Conversation
I think adding the ability to add an Http object is worthwhile, but disabling certificate verification at any point is definitely a very bad idea, especially in an authentication flow. Self-signed certificates would be the only even remote exception, but you shouldn't be using a self-signed certificate on an authentication server, anyway.
| warn("HTTP argument is deprecated and unused", DeprecationWarning) | ||
| self.http = http | ||
| else: | ||
| self.http = httplib2.Http() |
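Review bot: the warning text on the first line says the HTTP argument is "deprecated and unused", but the very next line assigns it to `self.http`, which is then the object used for requests, so the argument is honoured rather than unused. Either drop the assignment so the message is accurate, or reword the warning to say the argument is deprecated but still used; the `else:` branch that falls back to `httplib2.Http()` (with validation on by default) is the behaviour the message currently implies for both cases.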
Why use self.http? Why does it need to be part of the class instance? Why not leave the scope local?
I agree with @OneWithTheCore, disabling certificate verification is not an option we want to enable. @databill86 Regarding the HTTP parameter being set on the class instance, what use case do you have that this would be helpful with?
Disabling certificate verification is definitely a bad idea, but here it is only an option, which is disabled by default (so the default setup is a secure setup).
The Requests library has a verify=False optional parameter to skip SSL verification. I can imagine there being situations where skipping verification of SSL certs is necessary/useful. |
This PR solves my issue. I have a self-signed certificate for my
I've added http as a parameter to prevent the creation of a new Http() for every request.
This way, we can also disable ssl certificate verification:
oidc = OpenIDConnect(app, http=httplib2.Http(disable_ssl_certificate_validation=True))
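The thread's point of agreement is that a shared Http object is fine but turning validation off is not, even for a self-signed IdP certificate. The following is an added example (not code from flask-oidc or httplib2, and the helper names are hypothetical) showing the alternative: build one reusable `httplib2.Http()` with `ca_certs` pointing at the IdP's own certificate PEM, so the self-signed certificate is trusted explicitly while verification stays on, and refuse the disabled-validation option up front.

```python
import os

# Hypothetical helpers (not part of flask-oidc or httplib2). They decide how the
# shared httplib2.Http() handed to OpenIDConnect(app, http=...) should be built.
# A self-signed certificate is its own issuer, so the IdP's certificate PEM can
# be loaded as the trust anchor via ca_certs instead of disabling validation.


def audit_http_options(disable_ssl_certificate_validation=False, ca_certs=None):
    """Return the problems with the options that would be passed to
    httplib2.Http(). An empty list means certificate verification stays on
    and any custom trust bundle actually exists."""
    problems = []
    if disable_ssl_certificate_validation:
        problems.append(
            "disable_ssl_certificate_validation=True turns off certificate "
            "verification; the auth flow could be redirected to an impostor IdP"
        )
    if ca_certs is not None and not os.path.isfile(ca_certs):
        problems.append("ca_certs bundle not found: %s" % ca_certs)
    return problems


def build_http(ca_certs=None):
    """Build one httplib2.Http() to reuse for every request (the PR's stated
    goal) without disabling validation. For a self-signed IdP certificate,
    pass the path of that certificate's PEM file as ca_certs; for a public CA,
    leave ca_certs=None and httplib2's default bundle is used."""
    problems = audit_http_options(False, ca_certs)
    if problems:
        raise ValueError("; ".join(problems))
    import httplib2  # imported here so the audit above works without it

    # Keyword arguments ca_certs and disable_ssl_certificate_validation are
    # both real httplib2.Http() parameters; the latter is left at its default.
    return httplib2.Http(ca_certs=ca_certs)


if __name__ == "__main__":
    # Constructed path for illustration; replace with the IdP certificate PEM.
    print(audit_http_options(disable_ssl_certificate_validation=True))
    print(audit_http_options(ca_certs="/etc/ssl/idp/self-signed-idp.pem"))
```

With this in place the call from the PR becomes `OpenIDConnect(app, http=build_http(ca_certs="/path/to/idp.pem"))`, which keeps the single shared Http object while still rejecting any certificate other than the one deployed on the IdP.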