54

I have implemented an oauth2 server and an oauth2 client using flask-oauthlib.

When I am trying to test locally, the client returns an InsecureTransportError and tells me that I should be using https.

Is there a way to test the app locally without https?

The client is running on 127.0.0.2:5000 and the server is running on 127.0.0.1:5000.

Thanks

user2483431

3 Answers

111

From http://requests-oauthlib.readthedocs.org/en/latest/examples/real_world_example.html:

You should note that Oauth2 works through SSL layer. If your server is not parametrized to allow HTTPS, the fetch_token method will raise an oauthlib.oauth2.rfc6749.errors.InsecureTransportError. Most people don’t set SSL on their server while testing and that is fine. You can disable this check in two ways:

  1. By setting an environment variable.

     export OAUTHLIB_INSECURE_TRANSPORT=1

  2. Equivalent to above, you can set this in Python (if you have problems setting environment variables)

     # Somewhere in webapp_example.py, before the app.run for example
     import os
     os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'

Sascha Gottfried
Hans Z.
  • Just a comment, this same error, as well as the same solution, can happen when running on gunicorn with nginx doing the SSL termination. This solution fixes the problem that the library somehow incorrectly thinks it's on http... – mgmonteleone Jan 03 '17 at 00:28
  • Thank you for the tip. Do you know if `requests_oauthlib` is supposed to work with self signed certificates? I still had the insecure transport error after using one. I am wondering if it's normal or if I'm missing something. – Alexis.Rolland Dec 05 '18 at 01:50
  • 1
    Also, do you know what it means `If your server is not parametrized to allow HTTPS`? Is it different from just running my app with self signed certificate? – Alexis.Rolland Dec 05 '18 at 01:56
  • 2
    How come all answers show _OAUTHLIB_INSECURE_TRANSPORT_ when the code says _AUTHLIB_...? https://github.com/lepture/authlib/blob/8234da2896c724e3c7c021984175d99f48ef5a70/authlib/common/security.py – Markus May 28 '19 at 12:13
  • It is possible to customize some of the security settings in OAuthLib using environment variables. You can use this to bypass some of OAuthLib’s security checks in order to run automated tests. Never bypass these checks in production. – Phoenix Jan 01 '20 at 13:08
  • The actual environment variable is `AUTHLIB_INSECURE_TRANSPORT` no `O` in front. See: https://github.com/authlib/example-oauth2-server/issues/38 – jshah Nov 23 '21 at 01:24
  • 1
    @Markus No OAUTHLIB is for oauthlib and AUTHLIB is for authlib, they are distinct packages. – Nic Szerman Jun 24 '22 at 19:58
26

For OAuth1 you can add this setting:

app.config.update({
    'OAUTH1_PROVIDER_ENFORCE_SSL': False
})

For OAuth2 you can set it in an environment variable:

export OAUTHLIB_INSECURE_TRANSPORT=1

or at runtime:

import os
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
faisal burhanudin
13

For Authlib users:

export AUTHLIB_INSECURE_TRANSPORT=1

Or if you want to set it programmatically:

import os

os.environ['AUTHLIB_INSECURE_TRANSPORT'] = '1'

I know it's not answering the question but every time I ask Google about it I land on this page.

Leogout
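
A guarded form of the opt-out shown in the answers above, as an added example that is not from the original posts or from either library: it sets the variables only when every OAuth endpoint is plain http on a loopback address (like the 127.0.0.1 and 127.0.0.2 hosts in the question) and raises if a flag is already set alongside a non-loopback endpoint. The helper names and endpoint paths are hypothetical.

```python
import ipaddress
import os
from urllib.parse import urlsplit

# Opt-out variables named on this page: oauthlib's and Authlib's.
INSECURE_FLAGS = ("OAUTHLIB_INSECURE_TRANSPORT", "AUTHLIB_INSECURE_TRANSPORT")


def is_loopback_http(url):
    """True only for plain-http URLs whose host is 'localhost' or a loopback IP."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    if parts.hostname == "localhost":
        return True
    try:
        return ipaddress.ip_address(parts.hostname).is_loopback
    except ValueError:  # a DNS name other than localhost
        return False


def allow_insecure_transport_for_dev(endpoints, env=os.environ):
    """Set the opt-out flags only if every endpoint is http on loopback.

    Returns True when the flags were set, False when nothing was changed.
    Raises RuntimeError if a flag is already present while any endpoint is
    not loopback http, so a leaked `export ...=1` stops startup instead of
    letting tokens travel over plain http.
    """
    dev_only = all(is_loopback_http(u) for u in endpoints)
    leaked = [f for f in INSECURE_FLAGS if env.get(f)]
    if not dev_only:
        if leaked:
            raise RuntimeError(f"{', '.join(leaked)} set with non-loopback endpoints")
        return False
    for flag in INSECURE_FLAGS:
        env[flag] = "1"
    return True


if __name__ == "__main__":
    # Constructed endpoints matching the question's local setup.
    local = ["http://127.0.0.1:5000/oauth/token", "http://127.0.0.2:5000/authorized"]
    print(allow_insecure_transport_for_dev(local))
```

Call it once at startup, before the OAuth client or provider objects are created, passing the token, authorize and redirect URLs the app is configured with.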