
OIDC SSO in flask SSL certificate verify failed


Hi, answering my own question just to reach the community effectively; here I can express where I got stuck and the whole story behind the fix.

TLDR:

The SSL issue was appearing because in the OIDC flow the WSO2 server has to communicate or transfer the secure auth token only through the SSL tunnel. This is a mandatory standard that needs to be kept for security purposes. Yes, the Carbon server has an SSL certificate (a self-signed one); to make the secure token transfer through the SSL tunnel, the client also has to make at least a self-signed certificate configuration.

Since I was using the flask-oidc library, there is a provision to allow that; please refer to the configuration here.

{
    "web": {
        "auth_uri": "https://localhost:9443/oauth2/authorize",
        "client_id": "someid",
        "client_secret": "somesecret",
        "redirect_uris": [
            "https://localhost:5000/oidc_callback"
        ],
        "userinfo_uri": "http://localhost:9763/oauth2/userinfo",
        "token_uri": "http://localhost:9763/oauth2/token",
        "token_introspection_uri": "http://localhost:9763/oauth2/introspect",
        "issuer": "https://localhost:9443/oauth2/token"
    }
}

The "issuer" entry is the one that can solve your issue (JSON does not allow comments, so it is noted here rather than inside the file).

For quick development purposes you can enable a secure HTTPS connection by adding the ad-hoc ssl_context to the Flask app run settings.

if __name__ == '__main__':
    # app.run(ssl_context=('cert.pem', 'key.pem'))  # for a self-signed cert
    app.run(debug=True, ssl_context='adhoc')  # ad-hoc way of serving HTTPS
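As an added example (not part of the answer above or of flask-oidc), the following Python script checks a client_secrets file of the shape shown for the two things that matter here: every endpoint the client will send codes, client credentials or bearer tokens to must be https, and the "issuer" entry must name the same origin as the authorization endpoint. The sample configs embedded in it are constructed; the first mirrors the answer's config, the second is a variant with every endpoint on the https port, and the function name check_client_secrets is a hypothetical helper.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the client_secrets layout flask-oidc reads (a "web"
# object); values are placeholders, not real credentials.
SAMPLE_CLIENT_SECRETS = """
{
  "web": {
    "auth_uri": "https://localhost:9443/oauth2/authorize",
    "client_id": "someid",
    "client_secret": "somesecret",
    "redirect_uris": ["https://localhost:5000/oidc_callback"],
    "userinfo_uri": "http://localhost:9763/oauth2/userinfo",
    "token_uri": "http://localhost:9763/oauth2/token",
    "token_introspection_uri": "http://localhost:9763/oauth2/introspect",
    "issuer": "https://localhost:9443/oauth2/token"
  }
}
"""

# Constructed variant with every endpoint on the https port.
HARDENED_CLIENT_SECRETS = """
{
  "web": {
    "auth_uri": "https://localhost:9443/oauth2/authorize",
    "client_id": "someid",
    "client_secret": "somesecret",
    "redirect_uris": ["https://localhost:5000/oidc_callback"],
    "userinfo_uri": "https://localhost:9443/oauth2/userinfo",
    "token_uri": "https://localhost:9443/oauth2/token",
    "token_introspection_uri": "https://localhost:9443/oauth2/introspect",
    "issuer": "https://localhost:9443/oauth2/token"
  }
}
"""

# Endpoints that carry the authorization code, the client secret, the tokens,
# or that the issuer is validated against: each must be https.
URL_KEYS = ("auth_uri", "token_uri", "userinfo_uri",
            "token_introspection_uri", "issuer")


def check_client_secrets(raw_json: str) -> list:
    """Return a list of findings (strings) for an OIDC client config.

    An empty list means every endpoint is https and the issuer shares the
    authorization endpoint's origin. Hypothetical helper, not flask-oidc code.
    """
    findings = []
    web = json.loads(raw_json).get("web", {})

    for key in URL_KEYS:
        value = web.get(key)
        if not value:
            findings.append(f"{key}: missing")
            continue
        if urlparse(value).scheme != "https":
            findings.append(f"{key}: not https ({value})")

    for uri in web.get("redirect_uris", []):
        if urlparse(uri).scheme != "https":
            findings.append(f"redirect_uri: not https ({uri})")

    # The issuer the client is configured with should be the same origin
    # (scheme, host, port) as the provider endpoints it talks to; a different
    # origin here is the usual cause of issuer mismatches at token validation.
    issuer, auth_uri = web.get("issuer"), web.get("auth_uri")
    if issuer and auth_uri:
        iss, auth = urlparse(issuer), urlparse(auth_uri)
        if (iss.scheme, iss.netloc) != (auth.scheme, auth.netloc):
            findings.append(
                f"issuer origin {iss.scheme}://{iss.netloc} differs from "
                f"auth_uri origin {auth.scheme}://{auth.netloc}")

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CLIENT_SECRETS),
                      ("hardened", HARDENED_CLIENT_SECRETS)):
        print(name, check_client_secrets(cfg) or "OK")
```

Run against the answer's config it reports the three plain-http endpoints (token, userinfo, introspection); the hardened variant reports nothing. Serving the token endpoint over http means the client secret and the tokens cross the network in clear, which is exactly what the SSL requirement described in the answer is there to prevent.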


Let me preface this answer with this one caveat:

DO NOT DO THIS IN PRODUCTION ENVIRONMENTS

No, seriously, do not do this in production; this should only be done for development purposes.

Anyways, open the oauth2client\transport.py file.

You're going to see this file location in the error that is spit out. For me it was in my Anaconda env:

AppData\Local\Continuum\anaconda3\envs\conda_env\lib\site-packages\oauth2client\transport.py

Find this function (line 73 for me):

def get_http_object(*args, **kwargs):
    """Return a new HTTP object.

    Args:
        *args: tuple, The positional arguments to be passed when
               constructing a new HTTP object.
        **kwargs: dict, The keyword arguments to be passed when
                  constructing a new HTTP object.

    Returns:
        httplib2.Http, an HTTP object.
    """
    return httplib2.Http(*args, **kwargs)

Change the return to:

return httplib2.Http(*args, **kwargs, disable_ssl_certificate_validation=True)

You may need to do the same thing to line 445 of flask_oidc/__init__.py:

credentials.refresh(httplib2.Http(disable_ssl_certificate_validation=True))
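An added example (not from the answer above, nor from flask-oidc or oauth2client) of the alternative to editing those two lines: keep certificate validation on and instead hand the self-signed provider certificate to the HTTP object, with the validation-off path allowed only when the deployment environment is explicitly "development". It assumes a PEM export of the server's certificate at a path you supply, reads FLASK_ENV as the environment signal (an assumption; any configuration source works), and the names oidc_tls_context, make_http and InsecureTlsRefused are hypothetical helpers.

```python
import os
import ssl


class InsecureTlsRefused(RuntimeError):
    """Raised when certificate validation would be turned off outside development."""


def oidc_tls_context(ca_bundle: str = None, insecure_dev: bool = False,
                     env: str = None) -> ssl.SSLContext:
    """Build the TLS context an OIDC client should use towards its provider.

    ca_bundle: path to a PEM file holding the provider's self-signed
        certificate (or private CA); it is added to the default trust store,
        so validation stays on and the self-signed provider still verifies.
    insecure_dev: disable validation entirely; refused unless env == "development".
    env: deployment environment; defaults to FLASK_ENV, and to "production"
        when that is unset, so the unsafe path is never the accident.
    """
    if env is None:
        env = os.environ.get("FLASK_ENV", "production")  # assumed env signal
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    if insecure_dev:
        if env != "development":
            raise InsecureTlsRefused(
                f"refusing to disable TLS validation in env={env!r}")
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_http(ca_bundle: str = None, insecure_dev: bool = False, env: str = None):
    """Replacement for the httplib2.Http() call in get_http_object.

    httplib2.Http accepts ca_certs (a PEM bundle that replaces its default
    bundle, which is fine for a client that only talks to this provider) and
    disable_ssl_certificate_validation. Prefer the bundle; the disable flag is
    gated by the same environment check as above. httplib2 is imported lazily
    so this module loads without it.
    """
    import httplib2
    if insecure_dev:
        oidc_tls_context(None, True, env)  # raises outside development
        return httplib2.Http(disable_ssl_certificate_validation=True)
    return httplib2.Http(ca_certs=ca_bundle)


if __name__ == "__main__":
    ctx = oidc_tls_context()
    print("default:", ctx.verify_mode, ctx.check_hostname)
    try:
        oidc_tls_context(insecure_dev=True, env="production")
    except InsecureTlsRefused as exc:
        print("guard:", exc)
```

With this in place, the two edits described above become a one-line change each: `return make_http(ca_bundle=app.config["OIDC_CA_BUNDLE"])` in transport.py and `credentials.refresh(make_http(ca_bundle=...))` in flask_oidc, where OIDC_CA_BUNDLE is a setting you add yourself. The production guard turns "do not do this in production" from a comment into a failure you will notice before the first token is exchanged.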