From a1c98ca87be5223bae886d20e314e14fddf0851e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Fri, 10 Oct 2025 14:46:06 +0200
Subject: [PATCH] fix: disable TLS verification explicitly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If verify_tls is False we disable the cert verification in the ssl context.

Signed-off-by: Sébastien Han
---
 .github/workflows/integration-auth-tests.yml |  1 -
 llama_stack/core/server/auth_providers.py    | 13 +++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/integration-auth-tests.yml b/.github/workflows/integration-auth-tests.yml
index ea3ff2b64..447e8c3fa 100644
--- a/.github/workflows/integration-auth-tests.yml
+++ b/.github/workflows/integration-auth-tests.yml
@@ -81,7 +81,6 @@ jobs:
           yq eval '.server.auth.provider_config.issuer = "${{ env.KUBERNETES_ISSUER }}"' -i $run_dir/run.yaml
           yq eval '.server.auth.provider_config.audience = "${{ env.KUBERNETES_AUDIENCE }}"' -i $run_dir/run.yaml
           yq eval '.server.auth.provider_config.jwks.uri = "${{ env.KUBERNETES_API_SERVER_URL }}"' -i $run_dir/run.yaml
-          yq eval '.server.auth.provider_config.jwks.token = "${{ env.TOKEN }}"' -i $run_dir/run.yaml
           cat $run_dir/run.yaml
 
           # avoid line breaks in the server log, especially because we grep it below.
diff --git a/llama_stack/core/server/auth_providers.py b/llama_stack/core/server/auth_providers.py
index 8267daf09..9908a3f65 100644
--- a/llama_stack/core/server/auth_providers.py
+++ b/llama_stack/core/server/auth_providers.py
@@ -112,8 +112,17 @@ class OAuth2TokenAuthProvider(AuthProvider):
         try:
             if self._jwks_client is None:
                 ssl_context = None
-                if self.config.tls_cafile:
-                    ssl_context = ssl.create_default_context(cafile=self.config.tls_cafile.as_posix())
+                if not self.config.verify_tls:
+                    # Disable SSL verification if verify_tls is False
+                    ssl_context = ssl.create_default_context()
+                    ssl_context.check_hostname = False
+                    ssl_context.verify_mode = ssl.CERT_NONE
+                elif self.config.tls_cafile:
+                    # Use custom CA file if provided
+                    ssl_context = ssl.create_default_context(
+                        cafile=self.config.tls_cafile.as_posix(),
+                    )
+                # If verify_tls is True and no tls_cafile, ssl_context remains None (use system defaults)
                 self._jwks_client = jwt.PyJWKClient(
                     self.config.jwks.uri,