From 4e2aa82ddd3dc9d8096b75d1ac7cc9af4d6072bf Mon Sep 17 00:00:00 2001
From: Yogesh Mahajan
Date: Mon, 4 Dec 2023 11:19:14 +0530
Subject: [PATCH] Provide a way to bypass the SSL cert verification for OAuth2 provider. #6095
---
 docs/en_US/oauth2.rst | 2 ++
 web/config.py | 5 +++++
 web/pgadmin/authenticate/oauth2.py | 4 +++-
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
index 54895cc15..a3d6d0880 100644
--- a/docs/en_US/oauth2.rst
+++ b/docs/en_US/oauth2.rst
@@ -46,6 +46,8 @@ and modify the values for the following parameters:
 "OAUTH2_ADDITIONAL_CLAIMS", "If a dictionary is provided, pgAdmin will check for a matching key and value on the userinfo endpoint and in the Id Token. In case there is no match with the provided config, the user will receive an authorization error. Useful for checking AzureAD_ *wids* or *groups*, GitLab_ *owner*, *maintainer* and *reporter* claims."
+ "OAUTH2_SSL_CERT_VERIFICATION", "Set this variable to False to disable SSL certificate verification for OAuth2 provider.
+ This may need to set False, in case of self-signed certificates."
 Redirect URL
 ============
diff --git a/web/config.py b/web/config.py
index 2b939fba5..5da28634a 100644
--- a/web/config.py
+++ b/web/config.py
@@ -808,6 +808,11 @@ OAUTH2_CONFIG = [
 # 'wids': ["cf1c38e5-3621-4004-a7cb-879624dced7c"],
 # }
 'OAUTH2_ADDITIONAL_CLAIMS': None,
+ # Set this variable to False to disable SSL certificate verification
+ # for OAuth2 provider.
+ # This may need to set False, in case of self-signed certificates.
+ # Ref: https://github.com/psf/requests/issues/6071
+ 'OAUTH2_SSL_CERT_VERIFICATION': True
 }
 ]
diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
index d1b6113aa..5db7eedda 100644
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
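Review bot: The comment added above `'OAUTH2_SSL_CERT_VERIFICATION': True` in web/config.py offers False as the answer for self-signed certificates without saying what is given up: with verification off, pgAdmin can no longer tell the real provider from an intercepting host on its back-channel requests. I would add a line such as `# WARNING: False removes protection against interception of the OAuth2 back-channel; avoid in production.` The value is handed on as `verify` in web/pgadmin/authenticate/oauth2.py, so a path to a CA bundle holding the provider's certificate would presumably work too and keep verification on. That is worth confirming and then documenting here and in docs/en_US/oauth2.rst as the preferred option. The OAUTH2_CONFIG list starts outside the hunk.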
@@ -106,7 +106,9 @@ class OAuth2Authentication(BaseAuthentication):
 authorize_url=oauth2_config['OAUTH2_AUTHORIZATION_URL'],
 api_base_url=oauth2_config['OAUTH2_API_BASE_URL'],
 client_kwargs={'scope': oauth2_config.get(
- 'OAUTH2_SCOPE', 'email profile')},
+ 'OAUTH2_SCOPE', 'email profile'),
+ 'verify': oauth2_config.get(
+ 'OAUTH2_SSL_CERT_VERIFICATION', True)},
 server_metadata_url=oauth2_config.get(
 'OAUTH2_SERVER_METADATA_URL', None)
 )
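Review bot: The new `'verify'` entry in `client_kwargs` passes the configured value through unchanged, so any falsy setting (`None`, `0`, `''`) would presumably turn certificate checking off just as `False` does, and nothing is logged when that happens. Because this client presumably also makes the token and userinfo requests to the provider, I would read the value into a local first and warn when it is falsy, e.g. `if not verify_ssl: current_app.logger.warning('OAuth2: SSL certificate verification is disabled for this provider')`, using whatever logger this module already has in scope. That leaves an audit trail for a deployment running with an unverified identity provider. The enclosing call starts and ends outside the hunk.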