microsoft / CCF

Confidential Consortium Framework
https://microsoft.github.io/CCF/
Apache License 2.0

Fix jwt_test #6161

Closed achamayou closed 2 weeks ago

achamayou commented 2 weeks ago

For the purpose of testing JWT authentication, we need to set a root CA used to validate the connections made to fetch the list of keys and the keys themselves.

The test had historically used SSLContext.get_ca_certs(), which would contain the root of trust loaded to validate the peer. The behaviour seems to have changed recently, and a large list (but not quite all the CA cert store) is returned instead.

In the absence of another API that can be used to conveniently fetch the root authority ultimately used to check the chain ending in a server's leaf cert, this PR hardcodes the DigiCert Global Root CA, used by Entra. Although the hardcoding is unfortunate, the expiry date on the cert (2031) should mean that the test doesn't need updating for some time.
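An added example, not part of the PR or of CCF's test code: given a list in the shape `SSLContext.get_ca_certs()` returns, it picks out one self-issued root by common name and reports how long a pinned root has left before expiry. The helper names and the sample entries are constructed for illustration (the 2031 year matches the expiry mentioned above); it does not determine which root validated a particular peer's chain.

```python
import ssl
from datetime import datetime, timezone

def _rdn(cn, org="Example Org"):
    # Build a name in the nested-tuple form used by the ssl module.
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed sample in the shape SSLContext.get_ca_certs() returns.
SAMPLE_CA_CERTS = [
    {"subject": _rdn("DigiCert Global Root CA", "DigiCert Inc"),
     "issuer": _rdn("DigiCert Global Root CA", "DigiCert Inc"),
     "notAfter": "Nov 10 00:00:00 2031 GMT"},
    {"subject": _rdn("Example Issuing CA"),  # intermediate, not a root
     "issuer": _rdn("Example Root CA"),
     "notAfter": "Jan 15 00:00:00 2030 GMT"},
    {"subject": _rdn("Example Root CA"),
     "issuer": _rdn("Example Root CA"),
     "notAfter": "Jan 15 00:00:00 2040 GMT"},
]

def common_name(name):
    """Return the commonName from an ssl-style name tuple, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def find_root(ca_certs, cn):
    """Return the single self-issued entry whose subject CN equals cn."""
    matches = [c for c in ca_certs
               if c["subject"] == c["issuer"] and common_name(c["subject"]) == cn]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one root named {cn!r}, found {len(matches)}")
    return matches[0]

def days_until_expiry(cert, now):
    """Whole days between now (an aware UTC datetime) and the cert's notAfter."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(seconds, tz=timezone.utc) - now).days

if __name__ == "__main__":
    root = find_root(SAMPLE_CA_CERTS, "DigiCert Global Root CA")
    print(common_name(root["subject"]),
          days_until_expiry(root, datetime.now(timezone.utc)))
```

Against a live trust store, pass `ssl.create_default_context().get_ca_certs()` as the first argument of `find_root` instead of the sample list.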