oauth regression: ssl verification error with self-signed certificate

[cheggerdev]

I use oauth login to pgAdmin in docker with self-signed certificate and Authentik as IdP.
SSL verification is disabled because of the self-signed certificate.

Docker compose environment variable:
PGADMIN_CONFIG_OAUTH2_SSL_CERT_VERIFICATION=False

OAuth login works fine up to version 9.10.
With Version 9.11 to 9.15 I get an SSL verification error.

To Reproduce

Steps to reproduce the behavior:

1. Install pgAdmin 9.10, configure oauth with self-signed certificate and login
2. Login works
3. Update to pgAdmin 9.11 or newer
4. Login fails

Expected behavior

OAuth login should work.

Error message

{"success":0,"errormsg":"HTTPSConnectionPool(host='authentik.example.com', port=443): Max retries exceeded with url: /application/o/pgadmin/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1081)')))","info":"","result":null,"data":null}

Desktop (please complete the following information):

• OS: Synology NAS
• pgAdmin version: 9.10 working, 9.11+ broken
• Mode: Server
• Browser (if running in server mode): Firefox 151.0.3
• Package type: docker compose container

[dpage]

Thanks for the detailed report. I've been digging into this and could use a bit more detail to pin down the root cause, because I haven't yet been able to reproduce it with a correctly-configured OAUTH2_SSL_CERT_VERIFICATION.

What I've checked so far:

• I reproduced the OIDC discovery fetch (.well-known/openid-configuration) against a self-signed endpoint using the Authlib versions pgAdmin has shipped across 9.10–9.16 (1.5.x, 1.6.5 — the version 9.11 pinned — and 1.7.x). In every case, when OAUTH2_SSL_CERT_VERIFICATION is the boolean False, the discovery fetch correctly skips certificate verification and succeeds.
• The error you're seeing ([SSL: CERTIFICATE_VERIFY_FAILED] ... Basic Constraints of CA cert not marked critical) is a genuine verification failure, i.e. verification is still on at the point of the request — which suggests the OAUTH2_SSL_CERT_VERIFICATION=False isn't being applied to that provider in your setup.

One important detail: pgAdmin reads OAUTH2_SSL_CERT_VERIFICATION per-provider, i.e. as a key inside each entry of OAUTH2_CONFIG — not as a standalone top-level setting. So a top-level PGADMIN_CONFIG_OAUTH2_SSL_CERT_VERIFICATION=False environment variable would be ignored.

To help me reproduce and fix the right thing, could you share:

1. Your OAUTH2_CONFIG entry for this provider (redact client id/secret), exactly as configured — in particular where OAUTH2_SSL_CERT_VERIFICATION sits and whether its value is the boolean false (e.g. in JSON) or the string "False".
2. How you set it: a JSON PGADMIN_CONFIG_OAUTH2_CONFIG, a mounted config_local.py/config_system.py, or individual env vars?
3. The exact pgAdmin image tag where it broke (e.g. dpage/pgadmin4:9.11) and, if you can, the Authlib version inside it (pip show authlib in the container).

With your provider config I can reproduce the exact failure and get a fix in. Thanks!

[cheggerdev]

To help me reproduce and fix the right thing, could you share:

1. Your OAUTH2_CONFIG entry for this provider (redact client id/secret), exactly as configured — in particular where OAUTH2_SSL_CERT_VERIFICATION sits and whether its value is the boolean false (e.g. in JSON) or the string "False".

        environment:
            - TZ=Europe/Berlin
            - PGADMIN_DEFAULT_EMAIL=${PGADMIN_DEFAULT_EMAIL}
            - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD}
            - PGADMIN_LISTEN_PORT=80
            - PGADMIN_CONFIG_SERVER_MODE=True
            #- PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=True
            - PGADMIN_CONFIG_MASTER_PASSWORD=True
            - PGADMIN_CONFIG_AUTHENTICATION_SOURCES=['oauth2', 'internal']
            - PGADMIN_CONFIG_OAUTH2_NAME='authentik'
            - PGADMIN_CONFIG_OAUTH2_DISPLAY_NAME='Authentik'
            - PGADMIN_CONFIG_OAUTH2_CLIENT_ID='<<secret>>'
            - PGADMIN_CONFIG_OAUTH2_CLIENT_SECRET='<<secret>>'
            - PGADMIN_CONFIG_OAUTH2_TOKEN_URL='https://authentik.example.com/application/o/token/'
            - PGADMIN_CONFIG_OAUTH2_AUTHORIZATION_URL='https://authentik.example.com/application/o/authorize/'
            - PGADMIN_CONFIG_OAUTH2_SERVER_METADATA_URL='https://authentik.example.com/application/o/pgadmin/.well-known/openid-configuration'
            - PGADMIN_CONFIG_OAUTH2_API_BASE_URL='https://authentik.example.com/'
            - PGADMIN_CONFIG_OAUTH2_USERINFO_ENDPOINT='https://authentik.example.com/application/o/userinfo/'
            - PGADMIN_CONFIG_OAUTH2_SCOPE='openid email profile'
            - PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER=True
            - PGADMIN_CONFIG_OAUTH2_SSL_CERT_VERIFICATION=False
            - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

2. How you set it: a JSON PGADMIN_CONFIG_OAUTH2_CONFIG, a mounted config_local.py/config_system.py, or individual env vars?

individual env vars in the docker-compose.yml

3. The exact pgAdmin image tag where it broke (e.g. dpage/pgadmin4:9.11)

services:
    pgadmin:
        image: dpage/pgadmin4:9.11

and, if you can, the Authlib version inside it (pip show authlib in the container).

/pgadmin4 # pip show authlib
WARNING: Package(s) not found: authlib
/pgadmin4 # find / -type f -iname \*authlib\*
/venv/bin/google-oauthlib-tool

With your provider config I can reproduce the exact failure and get a fix in. Thanks!

👍