feat: add verify_ssl flag

lc-spxl · lc-spxl · commit bbe21f6c922c · 2026-02-28T07:15:25.000+01:00
diff --git a/src/celine/sdk/auth/oidc.py b/src/celine/sdk/auth/oidc.py
@@ -18,14 +18,16 @@ def __init__(
         client_secret: str,
         scope: str | None = None,
         timeout: float = 10.0,
+        verify_ssl: bool = True,
     ):
         super().__init__()
-        self._discovery = OidcDiscoveryClient(base_url, timeout)
+        self._discovery = OidcDiscoveryClient(base_url, timeout, verify_ssl=verify_ssl)
         self._client_id = client_id
         self._client_secret = client_secret
         self._scope = scope
         self._timeout = timeout
         self._token: AccessToken | None = None
+        self._verify_ssl = verify_ssl
 
     async def get_token(self) -> AccessToken:
         if self._token and self._token.is_valid():
@@ -53,7 +55,9 @@ async def _authenticate(self) -> AccessToken:
         if self._scope:
             data["scope"] = self._scope
 
-        async with httpx.AsyncClient(timeout=self._timeout) as client:
+        async with httpx.AsyncClient(
+            timeout=self._timeout, verify=self._verify_ssl
+        ) as client:
             r = await client.post(cfg.token_endpoint, data=data)
             r.raise_for_status()
             payload = r.json()
@@ -69,7 +73,9 @@ async def _refresh(self, refresh_token: str) -> AccessToken:
             "client_secret": self._client_secret,
         }
 
-        async with httpx.AsyncClient(timeout=self._timeout) as client:
+        async with httpx.AsyncClient(
+            timeout=self._timeout, verify=self._verify_ssl
+        ) as client:
             r = await client.post(cfg.token_endpoint, data=data)
             r.raise_for_status()
             payload = r.json()
diff --git a/src/celine/sdk/auth/oidc_discovery.py b/src/celine/sdk/auth/oidc_discovery.py
@@ -13,17 +13,22 @@ class OidcConfiguration:
 
 
 class OidcDiscoveryClient:
-    def __init__(self, issuer_base_url: str, timeout: float = 10.0):
+    def __init__(
+        self, issuer_base_url: str, timeout: float = 10.0, verify_ssl: bool = True
+    ):
         self._issuer = issuer_base_url.rstrip("/")
         self._timeout = timeout
         self._config: OidcConfiguration | None = None
+        self._verify_ssl = verify_ssl
 
     async def get_config(self) -> OidcConfiguration:
         if self._config:
             return self._config
 
         url = f"{self._issuer}/.well-known/openid-configuration"
-        async with httpx.AsyncClient(timeout=self._timeout) as client:
+        async with httpx.AsyncClient(
+            timeout=self._timeout, verify=self._verify_ssl
+        ) as client:
             r = await client.get(url)
             r.raise_for_status()
             payload = r.json()
diff --git a/src/celine/sdk/settings/models.py b/src/celine/sdk/settings/models.py
@@ -10,6 +10,7 @@ class OidcSettings(BaseSettings):
     model_config = SettingsConfigDict(env_prefix="CELINE_OIDC_", extra="ignore")
 
     timeout: float = 10.0
+    verify_ssl: bool = Field(default=True, description="Verify TLS certificates")
 
     scope: str | None = Field(default=None, description="OAuth2 scope string")
 
