aiohttp and zero trust ssl verification issue
When one uses zero trust solutions like Zscaler or Netskope, they act like a proxy and inject their own SSL certificate. This often results in SSL cert verification errors like:
An error occurred: HTTPSConnectionPool(host='xxx.xxx.xxx', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1018)')))
The Python requests library allows one to set an env variable, REQUESTS_CA_BUNDLE, which it will load. You import the security vendor's root cert into certifi and point to its truststore and the SSL verification succeeds.
I found a long bug thread for aiohttp discussing this, and they suggest ways to construct the sslContext for users of aiohttp to address this same concern without using ENV variables.
https://github.com/aio-libs/aiohttp/issues/3180
The problem is that one can't do this when aiohttp is used in some other project...in this case the okta client.
I am unable to use the okta client and have to rewrite everything using the requests library...which I have working.
Is there a way to configure the okta client to be aware of custom certs and pass them to aiohttp appropriately?
I will attempt this: https://github.com/okta/okta-sdk-python/tree/master?tab=readme-ov-file#other-configuration-options
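
An added example, not part of the original post and not code from aiohttp or the Okta SDK: one way to build the sslContext discussed in the aiohttp issue so that verification stays on and the proxy vendor's root CA is trusted in addition to the system roots. The names find_ca_bundle, build_ssl_context and fetch_status are hypothetical, and falling back to SSL_CERT_FILE is an assumption beyond what the post mentions.

```python
import os
import ssl

# Checked in order. REQUESTS_CA_BUNDLE is the variable named in the post;
# SSL_CERT_FILE is the OpenSSL convention (assumption: you want it as a fallback).
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")


def find_ca_bundle(environ=os.environ):
    """Return the first CA bundle path named in the environment, or None."""
    for name in CA_ENV_VARS:
        path = environ.get(name)
        if path:
            # Fail closed: a typo in the path should be loud, not a silent
            # fallback that later surfaces as CERTIFICATE_VERIFY_FAILED.
            if not os.path.isfile(path):
                raise FileNotFoundError(f"{name} points to a missing file: {path}")
            return path
    return None


def build_ssl_context(environ=os.environ):
    """Verifying context: system roots plus the configured bundle, if any."""
    # create_default_context() sets CERT_REQUIRED and enables hostname checks.
    ctx = ssl.create_default_context()
    bundle = find_ca_bundle(environ)
    if bundle:
        # Adds the bundle's CAs to the trust store; it does not replace it.
        ctx.load_verify_locations(cafile=bundle)
    return ctx


async def fetch_status(url, environ=os.environ):
    """GET url through aiohttp using the context above; return the status."""
    import aiohttp  # lazy import so the helpers above work without aiohttp

    connector = aiohttp.TCPConnector(ssl=build_ssl_context(environ))
    async with aiohttp.ClientSession(connector=connector) as session:
        async with session.get(url) as resp:
            return resp.status
```

This only helps where you control how the aiohttp session or connector is created; a library that builds its own session internally has to expose a way to pass the context or CA path through.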