it but, assuming you are also using the requests library for http traffic, perhaps you can give this workaround a try.

export REQUESTS_CA_BUNDLE='your-ca.pem'

[Nautigsam]

It does not seem to work with self-signed certificate 😕

[rayluo]

Hmm, there were some slightly different workarounds mentioned that Q&A. What I meant was this one, export REQUESTS_CA_BUNDLE='your-ca.pem', which some other commenters reported success with. Can you elaborate what you have tried that "does not seem to work"?

[Nautigsam]

I did set REQUESTS_CA_BUNDLE with the path to my Keycloak self-signed certificate. It had no effect.

[rayluo]

I did set REQUESTS_CA_BUNDLE with the path to my Keycloak self-signed certificate. It had no effect.

I don't know what is inside your "keycloak self-signed certificate". Given that the REQUESTS_CA_BUNDLE approach is a documented feature of requests, it is supposed to work. Perhaps, you can double check by using these detailed steps of how to compose that ca bundle file. Someone even came up with a script for that process.

[Nautigsam]

My certificate was faulty, I missed localhost as an Subject Alternative Name.

I am sorry for the false alert, REQUESTS_CA_BUNDLE is definitely the way to go. Thank you for your help.