
Flask-OIDC redirect_uri value being overwritten somewhere?


The Fix

Use OVERWRITE_REDIRECT_URI = 'https://www.your-server.com/your_oidc_callback_uri' inside the configuration object (the same one where you keep SECRET_KEY or OIDC_SCOPES), e.g.:

app.config['OVERWRITE_REDIRECT_URI'] = 'https://www.your-server.com/your_oidc_callback_uri'

Why it works

The default behavior of Flask-OIDC is that it uses the /_oidc_callback endpoint on the application server (specified with OIDC_CALLBACK_ROUTE), without changing the scheme or authority part of the URL.

Problems may arise, for example, when someone exposes their application via a reverse proxy over HTTPS (for instance using nginx). The Flask application itself does not know that it is exposed via HTTPS, so it uses a plain http URL.

The source of this behavior is located in Flask-OIDC's __init__.py file, inside the _flow_for_request(self) function.

    def _flow_for_request(self):
        """
        Build a flow with the correct absolute callback URL for this request.
        :return:
        """
        flow = copy(self.flow)
        redirect_uri = current_app.config['OVERWRITE_REDIRECT_URI']
        if not redirect_uri:
            flow.redirect_uri = url_for('_oidc_callback', _external=True)
        else:
            flow.redirect_uri = redirect_uri
        return flow
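The behavior described in the answer above, as an added example that is not part of the original answer or of Flask-OIDC: a standard-library model of the same decision, plus a startup check on the resulting value. The helper names, the sample WSGI environ and the registered-URI set are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

CALLBACK_ROUTE = "/_oidc_callback"  # default callback route named on this page


def derived_redirect_uri(environ, route=CALLBACK_ROUTE):
    """Stand-in for url_for('_oidc_callback', _external=True): the scheme and
    host are whatever the app sees on the request, not what the browser used."""
    return f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}{route}"


def redirect_uri_for_request(config, environ):
    """Same decision as _flow_for_request: a configured override wins."""
    return config.get("OVERWRITE_REDIRECT_URI") or derived_redirect_uri(environ)


def check_redirect_uri(uri, registered):
    """Return a list of problems; an empty list means the URI is usable."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if not parts.netloc:
        problems.append("not an absolute URL")
    if parts.fragment:
        problems.append("contains a fragment")
    if uri not in registered:
        # Providers compare the redirect_uri against the registered values.
        problems.append("not among the URIs registered with the provider")
    return problems


# Constructed sample: the request as the app sees it behind a TLS-terminating
# nginx, where the proxy-to-app hop is plain HTTP.
PROXIED_ENVIRON = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.your-server.com"}
# Constructed sample: what was registered at the identity provider.
REGISTERED = {"https://www.your-server.com/_oidc_callback"}
FIXED_CONFIG = {"OVERWRITE_REDIRECT_URI": "https://www.your-server.com/_oidc_callback"}

if __name__ == "__main__":
    for label, config in (("default", {}), ("override", FIXED_CONFIG)):
        uri = redirect_uri_for_request(config, PROXIED_ENVIRON)
        print(label, uri, check_redirect_uri(uri, REGISTERED) or "ok")
```

With the override set, the value sent to the provider no longer depends on the scheme or Host header of the incoming request.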


Eric, I understand you have to manage the OIDC_CALLBACK_ROUTE setting to route to the required URL (see here: http://flask-oidc.readthedocs.io/en/latest/). Flask OIDC defaults the redirect URI to /oidc_callback.