Flask-OIDC redirect_uri value being overwritten somewhere?
The Fix
Use OVERWRITE_REDIRECT_URI = 'https://www.your-server.com/your_oidc_callback_uri' inside the configuration object (the same one where you keep SECRET_KEY or OIDC_SCOPES), e.g.:

    app.config['OVERWRITE_REDIRECT_URI'] = 'https://www.your-server.com/your_oidc_callback_uri'

Why it works
The default behavior of Flask-OIDC is that it uses the /_oidc_callback endpoint on the application server (specified with OIDC_CALLBACK_ROUTE), without changing the scheme or authority part of the URL.
Problems may arise, for example, when someone exposes their application via a reverse proxy over https (for instance using nginx). The Flask application itself does not know that it is exposed via https, so it uses a plain http URL.
The source of this behavior is located in Flask-OIDC's __init__.py file, inside the _flow_for_request(self) function.

    def _flow_for_request(self):
        """
        Build a flow with the correct absolute callback URL for this request.
        :return:
        """
        flow = copy(self.flow)
        redirect_uri = current_app.config['OVERWRITE_REDIRECT_URI']
        if not redirect_uri:
            flow.redirect_uri = url_for('_oidc_callback', _external=True)
        else:
            flow.redirect_uri = redirect_uri
        return flow

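
A startup check for the setting discussed in the answer above, as an added example (not code from Flask-OIDC or from the answer): it mirrors the override-or-build choice of _flow_for_request without Flask and compares the result with the redirect URIs registered for the client. The function names, the base URL the app is assumed to see behind the proxy, and the client secrets layout ("web" / "redirect_uris") are assumptions, and all sample data is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data: the redirect URI registered for the client, and the
# base URL the Flask app sees behind a TLS-terminating reverse proxy.
CLIENT_SECRETS = {"web": {"redirect_uris": [
    "https://www.your-server.com/your_oidc_callback_uri"]}}
APP_SEEN_BASE = "http://www.your-server.com"
CALLBACK_ROUTE = "/your_oidc_callback_uri"  # hypothetical route for this demo

def effective_redirect_uri(config, app_seen_base, callback_route):
    """Same choice as _flow_for_request: the override wins, otherwise the URL
    is built from the scheme and host the application itself sees."""
    override = config.get("OVERWRITE_REDIRECT_URI")
    if override:
        return override
    return app_seen_base.rstrip("/") + callback_route

def check_redirect_uri(uri, registered_uris):
    """Return a list of problems; an empty list means the URI is usable."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("scheme is %r, not https" % parts.scheme)
    if not parts.netloc:
        problems.append("not an absolute URL")
    if parts.fragment:
        problems.append("contains a fragment")
    # Exact string comparison: a scheme or path difference counts as a mismatch.
    if uri not in registered_uris:
        problems.append("not among the client's registered redirect_uris")
    return problems

def demo():
    registered = CLIENT_SECRETS["web"]["redirect_uris"]
    configs = {
        "default": {"OVERWRITE_REDIRECT_URI": False},  # falsy = not set
        "override": {"OVERWRITE_REDIRECT_URI": registered[0]},
    }
    results = {}
    for label, config in configs.items():
        uri = effective_redirect_uri(config, APP_SEEN_BASE, CALLBACK_ROUTE)
        results[label] = (uri, check_redirect_uri(uri, registered))
    return results

if __name__ == "__main__":
    for label, (uri, problems) in demo().items():
        print(label, uri, problems or "ok")
```

Running the same check at application start-up against the real configuration catches a redirect URI that silently fell back to http before the identity provider rejects it.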
Eric, I understand you have to manage the OIDC_CALLBACK_ROUTE setting to route to the required URL (see here: http://flask-oidc.readthedocs.io/en/latest/). Flask OIDC defaults the redirect URI to /oidc_callback.