
I know oauth2client is deprecated but still, that's the one we use. When I start the oauth2 process with Google, it always tries to redirect me to the HTTP version of my app.

I've seen the url_for method of Flask is supposed to be based on the request context and when I start the process (i.e. calling the oauth2authorize url), I am in HTTPS. So I don't understand why it passes a redirect_uri in HTTP...

This is the code of Flask

```python
flow = client.OAuth2WebServerFlow(
    client_id=self.client_id,
    client_secret=self.client_secret,
    scope=scopes,
    state=state,
    redirect_uri=url_for('oauth2.callback', _external=True),
    **kw)
```

My app runs in App Engine flexible, if that helps. And I also tried to set the PREFERRED_URL_SCHEME of my Flask app to 'https'.

And in case that wasn't clear: I don't want the redirect_uri to be HTTP, my app is supposed to be HTTPS only ;-)

Valentin Coudert
  • Can you confirm that `print(url_for('oauth2.callback', _external=True))` gives you an https scheme? Also, do you have the https url in the authorised redirect uris in your Google OAuth setup? – djnz Jun 27 '19 at 21:15

1 Answer


I think that it might be coming from the url_for method when using the _external=True that generates the absolute URL for the callback. This absolute URL may be getting a value of HTTP instead of HTTPS.

When using this _external=True you can add _scheme='https' which will force the generated URL to be HTTPS only. Here's an answer to a related question where they refer to this same error.

bhito
  • Hello, There is no `handlers` section and so no `secure:always` in App Engine Flexible I'm afraid (https://cloud.google.com/appengine/docs/flexible/python/reference/app-yaml) – Valentin Coudert Aug 07 '19 at 09:13
  • True, I am sorry I totally missed that you were using flex, will edit the answer now! – bhito Aug 07 '19 at 09:24
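An added example, not part of the original question or answer, reproducing the symptom and comparing two fixes: the answer's `_scheme='https'` and Werkzeug's `ProxyFix` middleware. It assumes the platform front end terminates TLS and forwards the request to the app over plain HTTP with an `X-Forwarded-Proto: https` header; the host `app.example.test` and the route paths are constructed for the demonstration.

```python
from flask import Blueprint, Flask, url_for
from werkzeug.middleware.proxy_fix import ProxyFix

oauth2 = Blueprint("oauth2", __name__)


@oauth2.route("/oauth2callback")
def callback():
    return "ok"


@oauth2.route("/oauth2authorize")
def authorize():
    # Same call the question passes as redirect_uri to OAuth2WebServerFlow.
    return url_for("oauth2.callback", _external=True)


def make_app(trust_proxy):
    app = Flask(__name__)
    # Only consulted when a URL is built outside a request; inside a request
    # the scheme comes from the WSGI environ, so this alone does not help.
    app.config["PREFERRED_URL_SCHEME"] = "https"
    app.register_blueprint(oauth2)
    if trust_proxy:
        # Trust X-Forwarded-Proto from exactly one proxy hop. Enable this only
        # when every request really passes through a proxy that overwrites
        # the header; otherwise a client can set it.
        app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1)
    return app


def redirect_uri_seen_by(app):
    # Constructed request: plain HTTP to the app, original scheme in a header.
    resp = app.test_client().get(
        "/oauth2authorize",
        base_url="http://app.example.test",
        headers={"X-Forwarded-Proto": "https"},
    )
    return resp.get_data(as_text=True)


def forced_scheme_uri(app):
    # The answer's suggestion: override the scheme for this one URL.
    with app.test_request_context(base_url="http://app.example.test"):
        return url_for("oauth2.callback", _external=True, _scheme="https")
```

With `ProxyFix` in place every `url_for(..., _external=True)` in the app picks up the forwarded scheme, whereas `_scheme='https'` has to be added at each call site.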