diff --git a/app.py b/app.py
index b7aa3959f89627ae87e3959efd020200e1c339da..8f5cee366b2040c4d61a8c00ad5d1d965fa1c896 100644
--- a/app.py
+++ b/app.py
@@ -1,3 +1,4 @@
+import os
 from functools import wraps
 import secrets, json
 import urllib.parse
@@ -9,9 +10,9 @@ from requests_oauthlib import OAuth2Session
 app = Flask(__name__)
 app.secret_key = b'my secret'
 app.config['SESSION_COOKIE_NAME'] = 'oauth-session'
-app.config['OAUTH2_AUTH_URL'] = 'https://localhost:5001/oauth2/authorize'
-app.config['OAUTH2_TOKEN_URL'] = 'https://localhost:5001/oauth2/token'
-app.config['OAUTH2_USERINFO_URL'] = 'https://localhost:5001/oauth2/userinfo'
+app.config['OAUTH2_AUTH_URL'] = 'http://localhost:5001/oauth2/authorize'
+app.config['OAUTH2_TOKEN_URL'] = 'http://localhost:5001/oauth2/token'
+app.config['OAUTH2_USERINFO_URL'] = 'http://localhost:5001/oauth2/userinfo'
 
 @app.route("/auth")
 def auth():
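Review bot: The three endpoint assignments on the `+` lines hard-code the `http://` scheme, so the authorization code, the client secret forwarded from `X-CLIENT-SECRET`, and the returned access token are exchanged with localhost:5001 in cleartext, and moving back to TLS later means another source edit. Since this commit already adds `import os`, consider deriving the base URL from the environment with a safe default, e.g. `OAUTH2_BASE = os.environ.get('OAUTH2_BASE_URL', 'https://localhost:5001')` (variable name is an example) and building the three URLs from it, so plaintext has to be opted into explicitly rather than being the committed default. The `auth()` definition that begins on the last line of the hunk continues outside it.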
@@ -37,7 +38,7 @@ def login():
 @app.route("/callback")
 def callback():
 	client = get_oauth(state=session.pop('state'))
-	token = client.fetch_token(app.config['OAUTH2_TOKEN_URL'], client_secret=request.headers['X-CLIENT-SECRET'], authorization_response=request.url, verify=False)
+	token = client.fetch_token(app.config['OAUTH2_TOKEN_URL'], client_secret=request.headers['X-CLIENT-SECRET'], authorization_response=request.url, verify=(not app.debug))
 	userinfo = client.get(app.config['OAUTH2_USERINFO_URL']).json()
 	session['user'] = userinfo['email']
 	return redirect(session.pop('url'))
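Review bot: `verify=(not app.debug)` on the `fetch_token` line ties certificate verification to the debug flag rather than to an explicit setting; with `app.run(debug=True)` in the `__main__` block this is always `False` under the dev launcher, and if the token URL is ever switched back to `https://` while debug stays on, verification is silently skipped. A dedicated config key keeps the two concerns apart, e.g. `verify=app.config.get('OAUTH2_VERIFY_TLS', True)` (key name is a suggestion), set to `False` only in the development configuration. With the `http://` token URL this commit introduces, the `verify` argument has no effect at all, so the coupling adds risk without buying anything for the current setup.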
@@ -75,4 +76,6 @@ a valid redirect_uri for the client_id.
 	return resp
 
 if __name__ == '__main__':
-	app.run(debug=True, host='localhost', port=5002, ssl_context='adhoc')
+	# oauthlib enforces the OAuth2.0 requirement to use HTTPS, when this is not set
+	os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1' # Don't do that in production!
+	app.run(debug=True, host='localhost', port=5002)
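Review bot: The `OAUTHLIB_INSECURE_TRANSPORT` override is only set inside the `__main__` block, while the `http://` endpoints at the top of the file apply however the app is started; under `flask run` or a WSGI server the callback's `fetch_token` will be rejected by oauthlib because the transport is insecure. Either set the variable next to the URL configuration, guarded by the same explicit dev switch, or state the constraint in the comment. The comment itself reads backwards — `# oauthlib refuses plain-HTTP OAuth 2.0 endpoints unless this variable is set; dev only, never in production` describes what the line actually does. Dropping `ssl_context='adhoc'` also means the Flask dev server now listens in plaintext, which only matches the nginx side as long as both stay on loopback.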
diff --git a/testapp/nginx.conf b/testapp/nginx.conf
index 284a5fd3a336f7b14ad7793867351f6a7d35d2a5..06c8b76887f81088d4544fec03fa0d2bbb7dc1a3 100644
--- a/testapp/nginx.conf
+++ b/testapp/nginx.conf
@@ -18,9 +18,11 @@ http {
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
-	ssl on;
-	ssl_certificate ../devcert.crt;
-	ssl_certificate_key ../devcert.key;
+	# OAuth2.0 mandates HTTPS for all involved services. OAuthProxy will refuse
+	# to work over unencrypted connections.
+	#ssl on;
+	#ssl_certificate mycert.crt;
+	#ssl_certificate_key myert.key;
 	server {
 		#listen 50004;
 		#listen [::]:5004;
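Review bot: The new comment above the disabled `ssl` directives says OAuthProxy "will refuse to work over unencrypted connections", which contradicts the rest of this commit (app.py now sets `OAUTHLIB_INSECURE_TRANSPORT` and this file proxies to `http://localhost:5002`), so a reader cannot tell whether TLS is optional or required here. The placeholder `#ssl_certificate_key myert.key;` also looks like a typo for `mycert.key` and will fail the moment someone uncomments it. Suggested wording: `# OAuth 2.0 requires HTTPS in production; TLS is disabled here for local testing only because app.py sets OAUTHLIB_INSECURE_TRANSPORT. Re-enable these directives with real certificate paths before exposing this proxy.` Note that `ssl on;` has been deprecated in newer nginx releases in favour of `listen ... ssl;`, so the re-enabled form should probably use that.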
@@ -39,17 +41,17 @@ http {
 		}
 
 		location /oauthproxy/ {
-			proxy_set_header X-REDIRECT-URI "https://localhost:5004/oauthproxy/callback";
+			# The OAuth client credentials must match those configured on the OAuth server.
+			proxy_set_header X-REDIRECT-URI "http://localhost:5004/oauthproxy/callback";
 			proxy_set_header X-CLIENT-ID "test";
 			proxy_set_header X-CLIENT-SECRET "testsecret";
 			proxy_set_header X-SCOPE "userinfo";
-			proxy_ssl_verify off;
-			proxy_pass https://localhost:5002/;
+			proxy_pass http://localhost:5002/;
 		}
 
 		error_page 401 = @error401;
 		location @error401 {
-			return 302 /oauthproxy/login?url=https://$http_host$request_uri;
+			return 302 /oauthproxy/login?url=http://$http_host$request_uri;
 		}
 
 	}
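Review bot: `return 302 /oauthproxy/login?url=http://$http_host$request_uri;` hard-codes the scheme of the post-login destination, and app.py later redirects to that stored value unconditionally (`redirect(session.pop('url'))` in the callback), so once TLS is re-enabled on this server users would be sent back to a plaintext URL. `$scheme` follows whatever the listener actually uses: `return 302 /oauthproxy/login?url=$scheme://$http_host$request_uri;`. Independently, `$http_host` is the client-supplied Host header, so the redirect target is influenced by the request unless the `server` block restricts accepted hosts via `server_name` with a default catch-all; that is pre-existing but worth tightening while this line is touched. The `X-CLIENT-SECRET "testsecret"` header is now forwarded over plain `proxy_pass http://localhost:5002/`, which is acceptable only while both sides stay on loopback.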