7

I've installed Flask-OIDC and am attempting to authenticate users with my company's service. I'm using a client_secrets.json file, which is being read, parsed and sent correctly for the client_id, client_secret, and other values. I am storing the redirect_uri variable in a line that looks like this:

"redirect_uris": ["https://example.com/_oid_response"],

When the request is sent to the authentication service, it's going out looking like this:

redirect_uri=http%3A%2F%2Fexample.com%2Foidc_callback

Any ideas what's going on here? There's no "oidc_callback" string in any of my app's files, in any of the json, in any of the info I used to register with the authentication provider. Is it not set correctly, or being overwritten by Flask or the Flask-OIDC library somewhere?

Eric
  • Any luck getting this working? – Atif Aug 17 '17 at 14:56
  • 1
    @Atifm Nope, I ended up using a different library that was custom-written by a coworker for our particular OpenID connect stuff. Are you seeing the same issue? – Eric Aug 18 '17 at 16:00

2 Answers

7

The Fix

Use OVERWRITE_REDIRECT_URI = 'https://www.your-server.com/your_oidc_callback_uri' inside the configuration object (the same one where you keep SECRET_KEY or OIDC_SCOPES), e.g.:

app.config['OVERWRITE_REDIRECT_URI'] = 'https://www.your-server.com/your_oidc_callback_uri'

Why it works

The default behavior of Flask-OIDC is that it uses the /_oidc_callback endpoint on the application server (specified with OIDC_CALLBACK_ROUTE), without changing the scheme or authority part of the URL.

The problems may arise, for example, when someone exposes their application via a reverse proxy over https (for instance using nginx). The Flask application itself does not know that it is exposed via https, thus it uses just a plain http URL.

The source of this behavior is located in Flask-OIDC's __init__.py file, inside the _flow_for_request(self) function.

from copy import copy
from flask import current_app, url_for

# Method of the OpenIDConnect class in Flask-OIDC's __init__.py;
# self.flow is the oauth2client flow built from client_secrets.json.
def _flow_for_request(self):
    """
    Build a flow with the correct absolute callback URL for this request.
    :return:
    """
    flow = copy(self.flow)
    redirect_uri = current_app.config['OVERWRITE_REDIRECT_URI']
    if not redirect_uri:
        # url_for(_external=True) builds the URL from the scheme and host the
        # WSGI server saw, so behind a TLS-terminating proxy this is plain http.
        flow.redirect_uri = url_for('_oidc_callback', _external=True)
    else:
        flow.redirect_uri = redirect_uri
    return flow
Jack L.
    Interestingly, although I did set `OVERWRITE_REDIRECT_URI`, I get another redirect after that to the http url (not the https url) – Martin Thoma Jul 29 '19 at 13:16
  • @MartinThoma are you sure that it's an issue on Flask's side (and not reverse proxy's)? – Jack L. Aug 07 '19 at 15:04
  • To fix that second redirect that goes to http instead of https, I used `flask-talisman` that changes all redirects to https. – Tomasz Bekas Apr 03 '21 at 20:35
  • Did not work for me. See https://support.okta.com/help/s/question/0D54z00008KB6jpCAD/flaskoidc-does-not-work-as-expected-and-is-returning-redicrecturi-error?language=en_US – HX_unbanned Nov 02 '22 at 10:41
  • 1
    @HX_unbanned note that Flask-OIDC is terribly outdated, I would advocate against using it at all – Jack L. Dec 02 '22 at 09:34
  • 1
    @JackL., I agree, but I still managed to get it working in my use case. So. Maybe I will migrate to Flask-Login .. but not now as other priorities are burning my butt ... – HX_unbanned Dec 06 '22 at 09:48
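The following is an added example, not code from the question, this answer or the Flask-OIDC project. It models the redirect_uri resolution described above with the standard library only (no Flask dependency): OVERWRITE_REDIRECT_URI wins when set, otherwise the URI is assembled from the scheme and host the app saw plus OIDC_CALLBACK_ROUTE, which is exactly why a TLS-terminating reverse proxy yields an http URL. The `trust_proxy` switch stands in for what werkzeug's ProxyFix middleware does with X-Forwarded-Proto (an assumed deployment choice, not something the answer states). The client_secrets.json content and host names are constructed, and the mismatch check uses exact string comparison, which is how an OpenID provider should validate redirect_uri.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the client_secrets.json quoted in the question.
CLIENT_SECRETS_JSON = """
{
  "web": {
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "redirect_uris": ["https://example.com/_oid_response"]
  }
}
"""


def registered_redirect_uris(client_secrets_json):
    """Return the redirect_uris list from a client_secrets.json document."""
    data = json.loads(client_secrets_json)
    return list(data["web"]["redirect_uris"])


def resolve_redirect_uri(config, request_scheme, request_host,
                         headers=None, trust_proxy=False):
    """Model of Flask-OIDC's _flow_for_request():

    - OVERWRITE_REDIRECT_URI is used verbatim when set;
    - otherwise the URI is built like url_for(..., _external=True) would,
      from the scheme/host the WSGI server saw and OIDC_CALLBACK_ROUTE.
    The registered redirect_uris are never consulted, which is the root of
    the mismatch in the question. With trust_proxy=True the scheme comes from
    X-Forwarded-Proto instead (assumed ProxyFix-style setup).
    """
    overwrite = config.get("OVERWRITE_REDIRECT_URI")
    if overwrite:
        return overwrite
    headers = headers or {}
    scheme = request_scheme
    if trust_proxy and headers.get("X-Forwarded-Proto"):
        scheme = headers["X-Forwarded-Proto"]
    route = config.get("OIDC_CALLBACK_ROUTE", "/oidc_callback")
    return f"{scheme}://{request_host}{route}"


def redirect_uri_mismatch(candidate, registered):
    """Compare a candidate redirect_uri against the registered list the way a
    provider should: exact match only, no prefix or wildcard rules.
    Returns a list of differences against the first registered URI; an empty
    list means the candidate matches one of the registered values exactly."""
    if candidate in registered:
        return []
    want = urlsplit(registered[0])
    got = urlsplit(candidate)
    diffs = []
    for part in ("scheme", "netloc", "path", "query"):
        if getattr(want, part) != getattr(got, part):
            diffs.append(f"{part}: registered {getattr(want, part)!r}, "
                         f"sent {getattr(got, part)!r}")
    return diffs


def walk_through_scenarios():
    """Run the four situations discussed in the thread and return the
    redirect_uri each produces together with its mismatch report."""
    registered = registered_redirect_uris(CLIENT_SECRETS_JSON)
    proxied = {"X-Forwarded-Proto": "https"}  # header set by a constructed nginx
    scenarios = {
        # The question: defaults only, app behind a TLS-terminating proxy.
        "defaults": resolve_redirect_uri({}, "http", "example.com", proxied),
        # Route fixed, but the app still does not trust the proxy header.
        "route_only": resolve_redirect_uri(
            {"OIDC_CALLBACK_ROUTE": "/_oid_response"}, "http", "example.com", proxied),
        # Route fixed and proxy headers honoured.
        "route_and_proxy": resolve_redirect_uri(
            {"OIDC_CALLBACK_ROUTE": "/_oid_response"}, "http", "example.com",
            proxied, trust_proxy=True),
        # The fix from this answer.
        "overwrite": resolve_redirect_uri(
            {"OVERWRITE_REDIRECT_URI": "https://example.com/_oid_response"},
            "http", "example.com", proxied),
    }
    return {name: (uri, redirect_uri_mismatch(uri, registered))
            for name, uri in scenarios.items()}


if __name__ == "__main__":
    for name, (uri, diffs) in walk_through_scenarios().items():
        print(f"{name:16} {uri}  ->  {'OK' if not diffs else '; '.join(diffs)}")
```

Running it shows the question's symptom in the first line (both scheme and path differ from the registered value), the "another redirect to http" symptom from the comments in the second (only the scheme differs), and two ways to a clean match. Whichever route you take, keep the registered list to exact, scheme-qualified URIs and compare them with equality rather than a prefix test.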
0

Eric, I understand you have to manage the OIDC_CALLBACK_ROUTE setting to route to the required URL (see here http://flask-oidc.readthedocs.io/en/latest/). Flask-OIDC defaults the redirect URI to /oidc_callback.

pavel
    What is "the required URL"? – Martin Thoma Jul 29 '19 at 11:19
  • 1
    @Eric I am having the same exact issue. I set the OVERWRITE_REDIRECT_URI to my https load balancer on aws. This is my flow. I put the load balancer link on my URL. It redirects to the okta login page. Then I provide my credentials and then it goes to my flask app with a GET /oidc_callback which is returning a http:// with my load balancer URL. Anything I can do here ? Thanks in advance. – hopeIsTheonlyWeapon Jul 08 '20 at 13:28
  • @hopeIsTheonlyWeapon I am having the same issue while using it with AWS. were you able to solve it? – aykcandem Dec 14 '21 at 21:16