OIDC SSO in Flask: SSL certificate verify failed
I have a Flask-powered app and I'm trying to enable OIDC SSO for it. I opted for WSO2 as the identity server. I have created a callback URL and added the needful things in both the Identity Server and the Flask app, as shown below. The app is able to flow through the credential login page, and after that I'm getting an SSL certificate verification error.
My try:
- I have tried using self-signed certificates and
`app.run(ssl_context='adhoc')`; it didn't work.
Code Snippet:
```python
import logging  # missing in the original paste; logging.basicConfig below needs it
from flask import Flask, g
from flask_oidc import OpenIDConnect
# import ssl

logging.basicConfig(level=logging.DEBUG)

app = Flask(__name__)
app.config.update({
    'SECRET_KEY': 'SomethingNotEntirelySecret',
    'TESTING': True,
    'DEBUG': True,
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_ID_TOKEN_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
})

oidc = OpenIDConnect(app)


@app.route('/private')
@oidc.require_login
def hello_me():
    # import pdb;pdb.set_trace()
    info = oidc.user_getinfo(['email', 'openid_id'])
    return ('Hello, %s (%s)! <a href="/">Return</a>' %
            (info.get('email'), info.get('openid_id')))


if __name__ == '__main__':
    # app.run(host='sanudev', debug=True)
    # app.run(debug=True)
    # app.run(ssl_context='adhoc')
    app.run(ssl_context=('cert.pem', 'key.pem'))
    # app.run(ssl_context=('cert.pem', 'key.pem'))
```
Client Info:
```json
{
  "web": {
    "auth_uri": "https://localhost:9443/oauth2/authorize",
    "client_id": "hXCcX_N75aIygBIY7IwnWRtRpGwa",
    "client_secret": "8uMLQ92Pm8_dPEjmGSoGF7Y6fn8a",
    "redirect_uris": [
      "https://sanudev:5000/oidc_callback"
    ],
    "userinfo_uri": "https://localhost:9443/oauth2/userinfo",
    "token_uri": "https://localhost:9443/oauth2/token",
    "token_introspection_uri": "https://localhost:9443/oauth2/introspect"
  }
}
```
App Info:
- Python 3.8
- Flask 1.1.2
Solution 1:[1]
Hi, answering my own question just to reach the community effectively; here I can describe where I got stuck and the whole story behind the fix.
TLDR:
The SSL issue was appearing because in the OIDC flow the WSO2 server has to communicate or transfer the secure auth token only through an SSL tunnel. This is a mandatory standard that has to be kept for security purposes. Yes, the Carbon server has an SSL certificate (a self-signed one); to make the secure token transfer through the SSL tunnel, the client also has to have at least a self-signed certificate configuration.
Since I was using the flask-oidc library, there is a provision to allow that; please refer to the configuration here.
```json
{
  "web": {
    "auth_uri": "https://localhost:9443/oauth2/authorize",
    "client_id": "someid",
    "client_secret": "somesecret",
    "redirect_uris": [
      "https://localhost:5000/oidc_callback"
    ],
    "userinfo_uri": "http://localhost:9763/oauth2/userinfo",
    "token_uri": "http://localhost:9763/oauth2/token",
    "token_introspection_uri": "http://localhost:9763/oauth2/introspect",
    "issuer": "https://localhost:9443/oauth2/token"
  }
}
```
The `issuer` entry is the one that can solve your issue (it was an inline `#` comment in the original, which is not valid JSON, so it is moved here).
For quick development purposes you can enable a secure HTTPS connection by adding the ad-hoc config in the Flask app run settings.
```python
if __name__ == '__main__':
    # app.run(ssl_context=('cert.pem', 'key.pem'))  # for self signed cert
    app.run(debug=True, ssl_context='adhoc')  # Adhoc way of making https
```
Solution 2:[2]
Let me preface this answer with this one caveat:
DO NOT DO THIS IN PRODUCTION ENVIRONMENTS
No, seriously, do not do this in production; this should only be done for development purposes.
Anyway, open the `oauth2client\transport.py` file.
You're going to see this file location in the error that is spit out. For me it was in my Anaconda env:
`AppData\Local\Continuum\anaconda3\envs\conda_env\lib\site-packages\oauth2client\transport.py`
Find this function (line 73 for me):
```python
def get_http_object(*args, **kwargs):
    """Return a new HTTP object.

    Args:
        *args: tuple, The positional arguments to be passed when
               constructing a new HTTP object.
        **kwargs: dict, The keyword arguments to be passed when
                  constructing a new HTTP object.

    Returns:
        httplib2.Http, an HTTP object.
    """
    return httplib2.Http(*args, **kwargs)
```
Change the return to:
```python
    return httplib2.Http(*args, **kwargs, disable_ssl_certificate_validation=True)
```
You may need to do the same thing on line 445 of `flask_oidc/__init__.py`:
```python
credentials.refresh(httplib2.Http(disable_ssl_certificate_validation=True))
```
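Two things in the answers above deserve a practitioner's check: Solution 1's working config moves `token_uri`, `userinfo_uri` and `token_introspection_uri` to plain `http://` on port 9763, which sends `client_secret`, the authorization code and the tokens in clear text, and Solution 2 turns certificate validation off entirely rather than teaching the client to trust the WSO2 certificate. The following stand-alone script is an added example written for this page; it is not code from either answer, from flask-oidc or from WSO2. It audits a `client_secrets.json` for those weaknesses, rewrites the endpoints back to HTTPS (the 9763 to 9443 port mapping is taken from the two port numbers that appear on this page and is an assumption about the WSO2 defaults), and builds an `ssl.SSLContext` that adds an exported IdP certificate to the trust store while keeping hostname and chain checks on. The sample config is a constructed copy of Solution 1's JSON with its inline comment removed so that it parses.

```python
import json
import ssl
from typing import List, Optional
from urllib.parse import urlparse, urlunparse

# Constructed sample: Solution 1's client_secrets.json, comment removed.
SAMPLE_CLIENT_SECRETS = json.dumps({
    "web": {
        "auth_uri": "https://localhost:9443/oauth2/authorize",
        "client_id": "someid",
        "client_secret": "somesecret",
        "redirect_uris": ["https://localhost:5000/oidc_callback"],
        "userinfo_uri": "http://localhost:9763/oauth2/userinfo",
        "token_uri": "http://localhost:9763/oauth2/token",
        "token_introspection_uri": "http://localhost:9763/oauth2/introspect",
        "issuer": "https://localhost:9443/oauth2/token",
    }
})

# Endpoints that carry the client secret, authorization code or tokens.
ENDPOINT_KEYS = ("auth_uri", "token_uri", "userinfo_uri", "token_introspection_uri")

# Assumed WSO2 default ports as seen on this page: 9763 (HTTP) -> 9443 (HTTPS).
HTTP_TO_HTTPS_PORT = {"9763": "9443"}


def audit_client_secrets(text: str) -> List[str]:
    """Return a list of findings (empty list means nothing to fix)."""
    cfg = json.loads(text)["web"]
    findings = []
    for key in ENDPOINT_KEYS:
        url = cfg.get(key)
        if url is None:
            findings.append(f"{key}: missing")
        elif urlparse(url).scheme != "https":
            findings.append(f"{key}: not https ({url}); secret/code/tokens sent in clear")
    for uri in cfg.get("redirect_uris", []):
        if urlparse(uri).scheme != "https":
            findings.append(f"redirect_uris: not https ({uri})")
    if "issuer" not in cfg:
        findings.append("issuer: missing (the entry Solution 1 adds)")
    elif urlparse(cfg["issuer"]).netloc != urlparse(cfg["auth_uri"]).netloc:
        findings.append("issuer: host differs from auth_uri host")
    return findings


def force_https(text: str) -> str:
    """Rewrite every endpoint to https, remapping the plain-HTTP port."""
    doc = json.loads(text)
    web = doc["web"]
    for key in ENDPOINT_KEYS:
        if key not in web:
            continue
        p = urlparse(web[key])
        if p.scheme == "https":
            continue
        host, _, port = p.netloc.partition(":")
        port = HTTP_TO_HTTPS_PORT.get(port, port)
        netloc = f"{host}:{port}" if port else host
        web[key] = urlunparse(p._replace(scheme="https", netloc=netloc))
    return json.dumps(doc)


def make_verified_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Trust an exported IdP certificate (PEM path) on top of the normal checks.

    This is the alternative to disable_ssl_certificate_validation=True: the
    chain is still verified and the hostname is still checked. With cafile=None
    the platform's default trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification must stay enabled")
    return ctx


if __name__ == "__main__":
    for finding in audit_client_secrets(SAMPLE_CLIENT_SECRETS):
        print("finding:", finding)
    fixed = force_https(SAMPLE_CLIENT_SECRETS)
    print("after force_https:", audit_client_secrets(fixed) or "clean")
    ctx = make_verified_tls_context()  # pass "wso2carbon.pem" once exported
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
```

Run it against your own `client_secrets.json` by reading the file into `audit_client_secrets`; on the config from Solution 1 it reports the three plain-HTTP endpoints, and the rewritten version comes back clean. For the certificate side, export the WSO2 server certificate to a PEM file and hand its path to `make_verified_tls_context`, or to whichever CA-bundle option the HTTP client in use exposes, instead of switching validation off.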
Solution 3:[3]
Upgrading the certifi package should solve the problem.
```shell
pip install --upgrade certifi
```
It worked for me when I faced exactly the same issue.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow

| Solution | Source |
|---|---|
| Solution 1 | skysoft999 |
| Solution 2 | |
| Solution 3 | user142873 |